Bitwarden CLI Package Compromised
The official Bitwarden command-line interface (CLI) package hosted on the NPM registry was targeted in a supply chain attack, raising fresh alarm about the security of the open source software (OSS) ecosystem. Bitwarden is one of the most widely used open source password management platforms, recording more than 250,000 monthly downloads. The platform is trusted by enterprises to protect authentication workflows through zero-knowledge encryption, password sharing, and policy and credential management.
On Thursday, several security firms issued warnings that version 2026.4.0 of the Bitwarden CLI's NPM package had been tampered with, embedding malicious code designed to retrieve a JavaScript payload capable of stealing credentials and secrets from affected machines.
How the Attack Worked
According to analysis published by JFrog, the compromised package introduced an altered execution path that performed a series of malicious steps at install time:
- Launched a malicious loader embedded within the package
- Downloaded a Bun archive from GitHub
- Extracted the archive and executed the embedded JavaScript payload
The payload itself incorporated three distinct collectors aimed at harvesting secrets and tokens across a wide range of cloud and development platforms, including Azure, AWS, GitHub, GCP, and NPM. It also targeted SSH material, shell history, AI tooling configuration files, and MCP-related files.
Beyond passive data collection, the malware actively weaponized any discovered GitHub tokens by abusing GitHub Actions. It created repositories under victims' accounts, established branches, committed workflow files, and then downloaded the resulting artifacts to extract additional secret material from the CI/CD environment.
Exfiltration Methods
The malware attempted to exfiltrate harvested data over HTTPS, but if that channel was unavailable, it fell back to GitHub-hosted paths for delivery. JFrog highlighted the unusually broad scope of the attack framework in its analysis:
"The most notable aspect of this package is that it combines a supply chain compromise of a legitimate CLI identity with a broad post-install secret theft framework. Instead of stopping at .npmrc or a single PAT, the malware systematically pivots across local credentials, CI secrets, GitHub repositories, and multiple cloud secret stores."
Bitwarden confirmed the intrusion but emphasized that its investigation "found no evidence that end user vault data was accessed or at risk, or that production data or production systems were compromised."
Connection to the Checkmarx Attack
Researchers have linked the Bitwarden CLI compromise to a recent supply chain attack targeting Checkmarx, which affected the company's public DockerHub KICS image, its public ast-github-action, its VS Code extension, and its Developer Assist extension. Checkmarx publicly confirmed that incident on April 22, releasing details on the malicious artifacts and urging impacted users to immediately rotate their secrets and credentials.
In the Checkmarx attack, the malware was engineered to harvest credentials and exfiltrate them to the domain checkmarx[.]cx, or alternatively to repositories created under the victim's GitHub account — a technique that mirrors what was observed in the Bitwarden incident.
Security firm Socket analyzed both incidents and identified several overlapping characteristics:
- Identical embedded payload structure
- Shared credential harvesting methodology
- The same propagation technique
- A Russian locale kill switch present in both samples
Socket noted, however: "The shared tooling strongly suggests a connection to the same malware ecosystem, but the operational signatures differ in ways that complicate attribution."
TeamPCP and the Shai-Hulud Worm
Attribution remains complicated by the involvement of at least two distinct threat actors — or campaigns — in the broader pattern of attacks. The Checkmarx attack was publicly claimed by a group known as TeamPCP, which also goes by the aliases DeadCatx3, PCPcat, and ShellForce. This hacking group has been active since at least 2024 and has concentrated its activities on software supply chain attacks over the past year.
TeamPCP drew significant attention in recent months after it compromised Aqua Security's Trivy vulnerability scanner, using the access to steal secrets and pivot further into the OSS ecosystem. Socket noted that TeamPCP apparently claimed the Checkmarx incident on social media, which aligned with its previously documented targeting of the company's GitHub Actions and OpenVSX plugins during a March campaign.
The Bitwarden compromise introduces an additional layer of complexity. OX Security noted that the payload contains the string "Shai-Hulud: The Third Coming", strongly suggesting a link to the Shai-Hulud worm that previously swept through the NPM registry. The payload also references terms such as atreides, fremen, sandworm, and sardaukar — all drawn from Frank Herbert's Dune universe and consistent with the Shai-Hulud campaign's naming conventions.
JFrog acknowledged the thematic overlap but cautioned that these references do not definitively link TeamPCP to the earlier Shai-Hulud campaigns.
Shai-Hulud's History in the NPM Ecosystem
The Shai-Hulud worm first surfaced in the NPM registry in September, when it propagated to more than 180 packages by leveraging stolen developer credentials. A second wave followed in November, during which it infected over 640 packages, making it one of the most prolific NPM worm campaigns on record.
OX Security team lead Moshe Ben Siman Tov underscored the distinctive danger of exfiltrating data to GitHub repositories rather than to attacker-controlled infrastructure:
"User data is being publicly exfiltrated to GitHub, often going undetected because security tools typically don't flag data being sent there. This makes the risk significantly more dangerous: anyone searching GitHub can potentially find and access those credentials. At that point, sensitive data is no longer in the hands of a single threat actor; it's exposed to anyone."
Broader Implications for Open Source Security
The Bitwarden CLI incident is the latest in a string of high-profile supply chain compromises to strike the open source ecosystem in recent months. The combination of a trusted, widely-downloaded package identity with a sophisticated post-install payload framework represents an escalating threat model for developers and organizations that rely on OSS tooling.
Security teams are advised to audit their environments for the presence of Bitwarden CLI version 2026.4.0, immediately rotate any secrets or credentials that may have been exposed, and review GitHub repository activity for signs of unauthorized workflow execution. Organizations running CI/CD pipelines that depend on NPM packages should treat post-install scripts from even well-known packages with elevated scrutiny.
Source: SecurityWeek