Bitwarden CLI Compromised in Ongoing Checkmarx Supply Chain Campaign

Published:

23 April 2026 at 13:42:00

Alert date:

23 April 2026 at 15:02:55

Source:

thehackernews.com


Supply Chain & Dependencies, Security Tools, Data Breach & Exfiltration

Bitwarden CLI has been compromised as part of an ongoing Checkmarx supply chain campaign discovered by Socket. The affected package version is @bitwarden/cli@2026.4.0; the malicious code was published in a file named 'bw1.js' included in the package contents. This is an active supply chain attack targeting the command-line interface of the popular password manager. The attackers appear to have used compromised package distribution to inject malicious code into legitimate software. Organizations using the affected Bitwarden CLI version should take immediate action to assess the potential impact.

Technical details

The attack compromised @bitwarden/cli@2026.4.0 by leveraging a compromised GitHub Action in Bitwarden's CI/CD pipeline. The malicious code was published in a file named 'bw1.js' included in the package contents. The threat actors used stolen GitHub tokens to inject a new GitHub Actions workflow that captures the secrets available to the workflow run, and then used the harvested npm credentials to push malicious versions of the package. This appears to be the first time a package using npm trusted publishing has been compromised. The malicious package steals GitHub and npm tokens, .ssh directories, .env files, shell history, GitHub Actions secrets and cloud secrets, then exfiltrates the data to private domains and as GitHub commits.

Mitigation steps:

Users who downloaded the package from npm between 5:57 PM and 7:30 PM (ET) on April 22, 2026 should check for signs of compromise. The malicious npm release has been deprecated and the compromised access was revoked. Organizations should monitor for unauthorized GitHub commits containing sensitive data and review their security tooling to detect data exfiltration to GitHub repositories.
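The check described above can be scripted against the indicators this advisory lists (the package name and version, the 'bw1.js' file name, and the 'Shai-Hulud: The Third Coming' marker string). The scanner below is an added example written for this page, not code from the advisory, Socket or Bitwarden: it walks a directory tree (for example a project's node_modules or a CI runner's tool cache), reports any installed @bitwarden/cli@2026.4.0, any file named bw1.js, and any JavaScript file containing the marker string. The 20 MiB size cap and the sample tree built by build_sample_tree() are assumptions made here for demonstration; the sample's "clean" version string is a constructed placeholder, not a real release.

```python
"""Scan a directory tree for the indicators in the Bitwarden CLI advisory.

Added example, not part of the advisory. Reports three kinds of findings:
  affected_version  - a package.json naming @bitwarden/cli at version 2026.4.0
  ioc_filename      - a file named bw1.js
  ioc_string        - a .js/.mjs/.cjs file containing the marker string
"""
import json
import sys
import tempfile
from pathlib import Path

AFFECTED_NAME = "@bitwarden/cli"                 # from the advisory
AFFECTED_VERSION = "2026.4.0"                    # from the advisory
IOC_FILENAME = "bw1.js"                          # from the advisory
IOC_STRING = b"Shai-Hulud: The Third Coming"     # from the advisory
MAX_SCAN_BYTES = 20 * 1024 * 1024                # assumption: skip files over 20 MiB
JS_SUFFIXES = {".js", ".mjs", ".cjs"}


def scan_tree(root):
    """Return a list of findings; each is {'indicator': ..., 'path': ...}."""
    findings = []
    for path in Path(root).rglob("*"):
        # Only regular files; skip symlinks so a link cannot point us elsewhere.
        if path.is_symlink() or not path.is_file():
            continue

        # 1. Installed package metadata naming the affected version.
        if path.name == "package.json":
            try:
                meta = json.loads(path.read_text(encoding="utf-8", errors="replace"))
            except (json.JSONDecodeError, OSError):
                continue
            if (isinstance(meta, dict)
                    and meta.get("name") == AFFECTED_NAME
                    and meta.get("version") == AFFECTED_VERSION):
                findings.append({"indicator": "affected_version",
                                 "path": str(path.parent)})
            continue

        # 2. The file name the malicious code was shipped in.
        if path.name == IOC_FILENAME:
            findings.append({"indicator": "ioc_filename", "path": str(path)})

        # 3. The marker string inside any JavaScript file (bw1.js included).
        if path.suffix in JS_SUFFIXES:
            try:
                if path.stat().st_size > MAX_SCAN_BYTES:
                    continue
                data = path.read_bytes()
            except OSError:
                continue
            if IOC_STRING in data:
                findings.append({"indicator": "ioc_string", "path": str(path)})
    return findings


def build_sample_tree(base):
    """Constructed sample for demonstration: one affected install, one clean one."""
    base = Path(base)
    bad = base / "node_modules" / "@bitwarden" / "cli"
    bad.mkdir(parents=True)
    (bad / "package.json").write_text(
        json.dumps({"name": AFFECTED_NAME, "version": AFFECTED_VERSION}))
    # Constructed stand-in for the malicious file: only the marker string, no payload.
    (bad / IOC_FILENAME).write_bytes(
        b"// constructed sample, not the real file\nconst marker = '"
        + IOC_STRING + b"';\n")
    good = base / "clean" / "node_modules" / "@bitwarden" / "cli"
    good.mkdir(parents=True)
    (good / "package.json").write_text(
        json.dumps({"name": AFFECTED_NAME, "version": "0.0.0-clean-sample"}))
    (good / "bw.js").write_text("// ordinary file with nothing of interest\n")
    return base


def demo():
    """Build the constructed sample tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    # Usage: python scan_bitwarden_ioc.py [directory]   (no argument runs the demo)
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for finding in results:
        print(f"{finding['indicator']:17} {finding['path']}")
    sys.exit(1 if results else 0)
```

Run it against each checkout, build agent and developer machine that installed the CLI during the window above; a non-zero exit means at least one indicator matched and the host's GitHub, npm, SSH and cloud credentials should be treated as exposed. A clean scan does not prove the absence of compromise, since the advisory also lists secrets harvested from CI rather than from the installed package.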

Affected products:

@bitwarden/cli@2026.4.0
Bitwarden CLI

Related links:

Related CVEs:

Related threat actors:

IOCs:

bw1.js, String: 'Shai-Hulud: The Third Coming'

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: This website displays information obtained from external sources. Perceptive accepts no responsibility for the content, accuracy or completeness of this information.
