Bitwarden CLI Backdoored in Checkmarx Supply Chain Campaign
A malicious version of the widely used Bitwarden command-line interface briefly circulated on the npm registry, capable of silently stealing SSH keys, cloud credentials, and CI/CD secrets — then spreading itself further through victims’ own packages.
The Bitwarden password manager’s command-line tool was compromised on April 22, 2026, when attackers — operating under the banner of a group calling itself “Shai-Hulud” — successfully injected a malicious payload into version 2026.4.0 of the @bitwarden/cli npm package. The rogue release was live for approximately 97 minutes before Bitwarden’s security team detected and contained it, but the damage it could inflict in that window was significant: any developer who installed it potentially handed attackers the keys to their entire cloud and CI/CD infrastructure.
Bitwarden confirmed the incident in a statement on its community forums, emphasizing that no end-user vault data was accessed and that production systems remained intact. The compromise targeted the npm distribution pathway exclusively — the legitimate Bitwarden CLI codebase on GitHub was never altered.
If you installed @bitwarden/cli via npm between 5:57 PM and 7:30 PM ET on April 22, 2026, you should treat your system as compromised. See the remediation steps below.
How the Attack Unfolded
The attack leveraged a compromised GitHub Action — specifically checkmarx/ast-github-action — that had been poisoned as part of a broader, ongoing Checkmarx supply chain campaign. Bitwarden’s CI/CD pipeline depended on this action, and once it was compromised, attackers gained enough access to publish a malicious npm release under Bitwarden’s official package namespace.
- Malicious @bitwarden/cli@2026.4.0 is published to the npm registry via a weaponized GitHub Actions workflow. No corresponding release appears on Bitwarden’s official GitHub repository.
- Bitwarden’s security team detects and contains the incident. Compromised npm access is revoked, the malicious package is deprecated, and remediation begins.
- JFrog, Socket Research Team, Aikido Security, and other firms publish independent analyses of the malicious payload. Bitwarden issues a public statement confirming the incident.
- A CVE for Bitwarden CLI version 2026.4.0 is in the process of being issued. Bitwarden releases the clean version 2026.4.1 and pledges a comprehensive review of its distribution pipeline.
What the Malware Does
Security researchers from multiple firms independently dissected the malicious payload, finding it to be among the most sophisticated npm supply chain attacks observed to date. The malicious code was embedded in a file named bw1.js, executed automatically via a preinstall hook the moment a developer ran npm install.
A single developer with @bitwarden/cli@2026.4.0 installed can become the entry point for a broader supply chain compromise, with the attacker gaining persistent workflow injection access to every CI/CD pipeline the developer’s token can reach.
— StepSecurity Research Team
Upon execution, the malware harvests an extensive range of sensitive data from the infected machine: GitHub and npm tokens, SSH private keys, .env environment files, shell history, GitHub Actions workflow secrets, and cloud provider credentials (AWS, Azure, GCP). All stolen data is encrypted with AES-256-GCM and exfiltrated to audit.checkmarx[.]cx — a domain crafted to impersonate the legitimate Checkmarx security firm.
What makes this payload particularly dangerous is its self-propagating worm behavior. Aikido Security, which dubbed the campaign “Shai-Hulud: The Third Coming,” found that if GitHub tokens are discovered on the system, the malware weaponizes them to inject malicious GitHub Actions workflows into the victim’s own repositories. It then uses harvested npm credentials to push compromised versions of the victim’s own npm packages — silently spreading the infection to anyone who depends on those packages.
- GitHub personal access tokens and Actions workflow secrets
- npm publish credentials and CI/CD tokens
- AWS access keys, Azure Key Vault secrets, GCP Secret Manager credentials
- SSH private keys (~/.ssh)
- Environment variable files (.env, .npmrc, .git-credentials)
- Shell history files (~/.bashrc, ~/.zshrc)
- AI coding tool configurations and API keys
- Crypto wallet keys and related secrets
The Broader Checkmarx Campaign
The Bitwarden incident is not isolated. It is part of a widening campaign linked to the compromise of Checkmarx’s own open-source tooling. Earlier in April 2026, researchers discovered that Docker images and VS Code extensions for Checkmarx KICS — an infrastructure-as-code vulnerability scanner — had been backdoored. The threat actor abused Dependabot and GitHub Actions mechanisms to propagate the attack across repositories that relied on Checkmarx tooling.
Endor Labs confirmed that Bitwarden’s repository was directly exposed: it used checkmarx/ast-github-action, the GitHub Action that was compromised in the initial Checkmarx breach. The campaign’s payload carries ideological branding — references to “Shai-Hulud,” the sandworms of Frank Herbert’s Dune, and a “Butlerian Jihad” manifesto embedded in commit messages. Researchers at Socket note this ideological posture may indicate a splinter group diverging from the original TeamPCP operators behind the broader campaign.
Remediation: What Affected Users Must Do
Only users who installed @bitwarden/cli via npm during the 97-minute window on April 22 are directly affected. However, given the worm’s self-propagating nature and its ability to inject malicious workflows into repositories, anyone who installed the package should treat all credentials accessible from that machine as compromised and act accordingly.
Remove @bitwarden/cli@2026.4.0 from your system immediately.
npm uninstall -g @bitwarden/cli
Ensure no cached traces of the malicious package remain.
npm cache clean --force
JFrog researchers identified two files left behind by the payload. Remove them from your system: bw1.js and bw_setup.js. Also check for the lock file at /tmp/tmp.987654321.lock.
As a precaution during cleanup, prevent future preinstall hooks from executing automatically.
npm config set ignore-scripts true
Assume all secrets accessible on the affected machine were exfiltrated. This includes: GitHub personal access tokens; npm publish tokens and CI/CD credentials; AWS access keys (review SSM and Secrets Manager); Azure Key Vault secrets; GCP Secret Manager credentials; SSH private keys; and any API tokens stored in environment variables or .env files.
Check all repositories accessible by the compromised token for unauthorized workflow files, unexpected branches, or injected Actions steps. Review CI/CD logs for anomalous runs or artifact generation (e.g., format-results.txt). Inspect your npm packages for unauthorized version publishes.
Scan for outbound connections to audit.checkmarx[.]cx. Look for unexpected execution of bun on your system, and check for unauthorized modifications to ~/.bashrc or ~/.zshrc.
Once cleanup is complete and credentials have been rotated, install the official patched release.
npm install -g @bitwarden/cli@2026.4.1
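A host check for the indicators named in the remediation steps above, written as an added example (not code from the article, JFrog, or Bitwarden). It assumes the package layout ROOT/@bitwarden/cli and takes the lock path and home directory as parameters so it can run offline against a test tree.

```shell
#!/bin/sh
# Added example, not from the article or from Bitwarden: an offline check for
# the host indicators the remediation section lists. The install root, lock
# path and home directory are parameters (assumed layout: ROOT/@bitwarden/cli).

BAD_VERSION="2026.4.0"                 # malicious release named in the article
IOC_FILES="bw1.js bw_setup.js"         # leftover files identified by JFrog
IOC_LOCK="/tmp/tmp.987654321.lock"     # lock file named in the article
IOC_DOMAIN="audit.checkmarx.cx"        # exfiltration domain (defanged in the article)

# check_bitwarden_cli_host ROOT [LOCKFILE] [HOMEDIR]
#   ROOT    directory that holds @bitwarden/cli, e.g. "$(npm root -g)"
# Prints one FOUND line per indicator; exit status 0 = nothing found, 1 = findings.
check_bitwarden_cli_host() {
  root="$1"; lock="${2:-$IOC_LOCK}"; home="${3:-$HOME}"; hits=0
  pkg="$root/@bitwarden/cli/package.json"
  if [ -f "$pkg" ]; then
    ver=$(sed -n 's/.*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$pkg" | head -n 1)
    if [ "$ver" = "$BAD_VERSION" ]; then
      echo "FOUND: @bitwarden/cli@$ver installed under $root (malicious release)"
      hits=$((hits + 1))
    fi
    # The payload ran from a preinstall hook; flag any such hook for manual review.
    if grep -q '"preinstall"' "$pkg"; then
      echo "FOUND: preinstall hook declared in $pkg"
      hits=$((hits + 1))
    fi
  fi
  for f in $IOC_FILES; do
    found=$(find "$root" -type f -name "$f" 2>/dev/null | head -n 5)
    if [ -n "$found" ]; then
      echo "FOUND: leftover payload file: $found"
      hits=$((hits + 1))
    fi
  done
  if [ -e "$lock" ]; then
    echo "FOUND: lock file $lock present"
    hits=$((hits + 1))
  fi
  # The article lists ~/.bashrc and ~/.zshrc as files to inspect; look for the domain.
  for rc in "$home/.bashrc" "$home/.zshrc"; do
    if [ -f "$rc" ] && grep -qF "$IOC_DOMAIN" "$rc"; then
      echo "FOUND: $rc references $IOC_DOMAIN"
      hits=$((hits + 1))
    fi
  done
  [ "$hits" -eq 0 ]
}
```

On a live host, run it as check_bitwarden_cli_host "$(npm root -g)" after the uninstall step and again after cleanup. Note that npm config set ignore-scripts true disables lifecycle scripts for every package, so re-enable it once the cleanup is done if other installs on that machine depend on them.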
Bitwarden’s Response
Bitwarden has stated that a comprehensive review of its internal environments, release paths, and related systems found no additional impacted products or environments. A CVE for version 2026.4.0 is being issued, and the company has pledged to implement mitigation measures to prevent similar attacks in the future.
The incident underscores a systemic vulnerability in the modern open-source development ecosystem: any project that depends on a third-party GitHub Action in its CI/CD pipeline inherits that action’s risk surface. A single compromised upstream dependency can cascade into a full credential compromise across an organization’s entire infrastructure.
The investigation found no evidence that end-user vault data was accessed or at risk, or that production data or production systems were compromised.
— Bitwarden Official Statement, April 23, 2026
For organizations that rely on the Bitwarden CLI in developer toolchains or automated pipelines, security teams are advised to treat this as a full credential-exposure incident regardless of whether direct evidence of exfiltration is found. The goal of the Shai-Hulud campaign, as assessed by multiple researchers, is to harvest credentials that enable further supply chain attacks — meaning the downstream impact of a single infected machine may extend far beyond the initial victim.
Additional technical analysis is available from JFrog Security, Socket Research Team, Aikido Security (aikido.dev), Endor Labs, StepSecurity, GitGuardian, and the Bitwarden Community Forums.
