Bitwarden CLI npm package compromised to steal developer credentials
At a glance:
- Bitwarden CLI npm package version 2026.4.0 was compromised between 5:57 PM and 7:30 PM ET on April 22, 2026.
- Attackers injected credential-stealing malware via a compromised GitHub Action, collecting secrets and exfiltrating data through GitHub repositories.
- Bitwarden revoked access and deprecated the package; users must rotate credentials, especially for CI/CD and cloud services.
The compromised package
A malicious version of the Bitwarden CLI npm package was uploaded to npm, containing a credential-stealing payload capable of spreading to other projects. According to reports from Socket, JFrog, and OX Security, the compromised package was distributed as version 2026.4.0 and remained available for approximately 93 minutes, between 5:57 PM and 7:30 PM ET on April 22, 2026, before being removed. Bitwarden confirmed the breach affected only its npm distribution channel for the CLI package, with no evidence of access to end-user vault data or of a production system compromise.
Bitwarden's response
Bitwarden revoked compromised access immediately upon detection and deprecated the affected CLI npm release. The company emphasized that the breach was isolated to the npm distribution mechanism during the limited window, with no impact on the legitimate Bitwarden CLI codebase or stored vault data. "Once the issue was detected, compromised access was revoked, the malicious npm release was deprecated, and remediation steps were initiated immediately," Bitwarden stated, highlighting the swift containment of the incident.
Technical execution of the attack
Threat actors exploited a compromised GitHub Action in Bitwarden's CI/CD pipeline to inject malicious code into the CLI npm package. According to JFrog, the modified package included a preinstall script and a CLI entry point that both invoke a custom loader named bw_setup.js. The loader checks for the Bun runtime, downloads it if it is absent, and then uses it to launch an obfuscated JavaScript file named bw1.js, which is the credential-stealing malware itself. This malware collects npm tokens, GitHub authentication tokens, SSH keys, and cloud credentials for AWS, Azure, and Google Cloud.
Data exfiltration and propagation
The stolen data is encrypted using AES-256-GCM and exfiltrated by creating public GitHub repositories under the victim's account, where the encrypted data is stored. OX Security noted these repositories contain the string "Shai-Hulud: The Third Coming," a reference to earlier, similar npm supply chain attacks. The malware also has self-propagation capabilities: it uses stolen npm credentials to identify packages the victim can publish to and injects malicious code into them. Socket observed that the payload specifically targets CI/CD environments to harvest reusable secrets for expanding the attack.
Connection to the Checkmarx incident
Bitwarden confirmed the incident was linked to the Checkmarx supply chain attack disclosed the previous day. A compromised Checkmarx-related development tool enabled abuse of the npm delivery path for the CLI during a limited time window. Socket reported overlapping indicators between the two breaches, including the same audit.checkmarx[.]cx/v1/telemetry endpoint, an identical __decodeScrambled obfuscation routine (seed 0x3039), and similar credential theft patterns. Both campaigns have been attributed to the threat actor TeamPCP, previously involved in the Trivy and LiteLLM supply chain attacks.
Developer recommendations
Developers who installed the affected version should treat their systems and credentials as compromised and rotate all exposed credentials, particularly those used for CI/CD pipelines, cloud storage, and developer environments. The self-propagating nature of the malware increases the risk of lateral movement, making immediate credential rotation critical. Organizations should also audit their CI/CD pipelines for unauthorized GitHub Actions and monitor for unusual repository creation activity.
Evolving threat landscape
This incident underscores the growing sophistication of supply chain attacks targeting developer ecosystems. TeamPCP's consistent use of similar exfiltration tactics across Bitwarden, Checkmarx, Trivy, and LiteLLM attacks indicates a repeatable pattern for compromising software distribution channels. Security experts anticipate continued targeting of npm registries and CI/CD systems, emphasizing the need for enhanced package signing, runtime integrity checks, and automated threat detection in developer workflows.
FAQ
Which Bitwarden CLI package version was compromised?
Version 2026.4.0 of the Bitwarden CLI npm package, available on npm for roughly 93 minutes on April 22, 2026, before it was removed and deprecated.
What secrets does the malware collect from compromised systems?
npm tokens, GitHub authentication tokens, SSH keys, and cloud credentials for AWS, Azure, and Google Cloud, with a particular focus on secrets found in CI/CD environments.
What should developers do if they installed the compromised package?
Treat the system and its credentials as compromised, rotate all exposed credentials (especially those for CI/CD pipelines and cloud services), audit CI/CD pipelines for unauthorized GitHub Actions, and watch for unexpected public repository creation under their GitHub accounts.
Prepared by the editorial stack from public data and external sources.