Bitwarden serves over 10 million users and 50,000 businesses. On April 22, 2026, for exactly 93 minutes, its CLI was shipping malware.
This was not a phishing campaign. Nobody tricked a Bitwarden employee into clicking a link. The attackers walked straight through the CI/CD pipeline, injected malicious code into an official release, and let Bitwarden's own npm publishing mechanism do the distribution for them.
The Problem It's Solving (For the Attackers)
Supply chain attacks are effective precisely because they subvert trust. You don't need to compromise a developer's machine directly if you can compromise the tool they're already running with elevated permissions in their build pipeline.
The affected package version was @bitwarden/cli@2026.4.0, and the malicious code was published in bw1.js, a file included in the package contents. The Hacker News The Bitwarden CLI sits in a privileged position in developer environments — it's commonly used for secrets injection and automated deployments in CI/CD pipelines. That makes it a high-value target.
The compromise was connected to the ongoing Checkmarx supply chain campaign, with a threat group hijacking the npm package and injecting malicious code designed to steal sensitive data from developer workstations and CLI environments. Security Boulevard The researchers who caught it — Socket, JFrog, Ox Security, and StepSecurity — identified it as part of a broader pattern that has been running since at least March 2026.
How the Attack Actually Worked
The attackers gained access by exploiting a GitHub Actions workflow in Bitwarden's CI/CD pipeline, mirroring previously documented techniques in the Checkmarx campaign, where threat actors leveraged stolen credentials to inject malicious workflows, exfiltrate secrets, and tamper with build outputs before distribution. CyberInsider
Once inside, the payload was embedded quietly into a legitimate build. The malicious payload, embedded in a file called bw1.js, ran during package installation and harvested GitHub and npm tokens, SSH keys, environment variables, shell history, and cloud credentials. Yahoo!
The exfiltration destination is worth noting. The stolen data was encrypted with AES-256-GCM and exfiltrated to audit.checkmarx[.]cx, a domain impersonating Checkmarx. The Hacker News Typosquatting a security company's domain to hide malware traffic is a particularly cynical touch.
The blast radius doesn't stop at the developer's machine either. If GitHub tokens are found, the malware weaponizes them to inject malicious Actions workflows into repositories and extract CI/CD secrets — meaning a single developer with the affected version installed can become the entry point for a broader supply chain compromise, with the attacker gaining persistent workflow injection access to every CI/CD pipeline the developer's token can reach. The Hacker News
There's also an attribution wrinkle that security researchers are still untangling. While the shared tooling strongly suggests a connection to the same malware ecosystem as the Checkmarx campaign, the operational signatures differ: the ideological branding is embedded directly in the malware, from the Shai-Hulud repository names to the "Butlerian Jihad" manifesto payload to commit messages proclaiming resistance against machines. Socket That points to either a splinter group or a campaign evolution — not a clean attribution to TeamPCP, who claimed the original Checkmarx attack.
What Developers Are Actually Exposed To
Only the npm CLI package was affected. Bitwarden's Chrome extension, MCP server, and other official distribution channels remain uncompromised. Cyber Security News
The malicious package was active between 5:57 PM and 7:30 PM ET on April 22, 2026. Bitwarden That's a 93-minute exposure window. Narrow, but enough.
Security researcher Adnan Khan noted this is the first known compromise of a package using npm's trusted publishing mechanism, which was designed to eliminate long-lived tokens. BeInCrypto That's significant. Trusted publishing was supposed to be the hardened path. The attackers didn't bypass it — they compromised the GitHub Actions workflow upstream of it, then let the trusted mechanism publish for them.
TeamPCP's broader campaign separately targets crypto wallet data, including MetaMask, Phantom, and Solana wallet files, and has chained similar attacks against Trivy, Checkmarx, and LiteLLM since March 2026, targeting developer tools that sit deep in build pipelines. Yahoo!
Why This Is a Bigger Deal Than It Looks
Bitwarden confirmed the incident but contained the framing carefully: no end-user vault data was accessed, no production systems compromised. That's true, and it matters. But the more important story here isn't about Bitwarden specifically.
The attack is another example of the increasing cybersecurity risks to CI/CD architectures as they become more foundational in the software development pipeline, with threat actors expanding their targeting of them in supply chain campaigns. Security Boulevard
The vector — GitHub Actions compromise leading to poisoned npm releases — is repeatable. It has been used against Trivy, Checkmarx's own tooling, and LiteLLM. The Bitwarden compromise isn't an isolated incident; it's the latest iteration of a campaign that is actively refining its technique against high-trust developer tooling.
And the MCP angle is worth flagging: the malicious bw1.js payload shares core infrastructure with the previously analyzed mcpAddon.js, including an identical C2 endpoint. Cyber Security News As MCP servers proliferate across developer toolchains, they're becoming targets in the same supply chain vector. The attack surface is expanding in lockstep with adoption.
Availability and Access (What To Do Right Now)
If you installed @bitwarden/cli@2026.4.0 during the window: treat your environment as fully compromised. Rotate every secret the machine had access to — GitHub tokens, npm credentials, cloud provider keys, SSH keys, everything.
Socket recommends downgrading to version 2026.3.0 or switching to official signed binaries from Bitwarden's website. BeInCrypto
On endpoints and runners, hunt for outbound connections to audit[.]checkmarx[.]cx, execution of Bun where it is not normally used, and access to files such as .npmrc, .git-credentials, .env, and cloud credential stores. For GitHub Actions, review whether any unapproved workflows were created on transient branches. Socket
A CVE for Bitwarden CLI version 2026.4.0 is being issued in connection with this incident. CyberInsider
The Bitwarden CLI attack is a clean demonstration of where the real risk in developer infrastructure lives right now: not in the applications themselves, but in the build systems that ship them. One poisoned GitHub Actions workflow, one 93-minute publish window, and a trusted tool becomes a credential harvester running inside your pipeline with your own permissions.
The question isn't whether your password manager's vault is safe. It's whether you can verify the integrity of every tool in your build chain. Most teams can't.
Follow for more coverage on MCP, agentic AI, and AI infrastructure.
Top comments (0)