The Bitwarden CLI was briefly compromised after attackers uploaded a malicious @bitwarden/cli bundle to npm containing a credential-stealing payload able to spreading to different tasks.
In response to reviews by Socket, JFrog, and OX Safety, the malicious bundle was distributed as model 2026.4.0 and remained out there between 5:57 PM and seven:30 PM ET on April 22, 2026, earlier than being eliminated.
Bitwarden confirmed the incident, stating that the breach affected solely its npm distribution channel for the CLI npm bundle and solely those that downloaded the malicious model.
“The investigation discovered no proof that finish consumer vault knowledge was accessed or in danger, or that manufacturing knowledge or manufacturing methods had been compromised. As soon as the difficulty was detected, compromised entry was revoked, the malicious npm launch was deprecated, and remediation steps had been initiated instantly,” Bitwarden shared in a assertion.
“The difficulty affected the npm distribution mechanism for the CLI throughout that restricted window, not the integrity of the respectable Bitwarden CLI codebase or saved vault knowledge.”
Bitwarden says it revoked the compromised entry and deprecated the affected CLI npm launch.
The Bitwarden provide chain assault
In response to Socket, risk actors seem to have used a compromised GitHub Motion in Bitwarden’s CI/CD pipeline to inject malicious code into the CLI npm bundle.
In response to JFrog, the bundle was modified in order that the preinstall script and the CLI entry level use a customized loader named bw_setup.js, which checks for the Bun runtime and, if it doesn’t exist, downloads it.
The loader then makes use of the Bun runtime to launch an obfuscated JavaScript file named bw1.js, which acts as credential-stealing malware.
Supply: Jfrog
As soon as executed, the malware collects a variety of secrets and techniques from contaminated methods, together with npm tokens, GitHub authentication tokens, SSH keys, and cloud credentials for AWS, Azure, and Google Cloud.
The malware encrypts the collected knowledge utilizing AES-256-GCM and exfiltrates it by creating public GitHub repositories below the sufferer’s account, the place the encrypted knowledge is saved.
OX Safety says that these created repositories comprise the string “Shai-Hulud: The Third Coming,” a reference to earlier npm provide chain assaults that used an analogous technique and textual content string when exfiltrating stolen knowledge.
Supply: OX Safety
The malware additionally options self-propagation capabilities, with OX Safety reporting that it could possibly use stolen npm credentials to determine packages the sufferer can modify and inject them with malicious code.
Socket additionally noticed that the payload targets CI/CD environments and makes an attempt to reap secrets and techniques that may be reused to broaden the assault.
The assault comes after Checkmarx disclosed a separate provide chain incident yesterday that impacts its KICS Docker pictures, GitHub Actions, and developer extensions.
Whereas it’s not recognized how the risk actors gained entry to Bitwarden’s account to publish the malicious NPM, Socket advised BleepingComputer that there are overlapping indicators between the Checkmarx breach and this assault.
“The connection is on the malware and infrastructure stage. Within the Bitwarden case, the malicious payload makes use of the identical audit.checkmarx[.]cx/v1/telemetry endpoint that appeared within the Checkmarx incident. It additionally makes use of the identical __decodeScrambled obfuscation routine with the seed 0x3039, and exhibits the identical basic sample of credential theft, GitHub-based exfiltration, and provide chain propagation habits,” Socket advised BleepingComputer.
“That overlap goes past a superficial resemblance. The Bitwarden payload accommodates the identical type of embedded gzip+base64 elements we noticed within the earlier malware, together with tooling for credential assortment and downstream abuse.”
Each campaigns have been linked to a risk actor often called TeamPCP, who beforehand focused developer packages within the large Trivy and LiteLLM provide chain assaults.
Builders who put in the affected model ought to deal with their methods and credentials as compromised and rotate all uncovered credentials, particularly these used for CI/CD pipelines, cloud storage, and developer environments.
AI chained 4 zero-days into one exploit that bypassed each renderer and OS sandboxes. A wave of recent exploits is coming.
On the Autonomous Validation Summit (Could 12 & 14), see how autonomous, context-rich validation finds what’s exploitable, proves controls maintain, and closes the remediation loop.
