What Happened
The official Bitwarden command-line interface (CLI) package on npm was briefly compromised on April 22, 2026, after attackers uploaded a trojanized release containing a credential-harvesting payload capable of propagating itself to downstream projects. Security firms Socket, JFrog, and OX Security each published independent analyses of the incident.
The malicious build was distributed under version 2026.4.0 and remained publicly accessible between 5:57 PM and 7:30 PM ET before it was removed — a window of approximately 90 minutes. Bitwarden confirmed the breach and stated that the impact was limited to the npm distribution channel for the CLI package.
"The investigation found no evidence that end user vault data was accessed or at risk, or that production data or production systems were compromised. Once the issue was detected, compromised access was revoked, the malicious npm release was deprecated, and remediation steps were initiated immediately." — Bitwarden
Bitwarden further clarified that the incident affected only the npm delivery mechanism during that narrow time window and did not touch the integrity of the legitimate Bitwarden CLI codebase or any stored vault data.
How the Attack Was Constructed
According to Socket's analysis, the threat actors appear to have exploited a compromised GitHub Action inside Bitwarden's CI/CD pipeline to inject malicious code directly into the CLI npm package before it was published.
JFrog's investigation revealed the technical mechanics of the payload. The package was altered so that both its preinstall script and its CLI entry point relied on a custom loader called bw_setup.js. Because npm runs lifecycle scripts such as preinstall automatically during installation, simply installing the package was enough to execute the loader, and invoking the bw command afterwards would run it again through the entry point. The loader checks whether the Bun runtime is present on the target system; if it is not, it fetches and installs Bun automatically. Bun is then used to execute a heavily obfuscated JavaScript file named bw1.js, which serves as the core credential-stealing component.
What the Malware Stole
Once running, the malware harvested a broad range of sensitive secrets from infected machines, including:
- npm authentication tokens
- GitHub authentication tokens
- SSH private keys
- Cloud credentials for AWS, Azure, and Google Cloud
Stolen data was encrypted using AES-256-GCM before exfiltration. Rather than sending data to a traditional command-and-control server, the malware created public GitHub repositories under the victim's own account and stored the encrypted stolen data there.
OX Security noted that repositories created during exfiltration contained the string "Shai-Hulud: The Third Coming" — a reference that links this campaign to previous npm supply chain attacks that used the same method and text string to exfiltrate stolen information.
Self-Propagation Capabilities
Beyond simple credential theft, the malware includes self-spreading functionality. OX Security reported that it can use stolen npm credentials to identify packages the victim has permission to modify, then inject those packages with the same malicious code — potentially expanding the attack to entirely separate projects and their user bases.
Socket also observed that the payload specifically targets CI/CD environments and attempts to collect secrets that could be reused to broaden the attack surface further.
Connection to the Checkmarx Supply Chain Attack
This incident follows a separate supply chain compromise disclosed by Checkmarx just one day earlier, affecting its KICS Docker images, GitHub Actions, and developer extensions. Bitwarden told BleepingComputer the two incidents are directly linked, with a compromised Checkmarx-related development tool enabling the attackers to abuse the npm delivery path for the Bitwarden CLI during the limited exposure window.
Socket provided BleepingComputer with specific technical indicators that tie both attacks together:
- The malicious Bitwarden payload communicates with the same audit.checkmarx[.]cx/v1/telemetry endpoint that appeared in the Checkmarx incident.
- Both payloads use the same __decodeScrambled obfuscation routine with the seed value 0x3039.
- Both share the same general pattern of credential theft, GitHub-based exfiltration, and supply chain propagation behavior.
- The Bitwarden payload contains the same type of embedded gzip+base64 components seen in the earlier Checkmarx malware, including tooling for credential collection and downstream abuse.
"That overlap goes beyond a superficial resemblance." — Socket, speaking to BleepingComputer
Threat Actor: TeamPCP
Both the Bitwarden and Checkmarx campaigns have been attributed to a threat actor tracked as TeamPCP, the same group previously linked to the large-scale supply chain attacks targeting the Trivy and LiteLLM developer packages. The recurring use of GitHub repositories for encrypted data exfiltration, the identical obfuscation seeds, and the shared infrastructure all point to a coordinated, ongoing effort rather than opportunistic one-off attacks.
What Affected Developers Should Do
Any developer or organization that installed version 2026.4.0 of the @bitwarden/cli npm package should treat their entire system and all associated credentials as potentially compromised. Recommended immediate actions include:
- Rotate all npm tokens, GitHub personal access tokens, and SSH keys present on the affected machine, performing the rotation from a host that never installed the package.
- Revoke and regenerate cloud credentials for AWS, Azure, and Google Cloud environments.
- Audit CI/CD pipeline secrets and rotate any tokens or keys accessible from those pipelines.
- Review packages published under your npm account for unauthorized modifications or versions you did not release, since the malware uses stolen npm credentials to republish packages the victim can modify.
- Inspect GitHub repositories under your account for unexpectedly created public repos, which is where the malware stored exfiltrated data; OX Security reported that they contained the string "Shai-Hulud: The Third Coming".
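The loader mechanics described under "How the Attack Was Constructed", the indicators Socket shared, and the response steps above all come down to the same triage question: did this host or pipeline install the affected release, and does anything in its node_modules carry the reported indicators? The Node.js script below is an added example of that check; it is not code from Bitwarden, Socket, JFrog or OX Security. The manifest, lockfile and file contents it scans are constructed samples shaped after the descriptions in this article (the exact commands in the real package are not reproduced), and the regexes for the loader reference and for gzip+base64 blobs are heuristics of the editor's own, not published signatures.

```javascript
// Added triage helper for the indicators described in this article. It is not code
// from Bitwarden, Socket, JFrog or OX Security; the samples at the bottom are
// constructed to resemble what the analyses describe, not copies of the real package.
// Run with: node triage.js   (Node 18+, no dependencies)

const AFFECTED_NAME = "@bitwarden/cli";
const AFFECTED_VERSION = "2026.4.0";

// Strings reported by Socket, JFrog and OX Security (domain re-joined from its
// defanged form so a plain substring match works on real file contents).
const IOC_STRINGS = [
  "Shai-Hulud: The Third Coming",
  "__decodeScrambled",
  "0x3039",
  "audit.checkmarx.cx/v1/telemetry",
  "bw_setup.js",
  "bw1.js",
];

// base64 of the gzip magic bytes 1f 8b 08 is "H4sI"; a long base64 run after it
// is the heuristic used here for the embedded gzip+base64 components Socket mentions.
const GZIP_B64_RE = /H4sI[A-Za-z0-9+\/]{200,}={0,2}/;

// npm runs these hooks automatically on install unless ignore-scripts is set.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Heuristic: does a script or bin entry reference the loader file or the Bun runtime?
const LOADER_RE = /bw_setup\.js|\bbun\b/i;

// Does a package-lock.json (lockfileVersion 1, 2 or 3) pin the affected release?
function affectedLockEntries(lock) {
  const hits = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key.endsWith("node_modules/" + AFFECTED_NAME) && entry.version === AFFECTED_VERSION) {
      hits.push(key);
    }
  }
  const dep = (lock.dependencies || {})[AFFECTED_NAME]; // lockfileVersion 1 layout
  if (dep && dep.version === AFFECTED_VERSION) hits.push(AFFECTED_NAME);
  return hits;
}

// Flag an installed package.json: affected version, any install hooks, and hooks
// or bin entries that point at the loader file or the Bun runtime.
function auditManifest(manifest) {
  const findings = [];
  if (manifest.name === AFFECTED_NAME && manifest.version === AFFECTED_VERSION) {
    findings.push("affected release " + manifest.name + "@" + manifest.version);
  }
  const scripts = manifest.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    if (hook in scripts) {
      const flag = LOADER_RE.test(String(scripts[hook])) ? "suspicious " : "";
      findings.push(flag + "install hook " + hook + ": " + scripts[hook]);
    }
  }
  // "bin" may be a single path string or an object mapping command -> path.
  const bin = typeof manifest.bin === "string" ? { [manifest.name]: manifest.bin } : manifest.bin || {};
  for (const [cmd, target] of Object.entries(bin)) {
    if (LOADER_RE.test(String(target))) findings.push("bin " + cmd + " -> " + target);
  }
  return findings;
}

// Scan {path: contents} for the string indicators and gzip+base64 blobs.
function scanForIocs(files) {
  const hits = [];
  for (const [path, text] of Object.entries(files)) {
    for (const ioc of IOC_STRINGS) {
      if (text.includes(ioc)) hits.push({ path, indicator: ioc });
    }
    if (GZIP_B64_RE.test(text)) hits.push({ path, indicator: "embedded gzip+base64 blob" });
  }
  return hits;
}

// ---- constructed samples (not the real files) ----
const SAMPLE_MANIFEST = {
  name: "@bitwarden/cli",
  version: "2026.4.0",
  scripts: { preinstall: "node bw_setup.js" },
  bin: { bw: "bw_setup.js" },
};
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: { "node_modules/@bitwarden/cli": { version: "2026.4.0" } },
};
const SAMPLE_FILES = {
  "node_modules/@bitwarden/cli/bw1.js":
    "function __decodeScrambled(s,k){return s}var seed=0x3039;var blob='H4sI" + "A".repeat(240) + "';",
  "node_modules/@bitwarden/cli/build/bw.js": "#!/usr/bin/env node\nrequire('./program');\n",
};

function runTriage() {
  return {
    lock: affectedLockEntries(SAMPLE_LOCK),
    manifest: auditManifest(SAMPLE_MANIFEST),
    iocs: scanForIocs(SAMPLE_FILES),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(runTriage(), null, 2));
}
```

To use it for real, replace the samples with node_modules/@bitwarden/cli/package.json, your package-lock.json, and the contents of the files in that directory. A clean scan of a host that installed the package during the exposure window does not make it clean: the preinstall hook had already run at install time, so the rotation steps above still apply. Setting ignore-scripts in npm blocks preinstall hooks on future installs but does nothing against the entry-point path, since the loader also ran whenever the bw command was invoked.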
Bitwarden has confirmed that it revoked the compromised access, deprecated the malicious npm release, and initiated remediation steps immediately upon discovering the issue. Developers whose machines and CI pipelines did not install version 2026.4.0 during the roughly 90-minute exposure window are not believed to be at risk from this specific incident; because the payload targets CI/CD environments, check pipeline logs and lockfiles for that version rather than relying on workstation installs alone.
Source: BleepingComputer