
TeamPCP Hijacks Bitwarden CLI, Exploits Dependabot to Distribute Shai-Hulud Malware


Key Findings


  • TeamPCP compromised the widely-used @bitwarden/cli npm package on April 20, 2026, targeting developers who rely on Bitwarden for credential management

  • The attack leveraged Dependabot, GitHub's trusted automation bot, to pull a trojanized Checkmarx KICS Docker image and execute malware with CI privileges

  • Shai-Hulud malware uses GitHub itself as a fallback command and control server when primary infrastructure is blocked, making it unusually resilient

  • The worm injects code into developer shell startup files to poison AI coding assistants like Claude Code, Gemini CLI, and Aider

  • Victims' stolen credentials are uploaded to newly created repositories under their own GitHub accounts, disguising the theft as normal developer activity


Background


Bitwarden is an open-source password manager that encrypts and stores sensitive data like passwords, API keys, and secure notes. The CLI tool allows developers to access their vaults directly from the terminal, making it popular for automation, scripts, and CI pipelines. The npm package @bitwarden/cli is the standard distribution method, deeply integrated into many development workflows.


The Dependabot Pivot


What makes this attack particularly dangerous is how it bypassed human oversight entirely. Dependabot is a GitHub automation tool designed to improve security by automatically checking for dependency updates. On April 22, 2026, it automatically fetched a compromised checkmarx/kics Docker image during a routine update cycle.


Since Dependabot runs with elevated CI permissions, the malware executed immediately with access to repository secrets. No developer had to click anything suspicious. No security review could stop it. As lead researcher Guillaume Valadon noted, because the bot ran automatically, "no one was watching."


Shai-Hulud: A Self-Propagating Worm


The malware deployed in this attack, tracked as Shai-Hulud or CanisterSprawl, is designed to survive infrastructure takedowns. If its primary command server at auditcheckmarxcx goes offline, it automatically falls back to using GitHub itself as a control point.


The worm searches public GitHub commits for the tag "LongLiveTheResistanceAgainstMachines" to find new instructions. In one instance, the attackers broadcast updated exfiltration domains through a repository called helloworm00/hello-world. The malware then creates repositories under victim accounts to upload stolen credentials, making the theft appear indistinguishable from legitimate development activity.


Targeting AI Development Tools


A particularly concerning aspect of Shai-Hulud is its focus on poisoning AI coding assistants. The malware specifically hunts for six tools: Claude Code, Gemini CLI, Codex CLI, Kiro CLI, Aider, and OpenCode.


When found, it injects a 3,500-byte code block into the ~/.bashrc and ~/.zshrc shell startup files. These files execute automatically whenever a developer opens their terminal, ensuring the malware runs persistently and potentially compromises every command the developer executes through their AI assistant.


Recommendations for Prevention


Researchers stress that organizations should implement a cooldown period before installing new dependency updates. Even a brief delay gives the security community time to identify and flag malicious packages before they reach production systems. This simple measure could have stopped this attack before it gained widespread distribution.
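One way to put the cooldown recommendation into practice is to stop resolving "latest" blindly and instead pick the newest version that has been on the registry for at least N days. The script below is an added illustration, not code from the article, Bitwarden, or GitHub; it reads the `time` map that npm registry package documents actually carry, but the package name, versions, and timestamps are constructed sample data.

```python
"""Dependency cooldown gate: choose the newest npm version that has been
published for at least COOLDOWN_DAYS instead of whatever "latest" points at.
Added example; the packument below is constructed sample data in the shape
the npm registry returns (only the fields this check needs are included).
"""
from datetime import datetime, timedelta, timezone

COOLDOWN_DAYS = 7

# Constructed sample packument: fictitious package, versions and dates.
SAMPLE_PACKUMENT = {
    "name": "example-cli",
    "dist-tags": {"latest": "2.5.0"},
    "time": {
        "created": "2025-01-10T12:00:00.000Z",
        "modified": "2026-04-20T15:02:11.000Z",
        "2.3.0": "2026-03-01T09:00:00.000Z",
        "2.4.0": "2026-04-10T09:00:00.000Z",
        "2.5.0": "2026-04-20T15:02:11.000Z",  # freshly published, not yet cooled
    },
}

def _parse(ts):
    # npm registry timestamps are ISO 8601 with milliseconds, UTC.
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def _version_key(v):
    # Numeric semver ordering; prerelease suffixes are deliberately not handled.
    return tuple(int(p) for p in v.split("."))

def cooled_versions(packument, now, cooldown_days=COOLDOWN_DAYS):
    """Versions whose publish time is at least cooldown_days before `now`, ascending."""
    cutoff = now - timedelta(days=cooldown_days)
    out = [v for v, published in packument["time"].items()
           if v not in ("created", "modified") and _parse(published) <= cutoff]
    return sorted(out, key=_version_key)

def select_version(packument, now, cooldown_days=COOLDOWN_DAYS):
    """Return (version, reason). Only accepts 'latest' once it has cooled."""
    latest = packument["dist-tags"]["latest"]
    allowed = cooled_versions(packument, now, cooldown_days)
    if latest in allowed:
        return latest, "latest is past the cooldown window"
    if not allowed:
        return None, "no version is older than the cooldown window; hold the update"
    return allowed[-1], f"latest {latest} is too new; holding at {allowed[-1]}"

if __name__ == "__main__":
    now = datetime(2026, 4, 22, 10, 0, tzinfo=timezone.utc)  # constructed clock
    print(select_version(SAMPLE_PACKUMENT, now))
```

The chosen version can then be pinned explicitly (for example `npm install example-cli@2.4.0`) so a just-published release never reaches CI before the community has had a chance to look at it.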


Sources


  • https://hackread.com/teampcp-bitwarden-cli-dependabot-shai-hulud-malware/

  • https://x.com/HackRead/status/2047679894004355378

  • https://www.reddit.com/r/InfoSecNews/comments/1sugmsy/teampcp_hijacks_bitwarden_cli_uses_dependabot_to/

  • https://news.backbox.org/2026/04/24/teampcp-hijacks-bitwarden-cli-uses-dependabot-to-deploy-shai-hulud-malware/

© 2025 by Explain IT Again. Powered and secured by Wix