ITnews

Checkmarx-style supply chain attack hits password manager Bitwarden

A malicious version of the Bitwarden command-line interface (CLI) password manager was briefly distributed via the Node package manager (npm), as part of a widening supply chain attack targeting developer tooling from security vendor Checkmarx.

Researchers from supply chain security companies Socket and JFrog both identified the compromise, which affected @bitwarden/cli@2026.4.0 for a window of 93 minutes on April 22 (April 23 AEST).

Bitwarden confirmed the incident in its community forum on April 23.

“The Bitwarden security team identified and contained a malicious package that was briefly distributed through the npm delivery path for @bitwarden/cli@2026.4.0 between 5:57 PM and 7:30 PM (ET) on April 22, 2026, in connection with a broader Checkmarx supply chain incident,” Adam Eckerle of the Bitwarden security team said.

The company said no end-user vault data was accessed and production systems were not compromised, although a CVE identifier is being issued for the affected version.

Bitwarden said only the CLI npm package was affected; its browser extensions, MCP server, and other distributions were not compromised.

A malicious payload was introduced through a compromised GitHub Action in Bitwarden’s continuous integration/continuous delivery (CI/CD) pipeline.

It was delivered inside a file named bw1.js, executed automatically via a preinstall hook the moment a developer ran npm install.

Socket researchers found the payload shares core infrastructure with the mcpAddon.js malware used in the earlier Checkmarx Keeping Infrastructure as Code Secure (KICS) attack.

This includes an identical command-and-control endpoint at audit.checkmarx[.]cx, a domain crafted to impersonate legitimate Checkmarx infrastructure.

The malware attempts to harvest a wide range of credentials.

Socket’s analysis found it targets GitHub tokens via Runner.Worker memory scraping, AWS credentials from ~/.aws/ files, Azure tokens via azd, Google Cloud credentials via gcloud, npm configuration files, SSH keys, environment variables, and Claude and MCP configuration files.

Stolen data is compressed, encrypted with AES-256-GCM, and exfiltrated to the attacker-controlled domain before being committed to automatically created public GitHub repositories under victim accounts.

Dune references and a Russian kill switch in worm

Once a developer’s npm token is stolen, the malware weaponises it to republish malicious versions of every npm package that the token can write to.

This worm-like propagation is what makes CI/CD-targeted supply chain attacks particularly corrosive: a single developer machine becomes a distribution point for further infections downstream.

Socket said that a single developer with the compromised package installed could give attackers persistent workflow injection access to every CI/CD pipeline their token can reach.

The malware also establishes persistence by injecting a payload loader into ~/.bashrc and ~/.zshrc shell files, meaning the infection survives a package removal.

Meanwhile, the bw1.js payload includes several indicators that were not present in the earlier Checkmarx attack.

Exfiltration repositories are created under Dune-themed names following the pattern {word}-{word}-{3digits}, with the repository description set to “Shai-Hulud: The Third Coming.”

The malware also contains a Russian locale kill switch: it exits silently if the system locale begins with “ru”, checking the Intl.DateTimeFormat locale as well as the LC_ALL, LC_MESSAGES, LANGUAGE and LANG environment variables.

TeamPCP’s second Checkmarx attack

The threat actor group TeamPCP publicly claimed responsibility for the broader campaign after its discovery, consistent with the group’s behaviour following the March 23 attack on Checkmarx’s GitHub Actions workflows and OpenVSX plugins.

That first incident compromised Checkmarx’s KICS and AST GitHub Actions, as well as two Visual Studio Code extensions, exposing infrastructure secrets from any CI/CD runner that pulled the malicious versions during a roughly 13-hour window.

The April attack went further, swapping the Docker image digests behind existing KICS tags so that developers pulling what they believed was an already-trusted version received a malicious binary instead.

Organisations that installed @bitwarden/cli@2026.4.0 should treat the incident as a confirmed credential exposure event.

Immediate steps include removing the affected package from all developer systems and build environments, rotating GitHub tokens, npm tokens, cloud credentials, SSH keys, and CI/CD secrets, and reviewing GitHub for unexpected workflow files under .github/workflows/ or new public repositories matching the Dune-themed staging pattern.

The malicious npm package has been deprecated and is no longer available for download.
