Security News: Bitwarden CLI Compromised in Ongoing Checkmarx Supply Chain Campaign

Khushal

Apr 4, 2024
The Checkmarx TeamPCP campaign has now spread to npm! Package @bitwarden/cli (78K weekly downloads) v2026.4.0 steals GitHub/npm tokens, .ssh, .env, shell history, GitHub Actions and cloud secrets, then exfiltrates the data to private domains & as GitHub commits

Payload looks very similar to the attack discovered yesterday by Docker, which affected Checkmarx docker images & VSCode extensions

 
Important correction

I can’t verify the claim as quoted, and members should be very careful here because package-compromise claims can spread quickly before all details are confirmed.

What can be said safely

  • If a widely used npm package or a package namespace is reported as compromised, the safest approach is to treat the report as unconfirmed until verified by the vendor and multiple reputable sources.
  • A security blog post can be useful, but it is still best to wait for confirmation from the affected vendor/project and the npm package history itself.
  • It would be risky to assume every version, every scope, or every related Bitwarden package is affected without confirmation.

Practical next steps for anyone using the npm package

  • Check the official Bitwarden channels and npm package page for confirmation, advisories, or a rollback.
  • Review exactly which package name and version is installed in your environment.
  • If the reported version is present, stop using it until the issue is clarified.
  • Rotate potentially exposed secrets if that version was installed in a sensitive environment:
    • npm tokens
    • GitHub tokens
    • SSH keys
    • cloud credentials
    • CI/CD secrets
  • Inspect CI logs, shell history access, and recent outbound connections for anything unusual.
  • Run a full scan with reputable security software on affected systems, while keeping in mind that infostealer-style activity may not always leave obvious detections.
  • Wait for further community analysis and vendor confirmation before drawing broader conclusions.

Why caution matters here

Package names, scopes, and version numbers matter a lot. A claim about “Bitwarden CLI” could refer to:

  • the official Bitwarden CLI distribution
  • an npm-scoped package with a similar name
  • a briefly hijacked release
  • or a report that is later corrected

Those are very different situations.

Bottom line

Treat the specific reported package/version as suspicious until verified, but do not assume the entire Bitwarden ecosystem is compromised without solid confirmation. The safest response is to verify installed versions, pause usage of the reported release, and rotate any secrets that may have been exposed.
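To make the "review exactly which package name and version is installed" step concrete, here is an added example (JavaScript, not from this thread, from JFrog or from Bitwarden) that walks an npm lockfile and flags every copy of @bitwarden/cli whose version is on the reported list. The sample lockfile, its resolved URL and its integrity hash are constructed for the demo; the only real identifiers are the package name and the version 2026.4.0 named above.

```javascript
// Added example (not from the thread or from Bitwarden): find every copy of
// a package in an npm lockfile and flag the versions reported as malicious.
// Handles lockfileVersion 2/3 ("packages", keyed by install path) and
// lockfileVersion 1 ("dependencies", nested per dependent).

const AFFECTED = { name: "@bitwarden/cli", versions: new Set(["2026.4.0"]) };

// Returns every installed copy of `name`: { path, version, resolved, integrity }.
function findPackage(lock, name) {
  const hits = [];
  const record = (path, meta) =>
    hits.push({ path, version: meta.version, resolved: meta.resolved, integrity: meta.integrity });

  if (lock.packages) {
    // v2/v3 keys: "node_modules/@bitwarden/cli", "node_modules/x/node_modules/@bitwarden/cli", ...
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)) {
        record(path, meta);
      }
    }
    return hits;
  }

  // v1: walk the nested "dependencies" tree, reconstructing the install path.
  const walk = (deps, prefix) => {
    for (const [depName, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${depName}`;
      if (depName === name) record(path, meta);
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Annotates each hit with whether its version is on the affected list.
function assess(lock, affected = AFFECTED) {
  return findPackage(lock, affected.name).map((hit) => ({
    ...hit,
    affected: affected.versions.has(hit.version),
  }));
}

// True if any installed copy is an affected version.
function isAffected(lock, affected = AFFECTED) {
  return assess(lock, affected).some((hit) => hit.affected);
}

// Constructed sample lockfile (v3). The integrity hash is made up and is NOT
// the hash of the real malicious tarball.
const SAMPLE_LOCK = {
  name: "release-tooling",
  lockfileVersion: 3,
  packages: {
    "": { name: "release-tooling", dependencies: { "@bitwarden/cli": "2026.4.0" } },
    "node_modules/@bitwarden/cli": {
      version: "2026.4.0",
      resolved: "https://registry.npmjs.org/@bitwarden/cli/-/cli-2026.4.0.tgz",
      integrity: "sha512-CONSTRUCTED",
    },
  },
};

for (const hit of assess(SAMPLE_LOCK)) {
  console.log(`${hit.affected ? "AFFECTED" : "ok      "} ${hit.path} ${hit.version}`);
}
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(require("node:fs").readFileSync("package-lock.json", "utf8"))`. The CLI is usually installed globally, and a global install has no project lockfile, so also run `npm ls -g @bitwarden/cli` and read `version` from `node_modules/@bitwarden/cli/package.json` under the global prefix. A version match tells you only that the reported release was installed; whether its payload ran still has to come from the CI logs and outbound-connection review listed above.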
 
Bitwarden Statement on Checkmarx Supply Chain Incident
The Bitwarden security team identified and contained a malicious package that was briefly distributed through the npm delivery path for @bitwarden/cli@2026.4.0 between 5:57 PM and 7:30 PM (ET) on April 22, 2026, in connection with a broader Checkmarx supply chain incident.

The investigation found no evidence that end user vault data was accessed or at risk, or that production data or production systems were compromised. Once the issue was detected, compromised access was revoked, the malicious npm release was deprecated, and remediation steps were initiated immediately.

The issue affected the npm distribution mechanism for the CLI during that limited window, not the integrity of the legitimate Bitwarden CLI codebase or stored vault data.

Users who did not download the package from npm during that window were not affected. Bitwarden has completed a review of internal environments, release paths, and related systems, and no additional impacted products or environments have been identified at this time. A CVE for Bitwarden CLI version 2026.4.0 is being issued in connection with this incident.
 

Notes

  1. According to Bitwarden, the malicious distribution window was between 5:57 PM and 7:30 PM (ET) on April 22, 2026
  2. ~8 hours after the beginning of the window, Bitwarden published v2026.4.1 on npm.
  3. 13 hours later, to the minute (I found the exact minute to be disconcerting/suspicious), JFrog Security published the X post.
  4. 17 hours later, Github re-released v2026.4.1 (same as v2026.3.0), without ever releasing v2026.4.0 (the malicious version number).
  5. About the same time, BW published the official statement (link in 1), which would probably be appropriately updated.

Summary from StepSecurity

Here's the best summary (non-official) description I have heard so far:

This is the first confirmed supply chain attack where npm's OIDC Trusted Publishing was used to publish a compromised package, and the attack chain is one of the most sophisticated GitHub Actions supply chain compromises StepSecurity has analyzed to date.

A Bitwarden engineer's GitHub account was compromised. The attacker created a new branch in the bitwarden/clients repository, staged a prebuilt malicious tarball, and rewrote the publish-cli.yml workflow to exchange a GitHub Actions OIDC token for an npm auth token via the npm registry API. The workflow then used that token to publish the staged tarball directly to npm. Once the package was live, the attacker deleted all workflow runs, the branch, and the release tag, leaving the published package on npm as the primary remaining artifact.

OIDC Trusted Publishing has been widely promoted across the industry as the modern, secure alternative to long lived npm tokens and as a silver bullet against token theft. In this incident, the attacker turned Trusted Publishing itself into the publishing channel. npm Trusted Publishing currently does not support branch level restrictions, so any compromised branch on the repository was able to publish to npm. A GitHub environment with a required approval gate would have blocked the publish, but no such gate was in place on this workflow.

Microsoft

For your entertainment, Microsoft is currently the "only one" picking the javascript up on VT. There's an advantage to being everywhere, after all.

[attached screenshot 1777006740852.png: VirusTotal detections for the JavaScript payload]

edited:
1. added info on the npm publication.
2. Microsoft on VT
3. StepSecurity's description
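The StepSecurity summary above names the two gaps the attacker walked through: the publish workflow could be run from any branch, and no GitHub environment with required approval stood between an OIDC token and npm. The workflow below is an added example of the hardened shape, not the bitwarden/clients publish-cli.yml; the environment name "npm-publish" and the build script are assumptions.

```yaml
# Added example, not the bitwarden/clients publish-cli.yml. The environment
# name "npm-publish" and the build script are assumptions.
name: publish-cli

on:
  release:
    types: [published]   # was: push to any branch, so any branch could publish

permissions: {}          # nothing at the workflow level; grant per job

jobs:
  publish:
    runs-on: ubuntu-latest

    # Protected environment. In the repository settings this environment gets
    # "Required reviewers" (with self-review disabled) and a deployment
    # branch/tag policy. Protection rules are evaluated before the job starts,
    # so no step (and no OIDC token request) runs until a reviewer approves,
    # and a run from a branch outside the policy is refused outright.
    environment: npm-publish

    permissions:
      contents: read
      id-token: write      # the OIDC token can only be minted inside this gated job

    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.release.tag_name }}   # build exactly what was released
      - uses: actions/setup-node@v4
        with:
          node-version: 22
      - run: npm ci
      - run: npm run build
      # Build from source in this run. Never publish a prebuilt tarball that
      # was committed or uploaded out of band, which is what the staged
      # tarball in the incident relied on.
      - run: npm publish --provenance --access public
```

Two settings outside the YAML complete the gate. On the npm side, register the trusted publisher with the workflow filename and the environment name, so a token minted by a job without that environment claim is rejected by the registry even if the filename matches. On the GitHub side, make the required reviewers a set that does not include any single account with push access, otherwise one compromised engineer account can both push the branch and approve the deployment. This does not prevent a compromised account from editing the workflow file itself, which is why the branch/tag policy and the release trigger matter: the edited workflow still only runs inside the environment, from an allowed ref, after approval.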
 
Although not in VT:

I asked Maxim, Malware Analyst Team Lead at Kaspersky, about it. This was his response:
Hello,

This malware family is already detected as HEUR:Worm.Script.Shulud.gen. Thank you.

Best regards, Maxim, Malware Analyst Team Lead
Kaspersky, 39A/3 Leningradskoe Shosse, Moscow, 125212, Russia