
Bitwarden CLI Compromised in Supply Chain Attack Through Checkmarx


Key Findings


  • Bitwarden CLI version 2026.4.0 was compromised through a malicious GitHub Action in the project's CI/CD pipeline, affecting the npm distribution mechanism

  • The attack was part of the ongoing Checkmarx supply chain campaign, likely orchestrated by threat actor TeamPCP

  • Malicious code in bw1.js executed a preinstall hook that stole GitHub tokens, npm credentials, SSH keys, cloud secrets, and shell history

  • Stolen data was exfiltrated to a fake Checkmarx domain (audit.checkmarx[.]cx) with GitHub repositories used as fallback command and control

  • The malicious package was available for only 93 minutes on April 22, 2026, between 5:57 PM and 7:30 PM ET

  • Bitwarden confirmed no end-user vault data or production systems were compromised


Background


The Checkmarx supply chain campaign emerged as a sophisticated threat targeting developers and open-source projects. Threat actors discovered they could abuse compromised GitHub Actions to inject malicious workflows into CI/CD pipelines, allowing them to publish poisoned packages directly to package managers. The campaign gained notoriety for its coordinated approach and has now expanded beyond its initial targets to popular developer tools like Bitwarden CLI, which has around 78,000 weekly downloads.


Attack Mechanism and Payload Delivery


The compromise exploited a weak link in Bitwarden's build pipeline. Once attackers gained control of a GitHub Action, they used it to publish version 2026.4.0 of the npm package with embedded malicious code. The malware used a two-stage delivery system: a lightweight loader (bw_setup.js) that downloaded the legitimate Bun JavaScript runtime from GitHub, so that the download itself looked benign, followed by a heavily obfuscated 10 MB payload (bw1.js) containing the actual credential harvester.


The attack required no user interaction beyond running a standard npm install command. The preinstall hook triggered automatically, executing the malicious code before legitimate package contents were processed.


Credential Theft and Data Exfiltration


The malware implemented comprehensive credential harvesting across multiple attack surfaces. It scanned local systems for SSH keys, .env files, shell history, and Git configuration data while simultaneously querying cloud credential managers like AWS SSM Parameter Store, AWS Secrets Manager, Azure Key Vault, and GCP Secret Manager using ambient credentials already present on compromised machines.


Developers using this version on cloud-connected systems effectively exposed their entire secrets infrastructure. The malware also targeted AI coding tool configurations including Claude, Cursor, Kiro, Aider, and Codex CLI, expanding the attack surface to newer developer workflows.


Stolen data was encrypted using AES-256-GCM and sent to the fraudulent Checkmarx domain. If that failed, the malware resorted to creating public GitHub repositories under the victim's account and committing stolen data there, turning a legitimate platform into an exfiltration channel.


Secondary Propagation and Token Abuse


The attack exhibited worm-like characteristics through secondary infection chains. Attackers weaponized stolen GitHub tokens to inject new malicious GitHub Actions workflows into repositories accessible by those tokens, capturing additional secrets during workflow execution. This approach transformed individual developer compromises into broader organizational breaches.


Stolen npm credentials were particularly valuable, allowing attackers to publish additional malicious package versions that would reach downstream users. Security researcher Adnan Khan noted this was likely the first time npm's trusted publishing mechanism was exploited in this manner, representing an escalation in supply chain attack sophistication.


Campaign Attribution and Operational Details


The malware included the string "Shai-Hulud: The Third Coming," suggesting connection to a previous supply chain campaign. Threat actors used Dune-themed naming conventions for exfiltration repositories in the format "<word>-<word>-<3 digits>," mirroring tactics from earlier incidents.


An interesting operational quirk emerged: the malware was programmed to stop executing on systems with Russian locale settings, suggesting ideological motivations or geographic constraints on the attackers' campaign. This detail, combined with shifted operational signatures compared to earlier Checkmarx incidents, has complicated attribution efforts. Security researchers debate whether this represents a different operator using shared infrastructure, a splinter faction, or intentional misdirection.


Threat actor TeamPCP's X account was suspended after the campaign became public, though the underlying infrastructure and stolen data repositories remain concerning.


Impact Assessment and Response


Bitwarden's swift response limited the blast radius considerably. The malicious package remained available for just 93 minutes before detection and removal. The company found no evidence that end-user vault data was accessed or that production systems were compromised, so the damage was confined to developer credentials rather than user vault data.


However, researchers emphasized the danger posed by public GitHub exfiltration repositories. Once stolen credentials appear in searchable public repositories, they escape the attacker's exclusive control, becoming accessible to security researchers, other threat actors, and potentially automated scanners. This transforms a targeted incident into a broader exposure problem.


Anyone who installed the affected version during that window faces potential compromise of their personal and organizational credentials. Bitwarden issued a CVE and recommended all affected users rotate their secrets immediately.


Sources


  • https://thehackernews.com/2026/04/bitwarden-cli-compromised-in-ongoing.html

  • https://securityaffairs.com/191215/uncategorized/checkmarx-supply-chain-attack-impacts-bitwarden-npm-distribution-path.html

  • https://socket.dev/blog/bitwarden-cli-compromised

  • https://www.linkedin.com/posts/stamper_bitwarden-cli-compromised-in-ongoing-checkmarx-activity-7453150781081526273-qqIz

  • https://www.endorlabs.com/learn/shai-hulud-the-third-coming----inside-the-bitwarden-cli-2026-4-0-supply-chain-attack

  • https://www.reddit.com/r/sysadmin/comments/1stqsjm/bitwarden_cli_compromised_in_ongoing_checkmarx/

© 2025 by Explain IT Again. Powered and secured by Wix
