Bitwarden CLI Supply Chain Attack Exposes Secrets Via GitHub Actions
Key Takeaways The npm package for Bitwarden CLI, version 2026.4.0, was compromised in a supply chain attack. The incident exposed potentially millions of users and thousands of businesses to...
Key Takeaways
- The npm package for Bitwarden CLI, version 2026.4.0, was compromised in a supply chain attack.
- The incident exposed potentially millions of users and thousands of businesses to credential theft and CI/CD pipeline infiltration.
- Attackers injected a malicious
bw1.jsfile, leveraging a compromised GitHub Action within Bitwarden’s CI/CD pipeline. - The payload harvested credentials (GitHub, AWS, Azure, GCP, npm, SSH) and included mechanisms for supply chain propagation and shell persistence.
- Organizations that installed the affected package must immediately rotate credentials, audit systems, and remove the compromised software.
Bitwarden CLI Supply Chain Attack Exposes Secrets Via GitHub Actions
The npm package for Bitwarden CLI, specifically version 2026.4.0, has been confirmed as compromised, according to security firm Socket. This incident is linked to the broader Checkmarx supply chain campaign and poses a significant threat, potentially exposing credentials for millions of users and thousands of enterprises, along with risking infiltration of CI/CD pipelines.
Table Of Content
The attack involved the injection of a malicious file named bw1.js directly into the @bitwarden/cli 2026.4.0 npm package. Given that Bitwarden CLI serves over 10 million users and more than 50,000 businesses, this compromise represents one of the most impactful targets observed in the campaign to date.
It is crucial to note that the compromise was isolated to the npm CLI package. Other official Bitwarden distribution channels, including its Chrome extension and MCP server, were not affected by this specific incident.
Attack Vector and Payload Details
The attackers exploited a compromised GitHub Action embedded within Bitwarden’s CI/CD pipeline. This vector mirrors the supply chain vulnerabilities previously identified and documented by Socket researchers in connection with the wider Checkmarx campaign.
The injected bw1.js payload shares fundamental infrastructure with the earlier mcpAddon.js malware. This includes an identical command-and-control (C2) endpoint, audit.checkmarx[.]cx/v1/telemetry, which was obfuscated using the __decodeScrambled function with a seed of 0x3039.
The malicious payload operated through a sophisticated multi-stage architecture designed for comprehensive data exfiltration and persistence:
- Credential Harvesting: It targeted a wide array of credentials, including GitHub tokens by scraping Runner.Worker memory, AWS credentials from
~/.aws/, Azure tokens viaazd, GCP credentials viagcloud, npm tokens from.npmrc, SSH keys, and Claude/MCP configuration files. - GitHub Exfiltration: The malware created public repositories under victim accounts, using a distinctive “Dune-themed” naming convention (
{word}-{word}-{3digits}). Encrypted exfiltrated data was committed to these repositories, with tokens embedded in the commit messages. - Supply Chain Propagation: Attackers stole npm tokens to identify and republish writable packages, injecting preinstall hooks. They also injected malicious GitHub Actions workflows to capture repository secrets.
- Shell Persistence: Payloads were injected into common shell profiles, specifically
~/.bashrcand~/.zshrc, to maintain persistence. - Russian Locale Kill Switch: A self-preservation mechanism caused the payload to exit silently if the system locale began with “ru,” indicating a potential aversion to operating in Russian-speaking regions.
The payload itself was designed to run on Bun v1.3.13, which it downloaded directly from GitHub releases.
Evolving Threat Landscape
While the shared tooling and infrastructure undeniably link this attack to the established Checkmarx malware ecosystem, several unique indicators suggest a potential evolution or a different operator. The malicious payload contained explicit ideological branding, with repository descriptions referencing “Shai-Hulud: The Third Coming,” debug strings invoking “Butlerian Jihad,” and commit messages proclaiming “resistance against machines.”
This overt ideological messaging stands in stark contrast to the earlier Checkmarx campaign, which typically employed deceptive but neutral descriptions. Socket researchers speculate that this could signify a splinter group, a distinct operator utilizing shared infrastructure, or a deliberate strategic shift in the campaign’s public posture.
What You Should Do
Organizations that installed Bitwarden CLI version 2026.4.0 must consider this a full credential exposure event and take immediate action:
- Remove Affected Package: Immediately remove
@bitwarden/cli 2026.4.0from all developer systems, build environments, and CI/CD pipelines. - Rotate Credentials: Promptly rotate all potentially exposed credentials, including GitHub tokens, npm tokens, cloud credentials (AWS, Azure, GCP), SSH keys, and all CI/CD secrets.
- Audit GitHub: Conduct a thorough audit of GitHub accounts for unauthorized repository creation, especially those following the
{word}-{word}-{3digits}pattern, and inspect.github/workflows/for unexpected workflow files. - Hunt for Persistence: Search for the persistence lock file at
/tmp/tmp.987654321.lockand unauthorized modifications to user shell profiles (~/.bashrc,~/.zshrc). - Monitor Network Traffic: Monitor network traffic for outbound connections to
audit.checkmarx[.]cxand look for unusual executions of the Bun runtime. - Implement Long-Term Hardening: Enforce least-privilege configurations for GitHub Actions, restrict package publish permissions, and implement short-lived, narrowly scoped tokens.
IOC Summary
| Indicator | Details |
|---|---|
| Malicious Package | @bitwarden/cli 2026.4.0 |
| Malicious File | bw1.js |
| C2 Endpoint | audit.checkmarx[.]cx/v1/telemetry |
| Lock File | /tmp/tmp.987654321.lock |
| Staging Repo Pattern | {word}-{word}-{3digits} |
The security research team at Socket continues to investigate the full scope of this campaign. Organizations are strongly advised to treat any interaction with the compromised package version as a confirmed security incident until further conclusive analysis is provided.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.