Back

Bitwarden CLI Compromised in Supply Chain Attack via npm

Severity: High (Score: 74.0)

Sources: Gbhackers, research.jfrog.com, Itnews.Au, Csoonline, Securityaffairs.Co

Summary

A malicious version of the Bitwarden CLI password manager was distributed via npm, affecting version 2026.4.0 for a brief window on April 22, 2026. The attack exploited a compromised GitHub Action in Bitwarden's CI/CD pipeline, allowing attackers to inject a credential-stealing payload named bw1.js. This malware targeted sensitive developer credentials, including GitHub tokens, AWS and Azure credentials, and SSH keys. Bitwarden confirmed that no end-user vault data was accessed, and production systems remained secure. The malicious package was available for 93 minutes before being removed, and affected users are advised to uninstall the compromised version and rotate their credentials. This incident is linked to a broader supply chain attack involving Checkmarx, which has been under scrutiny for multiple security breaches. The attack highlights the risks associated with CI/CD environments and the potential for widespread credential theft. Key Points: • The Bitwarden CLI version 2026.4.0 was compromised for 93 minutes on April 22, 2026. • Malware injected via a compromised GitHub Action targeted sensitive developer credentials. • No end-user vault data was compromised, but affected users must rotate their credentials.

Key Entities

  • TeamPCP (apt_group)
  • Malware (attack_type)
  • Supply Chain Attack (attack_type)
  • Trojan (attack_type)
  • Checkmarx Supply Chain Attack (campaign)
  • Checkmarx Supply Chain Campaign (campaign)
  • Keeping Infrastructure As Code Secure (kics) Attack (campaign)
  • LiteLLM Supply Chain Attacks (campaign)
  • Trivy Supply Chain Attacks (campaign)
  • Bitwarden (tool)
  • Bun (tool)
  • Docker (tool)
  • GitHub Actions (tool)
  • Google Cloud (tool)
  • Checkmarx (company)
  • AWS (company)
  • Azure (company)
  • OpenVSX (company)
  • audit.checkmarx.cx (domain)
  • socket.dev (domain)
  • 94.154.172.43 (ipv4)
  • T1003 - OS Credential Dumping (mitre_attack)
  • T1027 - Obfuscated Files Or Information (mitre_attack)
  • T1041 - Exfiltration Over C2 Channel (mitre_attack)
  • T1059.007 - JavaScript (mitre_attack)
  • T1059 - Command and Scripting Interpreter (mitre_attack)
  • Bitwarden CLI (platform)
  • GitHub (platform)
Loading threat details...

Threat Not Found

The threat cluster you're looking for doesn't exist or has been removed.

Return to Feed