


Perceptive Security
SOC/SIEM Consultancy

Bitwarden CLI 2026.4.0 was compromised in the Checkmarx supply chain campaign after attackers abused a GitHub Action in Bitwarden’s CI/CD pipeline.
Published:
23 April 2026 at 13:07:13
Alert date:
23 April 2026 at 15:02:55
Source:
socket.dev
Supply Chain & Dependencies, Security Tools
Socket researchers discovered that Bitwarden CLI version 2026.4.0 was compromised as part of the ongoing Checkmarx supply chain campaign. The attack leveraged a compromised GitHub Action in Bitwarden's CI/CD pipeline, with malicious code published in the bw1.js file. This compromise follows the same GitHub Actions supply chain attack vector identified in the broader Checkmarx campaign affecting multiple repositories. The attack represents an active supply chain compromise targeting development tools and CI/CD pipelines.
Technical details
The malicious code was published in the bw1.js file shipped in the package contents of @bitwarden/cli 2026.4.0. The package was built by a CI/CD pipeline that used a compromised GitHub Action, the same GitHub Actions supply chain vector identified in the broader Checkmarx campaign.
Mitigation steps:
Review CI logs for signs of compromise and rotate any secrets that may have been exposed to the compromised workflow
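Reviewing CI logs and rotating secrets is a manual step, but the two indicators the alert names (package version 2026.4.0 and a bw1.js file inside the @bitwarden/cli package directory) can be checked across a developer machine or build agent automatically. The script below is an added example, not Perceptive's or Bitwarden's code: it walks a directory tree for installed copies of @bitwarden/cli and flags any that match either indicator. The node_modules layout it scans is constructed inline, and the "clean" version string 2026.3.0 is a placeholder for illustration only.

```python
"""Scan a directory tree for installs of the compromised @bitwarden/cli release.

Added example, not part of the original alert. It checks the two indicators the
alert lists: the version 2026.4.0 and the presence of bw1.js in the package
directory. The sample tree it scans is constructed inline for demonstration.
"""
import json
import tempfile
from pathlib import Path

PACKAGE_NAME = "@bitwarden/cli"
COMPROMISED_VERSION = "2026.4.0"   # from the alert
MARKER_FILE = "bw1.js"             # from the alert


def scan_tree(root):
    """Return one finding per @bitwarden/cli package directory found under root."""
    findings = []
    for pkg_json in Path(root).rglob("package.json"):
        # Only inspect the package's own manifest: .../@bitwarden/cli/package.json
        pkg_dir = pkg_json.parent
        if pkg_dir.name != "cli" or pkg_dir.parent.name != "@bitwarden":
            continue
        try:
            manifest = json.loads(pkg_json.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, do not crash the scan
        if manifest.get("name") != PACKAGE_NAME:
            continue
        version = str(manifest.get("version", ""))
        findings.append({
            "path": str(pkg_dir),
            "version": version,
            "compromised_version": version == COMPROMISED_VERSION,
            "marker_file_present": (pkg_dir / MARKER_FILE).is_file(),
        })
    return findings


def is_suspicious(finding):
    """Either indicator alone is enough to warrant log review and secret rotation."""
    return finding["compromised_version"] or finding["marker_file_present"]


def build_sample_tree():
    """Construct a throwaway node_modules layout with one clean and one bad install."""
    root = tempfile.mkdtemp(prefix="bw-scan-")
    layouts = {
        # constructed clean install; 2026.3.0 is a placeholder version, not from the alert
        "app-a/node_modules/@bitwarden/cli": ("2026.3.0", False),
        # constructed install matching both indicators from the alert
        "app-b/node_modules/@bitwarden/cli": ("2026.4.0", True),
    }
    for rel, (version, add_marker) in layouts.items():
        pkg_dir = Path(root) / rel
        pkg_dir.mkdir(parents=True)
        manifest = {"name": PACKAGE_NAME, "version": version}
        (pkg_dir / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
        if add_marker:
            # Placeholder content standing in for the malicious file; only its presence matters here.
            (pkg_dir / MARKER_FILE).write_text("// placeholder\n", encoding="utf-8")
    return root


def run_demo():
    """Scan the constructed tree and return (all findings, flagged findings)."""
    root = build_sample_tree()
    findings = sorted(scan_tree(root), key=lambda f: f["path"])
    flagged = [f for f in findings if is_suspicious(f)]
    for f in findings:
        status = "SUSPICIOUS" if is_suspicious(f) else "ok"
        print(f"{status:10} {f['version']:10} marker={f['marker_file_present']} {f['path']}")
    return findings, flagged


if __name__ == "__main__":
    run_demo()
```

On a real host, point scan_tree at the directory roots where npm installs packages (project node_modules directories and the global prefix) rather than at the constructed tree; any flagged path is the trigger for the log review and secret rotation the alert calls for.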
Affected products:
@bitwarden/cli 2026.4.0
Related links:
https://socket.dev/blog/checkmarx-supply-chain-compromise
https://socket.dev/npm/package/@bitwarden/cli/overview/2026.4.0
https://socket.dev/npm/package/@bitwarden/cli/files/2026.4.0/bw1.js
Related CVEs:
Related threat actors:
IOCs:
@bitwarden/cli version 2026.4.0, bw1.js file in compromised package
This article was created with the assistance of AI technology by Perceptive.
