Malicious Bitwarden CLI npm Package Stole Secrets in Supply-Chain Breach
Bitwarden confirmed that attackers briefly distributed a malicious @bitwarden/cli package, version 2026.4.0, through npm after compromising the CLI release process. The trojanized package was available for roughly 90 minutes on April 22 and was downloaded by a limited number of users before being removed. Bitwarden said the incident was confined to the npm-distributed command-line tool and did not affect its main password manager, customer vault data, production systems, or production data. The company revoked compromised access, deprecated the release, and directed affected users to remove the package, clear the npm cache, rotate exposed secrets, and upgrade to 2026.4.1 or use trusted signed binaries.
Security researchers linked the breach to a wider software supply-chain campaign tied to compromised Checkmarx infrastructure and CI/CD workflows, including abuse of GitHub Actions trusted publishing. Analyses said the payload harvested GitHub and npm tokens, SSH keys, cloud credentials, environment variables, shell history, and cryptocurrency wallet files such as MetaMask, Phantom, and Solana data, making the incident especially dangerous for organizations using Bitwarden CLI in automated pipelines. Researchers also reported worm-like propagation, encrypted exfiltration to audit.checkmarx.cx, fallback GitHub-based command-and-control, memory scraping on self-hosted runners, and attempts to poison AI coding assistants by appending hidden text to shell startup files.

How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
Bitwarden issues remediation guidance and clean version
Bitwarden advised affected users to uninstall version 2026.4.0, clear the npm cache, disable npm install scripts during cleanup, rotate exposed secrets, and install version 2026.4.1. Other reporting also recommended downgrading to 2026.3.0 or using official signed binaries until remediation was complete.
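Before any of the cleanup steps above can be applied, a pipeline owner has to answer one question: does anything in this repository or on this runner reference 2026.4.0? The following shell script is an added example, not Bitwarden's or Mallory's tooling. Only the package name and the 2026.4.0 / 2026.4.1 version numbers come from the story; the manifest and lockfile layouts it matches are npm's standard ones, the remediation commands are the advisory's steps written as npm invocations, and the sample files it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not Bitwarden's or Mallory's tooling): find the compromised
# @bitwarden/cli 2026.4.0 release in npm manifests and lockfiles, then print
# the cleanup steps from the advisory. Package name, bad and fixed versions
# come from the story; everything else is this script's own assumption.

BAD_PKG='@bitwarden/cli'
BAD_VER='2026.4.0'
BAD_VER_RE='2026\.4\.0'     # dots escaped for the regex below
FIXED_VER='2026.4.1'

# is_compromised FILE
# Exit 0 when FILE references the bad release. Two shapes are recognised:
#   1. an installed/locked entry, as written by package-lock.json (v1-v3),
#      npm-shrinkwrap.json or `npm ls --json`:
#        "node_modules/@bitwarden/cli": { "version": "2026.4.0", ... }
#   2. an exact pin in package.json:  "@bitwarden/cli": "2026.4.0"
# A range such as "^2026.4.0" is not flagged here; the lockfile that resolves
# it is the authority on what was actually installed.
is_compromised() {
  pat="\"(node_modules/)?${BAD_PKG}\" *: *[{][^}]*\"version\" *: *\"${BAD_VER_RE}\"|\"${BAD_PKG}\" *: *\"${BAD_VER_RE}\""
  # Flatten the JSON onto one line so name and version can be matched together.
  tr -d '\n\r' < "$1" | tr -s ' \t' ' ' | grep -Eq "$pat"
}

# scan_tree DIR
# Check every manifest and lockfile under DIR (skipping installed
# node_modules trees) and list the offenders. Exit 1 if any were found.
scan_tree() {
  hits=$(find "$1" -type f \
             \( -name package.json -o -name package-lock.json -o -name npm-shrinkwrap.json \) \
             ! -path '*/node_modules/*' -print |
         while IFS= read -r f; do
           if is_compromised "$f"; then printf '%s\n' "$f"; fi
         done)
  if [ -n "$hits" ]; then
    printf 'COMPROMISED: %s@%s referenced by:\n%s\n' "$BAD_PKG" "$BAD_VER" "$hits"
    return 1
  fi
  return 0
}

# print_remediation
# The cleanup sequence described in the advisory, as npm commands. Printed
# rather than executed so an operator can review it first.
print_remediation() {
  cat <<EOF
npm config set ignore-scripts true          # no install scripts while cleaning up
npm uninstall -g $BAD_PKG                   # remove the trojanized CLI
npm cache clean --force                     # drop cached copies of $BAD_VER
# rotate every secret the affected host or runner could reach
# (GitHub/npm tokens, SSH keys, cloud credentials), then:
npm install -g $BAD_PKG@$FIXED_VER          # or use a signed release binary
npm config delete ignore-scripts
EOF
}

# write_samples DIR
# Constructed sample files (not real artifacts) so the check can be tried offline:
# one lockfile pinning the bad release, one already on the fixed release.
write_samples() {
  mkdir -p "$1/bad" "$1/good"
  printf '%s' '{"name":"ci","lockfileVersion":3,"packages":{"":{"dependencies":{"@bitwarden/cli":"2026.4.0"}},"node_modules/@bitwarden/cli":{"version":"2026.4.0","resolved":"https://registry.npmjs.org/@bitwarden/cli/-/cli-2026.4.0.tgz"}}}' > "$1/bad/package-lock.json"
  printf '%s' '{"name":"ci","lockfileVersion":3,"packages":{"":{"dependencies":{"@bitwarden/cli":"^2026.4.1"}},"node_modules/@bitwarden/cli":{"version":"2026.4.1"}}}' > "$1/good/package-lock.json"
}

# Usage: sh check-bitwarden-cli.sh DIR
# Scans DIR; if the bad release is referenced, prints the cleanup steps.
if [ "$#" -gt 0 ]; then
  scan_tree "$1" || print_remediation
fi
```

For a global install rather than a repository, dump the installed tree with `npm ls -g --json > ls.json` and run `is_compromised ls.json`; the same name-then-version pattern applies. The check deliberately ignores semver ranges: a `^2026.4.0` pin is only a finding if the lockfile or the installed tree resolved it to 2026.4.0, which is what the scan reports.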
Technical analyses reveal broader malware capabilities
Public analyses on 2026-04-23 described the payload's additional behaviors, including GitHub Actions secrets dumping, self-propagation, fallback exfiltration via GitHub commits, and AI-assistant poisoning through shell profile modifications. Researchers also highlighted use of the audit.checkmarx.cx infrastructure and a CIS-language execution exclusion pattern.
Bitwarden confirms compromise and removes malicious release
Bitwarden confirmed that @bitwarden/cli 2026.4.0 had been maliciously distributed through npm, revoked compromised access, and deprecated the affected release. The company stated the incident was limited to the npm-distributed CLI and did not affect the main Bitwarden password manager, production systems, or user vault data.
Researchers detect and verify the malicious npm package
On 2026-04-23, security researchers including Socket identified the Bitwarden CLI npm compromise and linked it to the broader TeamPCP/Checkmarx supply-chain activity. Open Source Malware also recorded the package as reported and verified that same day.
Compromised package available for about 90 minutes
Bitwarden said the malicious npm release was available only from 5:57 PM to 7:30 PM ET on 2026-04-22. A Bitwarden community moderator later said 334 users downloaded the package during that window.
Malicious Bitwarden CLI package published to npm
Attackers published a malicious @bitwarden/cli version 2026.4.0 to npm after compromising Bitwarden's CLI release process, reportedly via GitHub Actions trusted publishing. The package included install-time malware that stole tokens, keys, and environment data and, according to some analyses, targeted cryptocurrency wallet files.
Trojanized Checkmarx KICS image reaches Bitwarden-related CI workflows
A compromised Checkmarx KICS Docker image was pulled by Dependabot into at least one victim environment on 2026-04-22, providing an apparent initial access path into Bitwarden-related CI/CD workflows. Multiple reports link the later Bitwarden CLI compromise to this broader Checkmarx/TeamPCP supply-chain campaign.
Sources
7 references tracked.
@bitwarden/cli - npm (npmjs.com)
Bitwarden Confirms Compromise - Here Are The Facts (forbes.com)
Compromised Bitwarden CLI Poisons AI Assistants and Spreads as npm Worm (mend.io)
Bitwarden CLI Supply Chain Attack Puts Crypto Wallet Keys at Risk (beincrypto.com)
@bitwarden/cli - GitGuardian Views on helloworm00 (blog.gitguardian.com)
Run #24838719458 · actions-security-demo/compromised-packages | StepSecurity (app.stepsecurity.io)
@bitwarden/cli - Malicious NPM Package (opensourcemalware.com)