Bitwarden CLI Compromised in Ongoing Checkmarx Supply Chain Campaign
Summary
The Bitwarden CLI package @bitwarden/cli@2026.4.0 was compromised as part of the Checkmarx supply chain campaign, leading to the distribution of a malicious npm package. The attack leveraged a compromised GitHub Action to inject credential-stealing code into the Bitwarden CI/CD pipeline, targeting developer environments and CI/CD secrets.
Key Points
- Affected Version: @bitwarden/cli@2026.4.0 (malicious code located in bw1.js).
- Attack Vector: Compromise of the checkmarx/ast-github-action used in Bitwarden's GitHub Actions pipeline.
- Execution Method: The malware is triggered via an npm preinstall hook.
- Capabilities: The payload acts as a multi-cloud credential harvester, targeting GitHub/npm tokens, .ssh keys, .env files, shell history, and cloud secrets.
- AI Tool Targeting: Specifically targets configurations for AI coding assistants, including Claude, Kiro, Cursor, Codex CLI, and Aider.
- Exfiltration Mechanism: Data is encrypted with AES-256-GCM and sent to audit.checkmarx[.]cx, with GitHub commits used as a fallback C2 channel.
- Self-Propagation: Includes a self-propagating npm worm designed to re-infect any packages that the victim's stolen tokens have permission to publish.
- Remediation Version: @bitwarden/cli@2026.4.1 (a re-release of version 2026.3.0).
Technical Details
The compromise occurred during a specific window on April 22, 2026, between 5:57 PM and 7:30 PM (ET). The malicious payload is engineered to extract credentials from the environments where developers and pipelines operate. If the malware successfully harvests GitHub tokens, it attempts to weaponize them by injecting malicious GitHub Actions workflows into reachable repositories, allowing for persistent extraction of CI/CD secrets.
The malware's exfiltration architecture uses authenticated encryption (AES-256-GCM) to protect stolen data in transit to the impersonated Checkmarx domain. To evade detection, the threat actor also uses a "dead-drop" C2 method, exfiltrating data to public GitHub repositories created under victim accounts and named with a Dune-themed convention (format: <word>-<word>-<3 digits>). The payload also features a persistence module that modifies shell RC (startup) files and includes logic to terminate execution if the system locale is identified as Russian.
Impact / Why It Matters
A single developer installing the compromised package can serve as an entry point for a broader supply chain attack, potentially granting attackers persistent access to every CI/CD pipeline reachable by the developer's stolen tokens. All developers who installed version 2026.4.0 must rotate all exposed secrets, review GitHub activity for unauthorized workflow changes, and ensure they have upgraded to version 2026.4.1.
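As an added triage example (not code from Bitwarden, Checkmarx or this advisory), the following Python helpers check a parsed package-lock.json for the affected version, flag a package.json preinstall hook that runs bw1.js, and match repository names against the dead-drop naming convention described above; the sample lockfile and the repository name are constructed.

```python
"""Triage helpers for the @bitwarden/cli 2026.4.0 compromise (added example, not Bitwarden's code)."""
import json
import re

# Indicators as stated in the advisory above.
AFFECTED_PACKAGE = "@bitwarden/cli"
AFFECTED_VERSION = "2026.4.0"
PAYLOAD_FILE = "bw1.js"
# Dead-drop repository naming convention described above: <word>-<word>-<3 digits>.
DEAD_DROP_RE = re.compile(r"^[a-z]+-[a-z]+-\d{3}$", re.IGNORECASE)


def affected_lock_entries(lock):
    """Return node_modules paths in a parsed package-lock.json that pin the affected
    version. Handles lockfileVersion 2/3 ("packages") and the older v1 ("dependencies")."""
    hits = []
    for path, meta in lock.get("packages", {}).items():
        if path.endswith("node_modules/" + AFFECTED_PACKAGE) and meta.get("version") == AFFECTED_VERSION:
            hits.append(path)

    def walk_v1(deps, prefix):  # v1 nests transitive deps under each entry
        for name, meta in deps.items():
            path = prefix + "node_modules/" + name
            if name == AFFECTED_PACKAGE and meta.get("version") == AFFECTED_VERSION:
                hits.append(path)
            walk_v1(meta.get("dependencies", {}), path + "/")

    walk_v1(lock.get("dependencies", {}), "")
    return hits


def suspicious_preinstall(pkg):
    """True if a parsed package.json declares a preinstall hook that runs the payload file."""
    return PAYLOAD_FILE in pkg.get("scripts", {}).get("preinstall", "")


def is_dead_drop_name(repo_name):
    """Flag repository names that match the dead-drop convention for manual review."""
    return DEAD_DROP_RE.match(repo_name) is not None


# Constructed sample lockfile (lockfileVersion 3), not a real capture.
SAMPLE_LOCK = json.loads('{"lockfileVersion": 3, "packages": {'
                         '"": {"name": "demo"}, '
                         '"node_modules/@bitwarden/cli": {"version": "2026.4.0"}, '
                         '"node_modules/left-pad": {"version": "1.3.0"}}}')

if __name__ == "__main__":
    print(affected_lock_entries(SAMPLE_LOCK))      # ['node_modules/@bitwarden/cli']
    print(is_dead_drop_name("arrakis-spice-042"))   # True (constructed name)
```

A hit from affected_lock_entries or suspicious_preinstall means the secrets reachable from that machine or pipeline should be treated as exposed and rotated as described above.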