VYPR
breach · Published Apr 23, 2026 · Updated May 18, 2026 · 1 source

Bitwarden CLI Compromised in Ongoing Checkmarx Supply Chain Campaign

The Bitwarden CLI package was briefly compromised via a malicious npm release, part of a broader supply chain campaign linked to Checkmarx that steals developer secrets and CI/CD tokens.

The Bitwarden CLI package @bitwarden/cli@2026.4.0 was compromised in an ongoing supply chain campaign linked to Checkmarx, according to findings from JFrog and Socket. The malicious code, executed via a preinstall hook, steals GitHub and npm tokens, .ssh and .env files, shell history, and cloud credentials, exfiltrating the data to audit.checkmarx[.]cx and to GitHub. The attack leveraged a compromised GitHub Action in Bitwarden's CI/CD pipeline, consistent with patterns seen across other repositories affected by this campaign.

The malicious version was published between 5:57 PM and 7:30 PM (ET) on April 22, 2026, and has since been deprecated. The malware launches a credential stealer targeting developer secrets, GitHub Actions environments, and AI coding tool configurations including Claude, Kiro, Cursor, Codex CLI, and Aider. Stolen data is encrypted with AES-256-GCM and exfiltrated to a domain impersonating Checkmarx. If GitHub tokens are found, the malware weaponizes them to inject malicious Actions workflows into repositories and extract CI/CD secrets.

"A single developer with @bitwarden/cli@2026.4.0 installed can become the entry point for a broader supply chain compromise," StepSecurity warned. The attack follows the same GitHub Actions supply chain vector identified in the Checkmarx campaign, where threat actors abuse stolen GitHub tokens to inject workflows that capture secrets and push malicious packages to npm. Security researcher Adnan Khan noted this may be the first time a package using npm trusted publishing has been compromised.

The threat actor known as TeamPCP is suspected, and their X account has been suspended. OX Security identified the string "Shai-Hulud: The Third Coming" in the package, suggesting this could be the next phase of the supply chain attack campaign that emerged last year. "The latest Shai Hulud incident is just the latest in a long chain of threats targeting developers," said Moshe Siman Tov Bustan of OX Security. "User data is being publicly exfiltrated to GitHub, often going undetected because security tools typically don't flag data being sent there."

Bitwarden confirmed the incident, stating that no end-user vault data was accessed. "The investigation found no evidence that end user vault data was accessed or at risk," the company said. "The issue affected the npm distribution mechanism for the CLI during that limited window, not the integrity of the legitimate Bitwarden CLI codebase or stored vault data." A CVE for Bitwarden CLI version 2026.4.0 is being issued.

The campaign highlights the growing risk of supply chain attacks targeting developer tools and CI/CD pipelines. As attackers increasingly compromise trusted software delivery infrastructure, organizations must scrutinize third-party dependencies and monitor for anomalous behavior in their build environments. The use of AI coding tool configurations as a target also underscores the expanding attack surface as developers adopt AI-assisted development platforms.

Synthesized by Vypr AI