


Perceptive Security
SOC/SIEM Consultancy

Bitwarden CLI Hijacked on npm: Bun-Staged Credential Stealer Targets Developers, GitHub Actions, and AI Tools
Published: 23 April 2026 at 15:23:35
Alert date: 23 April 2026 at 16:01:32
Source: stepsecurity.io
Supply Chain & Dependencies, Data Breach & Exfiltration, Ransomware & Malware
The official Bitwarden CLI package (@bitwarden/cli@2026.4.0) on npm was compromised with malicious code that installs a credential stealer targeting developer secrets, GitHub Actions, and AI tool configurations. The malware uses a preinstall hook to bootstrap the Bun JavaScript runtime and execute a 9.7 MB obfuscated payload. Stolen data is encrypted with AES-256-GCM and sent to audit.checkmarx.cx, a domain impersonating Checkmarx. When GitHub tokens are found, the malware injects malicious workflows into repositories to extract CI/CD secrets, creating a supply chain attack vector.
Technical details
Affected products:
Bitwarden CLI
npm
GitHub Actions
IOCs:
audit.checkmarx.cx, @bitwarden/cli@2026.4.0
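One way to check a project for the package version listed above, as an added example that is not part of the original alert or of any vendor tooling. It assumes a package-lock.json with lockfileVersion 2 or 3; the function names and the sample lockfile are constructed for illustration.

```javascript
// IOC taken from the alert above; everything else in this block is constructed.
const COMPROMISED = { name: "@bitwarden/cli", version: "2026.4.0" };

// Derive the package name from a lockfile "packages" key such as
// "node_modules/a/node_modules/@scope/b" -> "@scope/b".
function nameFromLockPath(path) {
  const marker = "node_modules/";
  const idx = path.lastIndexOf(marker);
  return idx === -1 ? path : path.slice(idx + marker.length);
}

// Scan a parsed package-lock.json (lockfileVersion 2 or 3, which carry a
// top-level "packages" map). Returns the entries matching the compromised
// version and, separately, every dependency that declares install lifecycle
// scripts (the preinstall hook is how the alert says the payload starts).
function scanLockfile(lock) {
  const hits = [];
  const installScripts = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry, not a dependency
    const name = meta.name || nameFromLockPath(path);
    if (name === COMPROMISED.name && meta.version === COMPROMISED.version) {
      hits.push({ path, name, version: meta.version });
    }
    if (meta.hasInstallScript === true) {
      installScripts.push({ path, name, version: meta.version });
    }
  }
  return { hits, installScripts };
}

// Constructed sample lockfile (not from a real project; versions other than
// the IOC are made up). Replace with JSON.parse of your own package-lock.json.
const SAMPLE_LOCK = JSON.parse(`{
  "name": "demo-app", "lockfileVersion": 3,
  "packages": {
    "": { "name": "demo-app", "version": "1.0.0" },
    "node_modules/@bitwarden/cli": { "version": "2026.4.0", "hasInstallScript": true },
    "node_modules/example-lib": { "version": "1.3.0" },
    "node_modules/tool/node_modules/@bitwarden/cli": { "version": "0.0.1" }
  }
}`);

console.log(JSON.stringify(scanLockfile(SAMPLE_LOCK), null, 2));
```

A non-empty `hits` array means the lockfile pins the affected version, including copies nested under another dependency's node_modules.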
This article was created with the assistance of AI technology by Perceptive.
