Checkmarx supply chain attack impacts Bitwarden npm distribution path

Bitwarden CLI was hit by the Checkmarx supply chain attack. Version 2026.4.0 shipped malicious code in bw1.js via a compromised GitHub Action.

Bitwarden CLI has been compromised as part of the ongoing Checkmarx supply chain campaign, researchers warn. The affected version, @bitwarden/cli 2026.4.0, contained malicious code hidden in the bw1.js file. The breach likely stemmed from a compromised GitHub Action in Bitwarden’s CI/CD pipeline, mirroring tactics seen in other attacks in this campaign.

The compromised @bitwarden/cli@2026.4.0 package introduced a malicious preinstall hook that triggers automatically during npm install, requiring no user interaction. This hook executes bw_setup.js, a cross-platform loader that identifies the victim’s system and downloads the legitimate Bun JavaScript runtime from GitHub to run the next stage.
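As an added defensive example (not code from the article, from Bitwarden, or from any of the researchers cited), the Python script below audits an installed node_modules tree and a package-lock.json for the affected version and flags any package that declares an install-time lifecycle script, because an automatically executed preinstall hook is the mechanism described above. The sample manifests, the hook command string in them, and the function names are constructed for illustration and are assumptions, not the real package contents.

```python
import json
from pathlib import Path

# Indicators taken from the article: the affected package and version.
AFFECTED_PACKAGE = "@bitwarden/cli"
AFFECTED_VERSION = "2026.4.0"
# npm runs these scripts automatically during `npm install`, which is how the
# malicious preinstall hook gained execution without any user interaction.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")


def find_lifecycle_hooks(package_json: dict) -> dict:
    """Return the install-time lifecycle scripts declared in one package.json."""
    scripts = package_json.get("scripts") or {}
    return {name: cmd for name, cmd in scripts.items() if name in LIFECYCLE_HOOKS}


def audit_package(package_json: dict) -> list:
    """Flag the known-bad version and every install-time hook in one package.json."""
    findings = []
    name = package_json.get("name", "<unnamed>")
    version = str(package_json.get("version", ""))
    if name == AFFECTED_PACKAGE and version == AFFECTED_VERSION:
        findings.append(f"{name}@{version}: known compromised version")
    for hook, cmd in find_lifecycle_hooks(package_json).items():
        findings.append(f"{name}@{version}: runs {hook} script {cmd!r}")
    return findings


def audit_lockfile(lock: dict) -> list:
    """Flag the compromised version pinned in a package-lock.json (v1, v2 or v3 layout)."""
    findings = []
    # Lockfile v2/v3: "packages" is keyed by path, e.g. "node_modules/@bitwarden/cli".
    for path, meta in (lock.get("packages") or {}).items():
        if path.endswith("node_modules/" + AFFECTED_PACKAGE) and str(meta.get("version")) == AFFECTED_VERSION:
            findings.append(f"lockfile pins {AFFECTED_PACKAGE}@{AFFECTED_VERSION} at {path}")
    # Lockfile v1: "dependencies" is keyed by package name.
    dep = (lock.get("dependencies") or {}).get(AFFECTED_PACKAGE)
    if dep and str(dep.get("version")) == AFFECTED_VERSION:
        findings.append(f"lockfile pins {AFFECTED_PACKAGE}@{AFFECTED_VERSION} (v1 layout)")
    return findings


def audit_tree(root: Path) -> list:
    """Walk an installed tree and audit every package.json found under it."""
    findings = []
    for pj in root.rglob("package.json"):
        try:
            data = json.loads(pj.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or non-JSON file: skip rather than abort the audit
        if isinstance(data, dict):
            findings.extend(audit_package(data))
    return findings


# Constructed sample manifests, not the real package contents: the hook command is
# only modelled on the article's description of bw_setup.js being run at preinstall.
SAMPLE_COMPROMISED = {
    "name": "@bitwarden/cli",
    "version": "2026.4.0",
    "scripts": {"preinstall": "node bw_setup.js", "test": "jest"},
}
SAMPLE_CLEAN = {"name": "left-pad", "version": "1.3.0", "scripts": {"test": "node test.js"}}
SAMPLE_LOCK_V3 = {
    "lockfileVersion": 3,
    "packages": {"node_modules/@bitwarden/cli": {"version": "2026.4.0"}},
}

if __name__ == "__main__":
    import sys

    # Usage: python audit_npm_hooks.py [path-to-node_modules]
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else Path("node_modules")
    for line in audit_tree(root):
        print(line)
```

Run it against each project's node_modules directory and lockfile on developer machines and CI runners that installed npm packages during the affected window; a hit on the affected version is a confirmed installation, while a hit on an install-time hook in any other package is not by itself malicious, only a prompt to read that script before trusting the install.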

The second stage, bw1.js, is a 10 MB heavily obfuscated payload that, once decoded, reveals a sophisticated credential harvester and self-propagating supply chain worm. Its behavior closely matches previous Shai-Hulud campaigns, even embedding the string “Shai-Hulud: The Third Coming” for its exfiltration repository. The malware uses Dune-themed naming for stolen data repositories and includes an anti-AI manifesto it attempts to write into shell configuration files.

Attackers used stolen GitHub tokens to add malicious GitHub Actions workflows that capture secrets during runs. They also leveraged stolen npm credentials to publish infected package versions, spreading malware downstream. Researcher Adnan Khan says the Bitwarden CLI was likely released via this workflow, marking a rare compromise of NPM trusted publishing.

The malware steals sensitive data by scanning SSH keys, cloud credentials (AWS, GCP, Azure), npm tokens, Git configs, .env files, and shell history. It also pulls secrets from cloud managers using existing access. Stolen data is sent to a primary fake Checkmarx domain, with GitHub commits used as fallback C2.

JFrog researchers report that the rogue package version steals GitHub and npm tokens, SSH keys, .env data, shell history, CI secrets, and cloud credentials via a preinstall hook. It exfiltrates data to a fake Checkmarx domain and falls back to GitHub commits if needed.

The malware targets developer tools and AI coding configs, encrypts stolen data with AES-256-GCM, and abuses stolen GitHub tokens to inject malicious workflows and extract CI/CD secrets.

“The malware scans a hardcoded list of high-value credential files on the victim’s machine,” reads the report published by Aikido Security. “Beyond local files, the malware also runs collectors for AWS SSM Parameter Store, AWS Secrets Manager, Azure Key Vault, and GCP Secret Manager using ambient cloud credentials. Anyone running this on a cloud-connected developer machine or CI runner loses their entire secrets infrastructure.”

The malware spreads using Shai-Hulud-style tactics. Stolen data is uploaded to a public GitHub repo created with the victim’s account. If the victim lacks org membership, their GitHub token is also exposed in a public commit, letting other infected systems reuse it. For org members, tokens remain hidden inside encrypted exfiltrated data instead.

Aikido released Indicators of Compromise (IOCs) for this campaign.

Bitwarden confirmed the incident was caused by a compromised npm distribution path during the Checkmarx campaign. The malicious @bitwarden/cli@2026.4.0 package was available only briefly on April 22, 2026. The company found no evidence of compromised vault or production data. Access was revoked, the package removed, and fixes applied. Only users who installed it during that window were affected, and a CVE is being issued.

“The Bitwarden security team identified and contained a malicious package that was briefly distributed through the npm delivery path for @bitwarden/cli@2026.4.0 between 5:57 PM and 7:30 PM (ET) on April 22, 2026, in connection with a broader Checkmarx supply chain incident.

The investigation found no evidence that end user vault data was accessed or at risk, or that production data or production systems were compromised. Once the issue was detected, compromised access was revoked, the malicious npm release was deprecated, and remediation steps were initiated immediately,” reads the statement released by Bitwarden. “The issue affected the npm distribution mechanism for the CLI during that limited window, not the integrity of the legitimate Bitwarden CLI codebase or stored vault data.

Users who did not download the package from npm during that window were not affected. Bitwarden has completed a review of internal environments, release paths, and related systems, and no additional impacted products or environments have been identified at this time. A CVE for Bitwarden CLI version 2026.4.0 is being issued in connection with this incident.”


Pierluigi Paganini

(SecurityAffairs – hacking, Bitwarden)
