Bitwarden CLI Compromised: GitHub Actions Supply Chain Attack

Sarah simpson
April 23, 2026

Bitwarden CLI version 2026.4.0 has been compromised, Socket confirmed, tying the incident to the ongoing Checkmarx supply chain campaign. This breach exposes millions of users and thousands of enterprises to credential theft and CI/CD pipeline infiltration.

The attack targeted @bitwarden/cli 2026.4.0 on npm, injecting a malicious file named bw1.js into the package contents. Bitwarden CLI is used by over 10 million users and 50,000+ businesses, making it one of the highest-impact targets in the campaign to date.

Notably, only the npm CLI package was affected. Bitwarden’s Chrome extension, MCP server, and other official distribution channels remain uncompromised.

Attackers exploited a compromised GitHub Action within Bitwarden’s CI/CD pipeline, the same supply chain vector identified in the broader Checkmarx campaign documented by Socket researchers.

The malicious bw1.js payload shares core infrastructure with the previously analyzed mcpAddon.js, including an identical C2 endpoint (audit.checkmarx[.]cx/v1/telemetry) obfuscated via __decodeScrambled with seed 0x3039.

The payload employed a sophisticated multi-stage architecture:

  • Credential harvesting targeting GitHub tokens via Runner.Worker memory scraping, AWS credentials from ~/.aws/, Azure tokens via azd, GCP credentials via gcloud, npm tokens from .npmrc, SSH keys, and Claude/MCP configuration files
  • GitHub exfiltration by creating public repositories under victim accounts using Dune-themed naming conventions ({word}-{word}-{3digits}), with encrypted results committed and tokens embedded in commit messages
  • Supply chain propagation through npm token theft to identify writable packages and republish them with injected preinstall hooks, alongside GitHub Actions workflow injection to capture repository secrets
  • Shell persistence by injecting payloads into ~/.bashrc and ~/.zshrc
  • Russian locale kill switch that exits silently if the system locale begins with “ru”

The payload runs on Bun v1.3.13, downloaded directly from GitHub releases.

While the shared tooling links this attack to the Checkmarx malware ecosystem, several indicators suggest a different — or evolved — operator. The malicious payload carries explicit ideological branding: repository descriptions reference “Shai-Hulud: The Third Coming,” debug strings invoke “Butlerian Jihad,” and commit messages proclaim resistance against machines.

This contrasts sharply with the earlier Checkmarx campaign, which used deceptive but neutral-looking descriptions. Socket researchers note this could indicate a splinter group, a different operator sharing infrastructure, or a deliberate shift in the campaign’s posture.

Organizations that installed the compromised package should treat this as a full credential exposure event. Immediate steps include:

  • Remove the affected package from all developer systems and build environments
  • Rotate all potentially exposed credentials — GitHub tokens, npm tokens, cloud credentials, SSH keys, and CI/CD secrets
  • Audit GitHub for unauthorized repository creation, unexpected workflow files under .github/workflows/, and Dune-themed staging repositories
  • Hunt for the persistence lock file at /tmp/tmp.987654321.lock and unauthorized modifications to shell profiles
  • Monitor for outbound connections to audit.checkmarx[.]cx and unusual Bun runtime execution
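An added hunting helper for the audit steps above; it is not code from Socket or Bitwarden. The indicator values (package, version, lock file, C2 host written defanged in the text, staging-repo pattern) come from this report, while the lockfile, shell-profile text and repository names it checks are constructed samples.

```python
import json
import re

# Indicators taken from the report above; the sample inputs below are constructed.
COMPROMISED_PACKAGE = "@bitwarden/cli"
COMPROMISED_VERSION = "2026.4.0"
LOCK_FILE = "/tmp/tmp.987654321.lock"
C2_HOST = "audit.checkmarx.cx"  # written defanged as audit.checkmarx[.]cx in the report
# Dune-themed staging repositories follow {word}-{word}-{3digits}
STAGING_REPO_RE = re.compile(r"^[a-z]+-[a-z]+-\d{3}$")
BUN_RE = re.compile(r"\bbun\b", re.IGNORECASE)


def find_compromised_in_lockfile(lock_json):
    """Return lockfile entries where @bitwarden/cli resolves to 2026.4.0.
    Handles lockfileVersion 2/3 ("packages") and v1 ("dependencies")."""
    data = json.loads(lock_json)
    hits = []
    for path, meta in data.get("packages", {}).items():
        if path.endswith("node_modules/" + COMPROMISED_PACKAGE) \
                and meta.get("version") == COMPROMISED_VERSION:
            hits.append(path)
    for name, meta in data.get("dependencies", {}).items():
        if name == COMPROMISED_PACKAGE and meta.get("version") == COMPROMISED_VERSION:
            hits.append(name)
    return hits


def suspicious_profile_lines(profile_text):
    """Flag ~/.bashrc or ~/.zshrc lines that reference the C2 host, the lock file
    or a Bun runtime. Legitimate Bun installs are flagged too; review by hand."""
    flagged = []
    for n, line in enumerate(profile_text.splitlines(), 1):
        if C2_HOST in line or LOCK_FILE in line or BUN_RE.search(line):
            flagged.append((n, line))
    return flagged


def is_staging_repo_name(name):
    """True if a repository name matches the attacker's staging-repo pattern."""
    return STAGING_REPO_RE.fullmatch(name) is not None


SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {  # constructed
    "": {"name": "example-app"},
    "node_modules/@bitwarden/cli": {"version": "2026.4.0"},
    "node_modules/left-pad": {"version": "1.3.0"}}})
SAMPLE_PROFILE = ("export PATH=\"$HOME/bin:$PATH\"\n"  # constructed profile text
                  "alias ll='ls -la'\n"
                  "test -e /tmp/tmp.987654321.lock && true\n")

if __name__ == "__main__":
    print(find_compromised_in_lockfile(SAMPLE_LOCK), suspicious_profile_lines(SAMPLE_PROFILE))
```

Run it against each repository's package-lock.json and each developer's shell profiles, and pass the names of recently created repositories from the GitHub API to is_staging_repo_name.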

Long-term hardening should include locking down token scopes, enforcing short-lived credentials, restricting package publish permissions, and hardening GitHub Actions with least-privilege configurations.

IOC Summary

Indicator             Details
Malicious Package     @bitwarden/cli 2026.4.0
Malicious File        bw1.js
C2 Endpoint           audit.checkmarx[.]cx/v1/telemetry
Lock File             /tmp/tmp.987654321.lock
Staging Repo Pattern  {word}-{word}-{3digits}

Socket’s security research team continues to investigate the full scope of the campaign. Organizations are urged to treat any exposure to this package version as a confirmed incident until further analysis is complete.
