Bitwarden CLI hit by credential-stealing malware in coordinated supply chain attack
- Marijan Hassan - Tech Journalist
- 4 days ago
- 2 min read
A malicious version of the Bitwarden command-line interface (CLI) was briefly distributed via the npm registry following a breach of the developer's build pipeline, marking a significant escalation in a month-long supply chain campaign.

On April 22, 2026, attackers compromised a GitHub Action used in Bitwarden’s CI/CD pipeline to publish a trojanized version of the CLI, labeled version 2026.4.0, to the official npm registry. The malicious package was live for approximately 93 minutes (between 5:57 PM and 7:30 PM ET) before Bitwarden security teams detected the anomaly, revoked access, and deprecated the release.
The anatomy of the infection
The attack, attributed to the threat group TeamPCP, utilized a sophisticated payload dubbed "Shai-Hulud: The Third Coming." Once a developer or automated system executed npm install, a preinstall script triggered the following sequence:
Credential harvesting: The malware systematically scanned for GitHub and npm tokens, SSH keys, and cloud provider credentials (AWS, Azure, and GCP).
AI tool targeting: In a modern twist, the payload specifically targeted configurations for AI coding assistants, including Claude Code, Cursor, Aider, and MCP (Model Context Protocol) files.
Stealthy exfiltration: Stolen data was encrypted via AES-256-GCM and sent to a fraudulent command-and-control (C2) domain, audit.checkmarx[.]cx, designed to mimic legitimate security telemetry.
Self-propagation: If a valid GitHub token was found, the malware attempted to inject malicious workflows into the victim’s repositories, effectively turning the compromised machine into a pivot point for further attacks.
The Checkmarx connection
This incident is directly linked to a broader campaign that hit the security firm Checkmarx on the same day. Attackers poisoned Checkmarx’s KICS (Keeping Infrastructure as Code Secure) Docker images and VS Code extensions. Both attacks shared identical C2 infrastructure and obfuscation techniques, suggesting a highly organized effort to compromise high-trust developer tools.
Bitwarden’s response
Bitwarden has emphasized that end-user vault data remained secure throughout the incident. The breach was confined to the npm distribution channel and did not impact the core Bitwarden codebase, browser extensions, or mobile apps.
"Our investigation found no evidence that production data or production systems were compromised," Bitwarden stated. "The issue affected the npm distribution mechanism for the CLI during a limited window; it did not affect the integrity of legitimate Bitwarden vault data."
Remediation steps for developers
Security researchers from JFrog and Socket advise any user who interacted with the Bitwarden CLI during the 93-minute window to take immediate action:
Uninstall and purge: Run npm uninstall -g @bitwarden/cli and clear the npm cache using npm cache clean --force.
Rotate all secrets: Treat any credentials stored on the machine, including cloud keys, SSH keys, and GitHub PATs, as compromised.
Audit workflows: Check .github/workflows for unauthorized changes or new, suspicious public repositories created under your account.
Update: Install the verified version 2026.4.1 or later, which contains the necessary security fixes and a clean build.
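The first of those steps assumes you know whether the trojanized release ever landed on a machine. The script below is an added example, not code from the article or from Bitwarden, JFrog or Socket: it takes the JSON that `npm ls -g --json` (or `npm ls --json` inside a project) and a `package-lock.json` produce and reports every path at which the version named in the article, 2026.4.0, is pinned, including transitive installs under another package. The function names and the sample JSON documents are constructed for the example; the only value taken from the article is the affected version string.

```python
"""Audit npm inventory output for the trojanized @bitwarden/cli release.

Example code: the helper names and sample documents are constructed; the
affected version string is the one named in the article.
"""
import json

AFFECTED_PACKAGE = "@bitwarden/cli"
AFFECTED_VERSIONS = {"2026.4.0"}  # release named in the article


def _walk_dependency_tree(node: dict, path: list[str], hits: list[str]) -> None:
    """Recursively visit a nested 'dependencies' map (the shape used by
    `npm ls --json` and by lockfileVersion 1) and record affected installs."""
    for name, info in (node.get("dependencies") or {}).items():
        here = path + [name]
        if name == AFFECTED_PACKAGE and info.get("version") in AFFECTED_VERSIONS:
            hits.append(" > ".join(here))  # dependency chain that pulled it in
        _walk_dependency_tree(info, here, hits)


def find_in_npm_ls(npm_ls_json: str) -> list[str]:
    """Return dependency chains from `npm ls [-g] --json` output that end in an
    affected @bitwarden/cli, e.g. ['@bitwarden/cli', 'tool > @bitwarden/cli']."""
    hits: list[str] = []
    _walk_dependency_tree(json.loads(npm_ls_json), [], hits)
    return hits


def find_in_lockfile(lockfile_json: str) -> list[str]:
    """Return the node_modules paths in a package-lock.json pinned to an
    affected version. lockfileVersion 2/3 use a flat 'packages' map keyed by
    path; lockfileVersion 1 uses the nested 'dependencies' shape instead."""
    lock = json.loads(lockfile_json)
    packages = lock.get("packages")
    if packages is None:
        hits: list[str] = []
        _walk_dependency_tree(lock, [], hits)
        return hits
    hits = []
    for pkg_path, info in packages.items():
        # The package name is whatever follows the last 'node_modules/' segment,
        # so nested installs such as a/node_modules/@bitwarden/cli are caught too.
        name = pkg_path.rsplit("node_modules/", 1)[-1]
        if name == AFFECTED_PACKAGE and info.get("version") in AFFECTED_VERSIONS:
            hits.append(pkg_path)
    return hits


# Constructed sample of `npm ls -g --json` on a machine that installed the
# trojanized CLI both directly and as a dependency of a hypothetical tool.
SAMPLE_NPM_LS = json.dumps({
    "name": "lib",
    "dependencies": {
        "@bitwarden/cli": {"version": "2026.4.0"},
        "release-helper": {
            "version": "1.2.3",
            "dependencies": {"@bitwarden/cli": {"version": "2026.4.0"}},
        },
        "typescript": {"version": "5.4.5"},
    },
})

# Constructed lockfileVersion 3 document pinning the affected release.
SAMPLE_LOCKFILE = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "ci-scripts", "version": "0.1.0"},
        "node_modules/@bitwarden/cli": {"version": "2026.4.0"},
        "node_modules/left-pad": {"version": "1.3.0"},
    },
})

if __name__ == "__main__":
    # For a real check, feed in the output of:
    #   npm ls -g --json > global.json   and   cat package-lock.json
    for chain in find_in_npm_ls(SAMPLE_NPM_LS):
        print("affected install:", chain)
    for path in find_in_lockfile(SAMPLE_LOCKFILE):
        print("affected lockfile entry:", path)
```

A hit from either function means the preinstall script ran on that host, so the uninstall, cache purge and secret rotation steps above apply; a clean result from `npm ls` alone is not enough, because a lockfile can still reinstall the pinned version on the next `npm ci`.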