Bitwarden’s CLI npm package (@bitwarden/[email protected]) was briefly distributed with a malicious file (bw1.js) that used an npm preinstall hook to steal developer, CI, GitHub and cloud secrets and exfiltrate them to audit.checkmarx[.]cx, with public GitHub repositories as a fallback channel. The compromise is tied to the broader Checkmarx supply chain campaign, likely linked to TeamPCP and the “Shai-Hulud” activity, and Bitwarden says no end-user vault data was accessed during the limited window the package was available. #BitwardenCLI #Checkmarx #TeamPCP #ShaiHulud #audit.checkmarx.cx
Key points
- The malicious package version is @bitwarden/[email protected] and included a trojanized file named “bw1.js”.
- The attack used a preinstall hook to execute a credential stealer that targets local files, CI environments, GitHub tokens, and cloud secrets.
- Stolen data is encrypted with AES-256-GCM and exfiltrated to audit.checkmarx[.]cx and to public GitHub repositories as a fallback.
- Compromised GitHub tokens were weaponized to inject malicious GitHub Actions workflows, enabling persistent CI/CD pipeline access and downstream package publishing.
- Security firms link the incident to the Checkmarx campaign (potentially TeamPCP and “Shai-Hulud”); Bitwarden contained the release quickly and reported no end-user vault access, with a CVE issued for the affected CLI version.
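Because the payload ran from a preinstall hook, a practical first check is to enumerate every installed package that declares an install-time lifecycle script. The script below is an added example, not code from Bitwarden or the linked article; it walks a node_modules tree, reports packages with preinstall/install/postinstall scripts, and builds a constructed fixture (not a real install, and the version string is a placeholder) so it runs offline.

```python
import json
import os
import tempfile

# Lifecycle scripts that npm runs automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def find_install_hooks(node_modules):
    """Walk a node_modules tree and return (name, version, hook, command)
    for every package.json that declares an install-time lifecycle script."""
    findings = []
    for root, _dirs, files in os.walk(node_modules):
        if "package.json" not in files:
            continue
        try:
            with open(os.path.join(root, "package.json"), encoding="utf-8") as fh:
                meta = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip rather than crash
        scripts = meta.get("scripts") or {}
        for hook in INSTALL_HOOKS:
            if hook in scripts:
                findings.append((meta.get("name", root), meta.get("version", "?"),
                                 hook, scripts[hook]))
    return findings


def build_fixture():
    """Constructed sample tree: one benign package and one that declares a
    preinstall hook, mirroring the pattern described in the key points."""
    base = tempfile.mkdtemp()
    node_modules = os.path.join(base, "node_modules")
    packages = {
        "left-pad": {"name": "left-pad", "version": "1.3.0"},
        "@bitwarden/cli": {"name": "@bitwarden/cli",
                           "version": "0.0.0-constructed",  # placeholder, not the real version
                           "scripts": {"preinstall": "node bw1.js"}},
    }
    for path, meta in packages.items():
        pkg_dir = os.path.join(node_modules, *path.split("/"))
        os.makedirs(pkg_dir)
        with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(meta, fh)
    return node_modules


if __name__ == "__main__":
    for name, version, hook, command in find_install_hooks(build_fixture()):
        print(f"{name}@{version}: {hook} -> {command}")
```

Point it at a real project’s node_modules to get a list worth reviewing by hand; an unexpected hook in a package that previously had none is the signal to pin or quarantine before installing.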
Read More: https://thehackernews.com/2026/04/bitwarden-cli-compromised-in-ongoing.html