Bitwarden CLI npm Package Hijacked to Steal Developer and Cloud Credentials
A malicious version of Bitwarden’s CLI package, @bitwarden/cli 2026.4.0, was published to npm after attackers reportedly abused a compromised GitHub Action in Bitwarden’s CI/CD pipeline. The tainted release was available for about 90 minutes and was limited to the npm distribution channel; Bitwarden said its Chrome extension, MCP server, other official distribution paths, production systems, vault data, and legitimate CLI codebase were not affected. Researchers linked the incident to a broader software supply-chain campaign associated with infrastructure seen in the Checkmarx breach; some reports also tied the activity to TeamPCP.
The package reportedly used a malicious install chain that dropped files including bw1.js, fetched the Bun runtime, and executed a multi-stage payload designed to harvest GitHub, npm, AWS, Azure, GCP, SSH, and AI-tool credentials, including ~/.claude.json and MCP-related configuration files. Investigators said the malware exfiltrated data through attacker-controlled infrastructure including audit.checkmarx[.]cx, attempted persistence and self-propagation, and could enable follow-on compromise of repositories and GitHub Actions workflows. Security firms advised anyone who installed @bitwarden/cli 2026.4.0 to remove it, downgrade to a known-safe version such as 2026.3.0, rotate all potentially exposed secrets, inspect repositories and CI/CD workflows for unauthorized changes, and monitor for indicators including /tmp/tmp.987654321.lock and outbound connections to the command-and-control domain.
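The remediation and monitoring steps above, as an added triage example that is not from the original report or from Bitwarden: it checks a package-lock.json for the trojanized version, filters log lines for the C2 domain, and flags the lock-file indicator. The bw1.js name match, the sample lockfile and the log line format are constructed assumptions.

```python
import json
import re

COMPROMISED_PKG = "@bitwarden/cli"
COMPROMISED_VER = "2026.4.0"
LOCK_IOC = "/tmp/tmp.987654321.lock"
# Matches the C2 domain in raw and defanged (audit.checkmarx[.]cx) form.
C2_PATTERN = re.compile(r"audit\.checkmarx(?:\[\.\]|\.)cx", re.IGNORECASE)

def lockfile_pins_compromised(lockfile_text):
    """True if a package-lock.json pins the trojanized release anywhere in the
    tree. Lockfile v2/v3 list installs under "packages" keyed by node_modules
    path; v1 nests them under "dependencies" keyed by package name."""
    data = json.loads(lockfile_text)
    for path, meta in data.get("packages", {}).items():
        if (path.endswith("node_modules/" + COMPROMISED_PKG)
                and meta.get("version") == COMPROMISED_VER):
            return True
    def walk(deps):
        for name, meta in deps.items():
            if name == COMPROMISED_PKG and meta.get("version") == COMPROMISED_VER:
                return True
            if walk(meta.get("dependencies", {})):
                return True
        return False
    return walk(data.get("dependencies", {}))

def c2_contacts(log_lines):
    """Return the DNS/proxy log lines that reference the C2 domain."""
    return [ln for ln in log_lines if C2_PATTERN.search(ln)]

def host_indicators(existing_paths):
    """From paths present on a host (e.g. collected with os.walk), return the
    lock-file IOC and any bw1.js (name match only, an assumption; review by hand)."""
    return [p for p in existing_paths if p == LOCK_IOC or p.endswith("/bw1.js")]

# Constructed sample inputs (not real artifacts) for a stand-alone run.
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"dependencies": {"@bitwarden/cli": "2026.4.0"}},
    "node_modules/@bitwarden/cli": {"version": "2026.4.0"}}})
SAMPLE_LOG = [
    "2026-04-22T18:05:11Z build-01 dns query A audit.checkmarx.cx",
    "2026-04-22T18:05:12Z build-01 dns query A registry.npmjs.org",
]

if __name__ == "__main__":
    print(lockfile_pins_compromised(SAMPLE_LOCK), c2_contacts(SAMPLE_LOG),
          host_indicators([LOCK_IOC, "/home/ci/.npmrc"]))
```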

How this story unfolded
Timeline of 6 events, listed from the most recent confirmed update back to the earliest known activity.
Bitwarden releases clean @bitwarden/cli 2026.4.1
Bitwarden released a clean npm package version, @bitwarden/cli 2026.4.1, on 2026-04-23 after deprecating the malicious 2026.4.0 release. The company also said a CVE was being issued for the incident.
Security firms publish IOCs and remediation guidance
Researchers and vendors released technical details including malicious files, hashes, network indicators, and the C2 domain, and advised users to remove or downgrade the package, rotate exposed secrets, and audit repositories and workflows for unauthorized changes. Impacted organizations were told to treat installation of @bitwarden/cli 2026.4.0 as a full credential exposure incident.
Bitwarden says incident was limited to npm CLI package
Bitwarden stated that the compromise was confined to the npm-distributed CLI package and that there was no evidence of compromised vault data, production data, production systems, or the legitimate CLI codebase. Other official channels such as the Chrome extension and MCP server were reported as unaffected.
Attack tied to broader Checkmarx campaign and TeamPCP tooling
Researchers reported infrastructure and behavioral overlaps between the Bitwarden package compromise and the broader Checkmarx-related supply-chain campaign, including the audit.checkmarx.cx C2. The activity was also associated with TeamPCP, previously linked to the Trivy and LiteLLM supply-chain attacks.
Researchers link Bitwarden npm compromise to CI/CD GitHub Action abuse
Analysis by Socket, JFrog, OX Security, and others found the malicious package stemmed from abuse of a compromised GitHub Action in Bitwarden's CI/CD pipeline. The payload used multi-stage malware to steal developer, cloud, GitHub, SSH, and AI-tool credentials and attempted supply-chain propagation.
Malicious @bitwarden/cli 2026.4.0 published to npm
Attackers published a trojanized version of Bitwarden's CLI package, @bitwarden/cli 2026.4.0, to npm on 2026-04-22. The malicious release was available for about 90 minutes and affected only the npm distribution channel for the CLI package.
Sources
93 Minutes on npm: Inside the Bitwarden CLI Supply Chain Attack, by Sigmund Brandstaetter, OSINT Team, Apr 2026 (osintteam.blog)
Bitwarden Statement on Checkmarx Supply Chain Incident (infosec.pub)
Shai-Hulud: The Third Coming - Bitwarden CLI Backdoored in Latest Supply Chain Campaign (infosec.pub)
TeamPCP Campaign Spreads to npm via a Hijacked Bitwarden CLI (infosec.pub)
Bitwarden CLI npm package compromised to steal developer credentials (bleepingcomputer.com)
JFrog Security: Possible compromised Supply-Chain of Bitwarden CLI, Issue #20353, bitwarden/clients (github.com)
TeamPCP Campaign Spreads to npm via a Hijacked Bitwarden CLI, JFrog Security Research (research.jfrog.com)