top of page
perceptive_background_267k.jpg

Bitwarden CLI Hijacked on npm: Bun-Staged Credential Stealer Targets Developers, GitHub Actions, and AI Tools

Published:

24 April 2026 at 09:52:38

Alert date:

24 April 2026 at 10:01:03

Source:

stepsecurity.io

Click to open the original link from this advisory

Supply Chain & Dependencies, Data Breach & Exfiltration, Security Tools

The official Bitwarden CLI package (@bitwarden/cli@2026.4.0) was compromised on npm with a malicious preinstall hook. The attack deploys a 9.7 MB obfuscated credential stealer that targets developer secrets, GitHub Actions environments, and AI coding tool configurations. Stolen data is encrypted with AES-256-GCM and sent to audit.checkmarx.cx, a domain impersonating Checkmarx. When GitHub tokens are found, the malware injects malicious workflows into repositories to extract CI/CD secrets, creating a supply chain attack pivot point.

Technical details

Mitigation steps:

Affected products:

Bitwarden CLI
npm
GitHub Actions
Bun JavaScript Runtime

Related links:

https://www.stepsecurity.io/blog/bitwarden-cli-hijacked-on-npm-bun-staged-credential-stealer-targets-developers-github-actions-and-ai-tools

Related CVE's:

Related threat actors:

IOC's:

audit.checkmarx.cx

This article was created with the assistance of AI technology by Perceptive.

About us

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: Deze website toont informatie afkomstig van externe bronnen. Perceptive aanvaardt geen verantwoordelijkheid voor de inhoud, juistheid of volledigheid van deze informatie.

bottom of page