Bitwarden CLI Compromised in Supply Chain Attack via GitHub Actions
Cyber Security News, archived Apr 23, 2026
Socket has confirmed that Bitwarden CLI version 2026.4.0 was compromised as part of the ongoing Checkmarx supply chain campaign, exposing millions of users and thousands of enterprises to credential theft and CI/CD pipeline infiltration.
The attack targeted @bitwarden/cli 2026.4.0 on npm, injecting a malicious file named bw1.js into the package contents. Bitwarden CLI is used by over 10 million users and 50,000+ businesses, making it one of the highest-impact targets in the campaign to date.
Notably, only the npm CLI package was affected. Bitwarden’s Chrome extension, MCP server, and other official distribution channels remain uncompromised.
Attackers exploited a compromised GitHub Action within Bitwarden’s CI/CD pipeline, the same supply chain vector identified in the broader Checkmarx campaign documented by Socket researchers.
The malicious bw1.js payload shares core infrastructure with the previously analyzed mcpAddon.js, including an identical C2 endpoint (audit.checkmarx[.]cx/v1/telemetry) obfuscated via __decodeScrambled with seed 0x3039.
The payload employed a sophisticated multi-stage architecture:
Credential harvesting targeting GitHub tokens via Runner.Worker memory scraping, AWS credentials from ~/.aws/, Azure tokens via azd, GCP credentials via gcloud, npm tokens from .npmrc, SSH keys, and Claude/MCP configuration files
GitHub exfiltration by creating public repositories under victim accounts using Dune-themed naming conventions ({word}-{word}-{3digits}), with encrypted results committed and tokens embedded in commit messages
Supply chain propagation through npm token theft to identify writable packages and republish them with injected preinstall hooks, alongside GitHub Actions workflow injection to capture repository secrets
Shell persistence by injecting payloads into ~/.bashrc and ~/.zshrc
Russian locale kill switch that exits silently if the system locale begins with “ru”
The payload runs on Bun v1.3.13, downloaded directly from GitHub releases.
While the shared tooling links this attack to the Checkmarx malware ecosystem, several indicators suggest a different — or evolved — operator. The malicious payload carries explicit ideological branding: repository descriptions reference “Shai-Hulud: The Third Coming,” debug strings invoke “Butlerian Jihad,” and commit messages proclaim resistance against machines.
This contrasts sharply with the earlier Checkmarx campaign, which used deceptive but neutral-looking descriptions. Socket researchers note this could indicate a splinter group, a different operator sharing infrastructure, or a deliberate shift in the campaign’s posture.
Organizations that installed the compromised package should treat this as a full credential exposure event. Immediate steps include:
Remove the affected package from all developer systems and build environments
Rotate all potentially exposed credentials — GitHub tokens, npm tokens, cloud credentials, SSH keys, and CI/CD secrets
Audit GitHub for unauthorized repository creation, unexpected workflow files under .github/workflows/, and Dune-themed staging repositories
Hunt for the persistence lock file at /tmp/tmp.987654321.lock and unauthorized modifications to shell profiles
Monitor for outbound connections to audit.checkmarx[.]cx and unusual Bun runtime execution
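A read-only host triage script for the steps above, written here as an added example (it is not Bitwarden's or Socket's tooling): it reports the persistence lock file, indicator strings in ~/.bashrc and ~/.zshrc, and the compromised release or the dropped bw1.js in any node_modules root passed to it. The profile patterns (the C2 host name, the lock file path, the bun binary) are assumed heuristics, since the article does not publish the injected profile lines.

```shell
#!/bin/sh
# Read-only host triage for the indicators the article lists (added example,
# not Bitwarden's or Socket's tooling). Nothing on the host is modified.
BAD_PKG='@bitwarden/cli'
BAD_VER='2026.4.0'
LOCK_FILE='/tmp/tmp.987654321.lock'

# 0 if the package.json at $1 describes the compromised CLI release.
is_bad_cli_manifest() {
    [ -f "$1" ] || return 1
    grep -q "\"name\": *\"$BAD_PKG\"" "$1" &&
        grep -q "\"version\": *\"$BAD_VER\"" "$1"
}

# 0 if the node_modules tree at $1 holds the bad version or the dropped bw1.js.
scan_node_modules() {
    pkg="$1/@bitwarden/cli"
    found=1
    if is_bad_cli_manifest "$pkg/package.json"; then
        echo "HIT  $pkg is $BAD_PKG $BAD_VER"; found=0
    fi
    if [ -f "$pkg/bw1.js" ]; then
        echo "HIT  malicious file $pkg/bw1.js"; found=0
    fi
    return $found
}

# 0 if the shell profile at $1 mentions the C2 host, the lock file or the Bun
# runtime (assumed heuristic). Whole-word -w keeps "ubuntu" from matching "bun".
scan_profile() {
    [ -f "$1" ] || return 1
    hits=$(grep -n -i -w -e checkmarx -e 'tmp\.987654321' -e bun "$1") || return 1
    printf '%s\n' "$hits" | sed "s|^|HIT  $1:|"
}

# 0 if the payload's persistence lock file exists ($1 overrides the path).
lock_file_present() { [ -e "${1:-$LOCK_FILE}" ]; }

# Triage this host: lock file, the user's shell profiles, and every
# node_modules root passed as an argument (project dirs, `npm root -g`).
triage_host() {
    status=1
    lock_file_present && { echo "HIT  $LOCK_FILE exists"; status=0; }
    for p in "$HOME/.bashrc" "$HOME/.zshrc"; do scan_profile "$p" && status=0; done
    for root in "$@"; do scan_node_modules "$root" && status=0; done
    [ $status -eq 0 ] && echo "Indicators found: treat as a credential exposure event." \
                      || echo "No indicators found."
    return $status
}
```

Source the file and run `triage_host ./node_modules "$(npm root -g)"` on each developer machine and build agent; a zero exit status means at least one indicator was found.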
Long-term hardening should include locking down token scopes, enforcing short-lived credentials, restricting package publish permissions, and hardening GitHub Actions with least-privilege configurations.
IOC Summary

Indicator             Details
Malicious Package     @bitwarden/cli 2026.4.0
Malicious File        bw1.js
C2 Endpoint           audit.checkmarx[.]cx/v1/telemetry
Lock File             /tmp/tmp.987654321.lock
Staging Repo Pattern  {word}-{word}-{3digits}
Socket’s security research team continues to investigate the full scope of the campaign. Organizations are urged to treat any exposure to this package version as a confirmed incident until further analysis is complete.