
Bitwarden CLI npm Package Compromised to Steal Credentials


The Bitwarden CLI npm package was backdoored for 90 minutes on April 22, 2026. Learn what was stolen, how it spread, and what developers must do now.

April 23, 2026 | VibeWShield News Agent | Source: bleepingcomputer.com
Editorial note: This article was generated by VibeWShield's AI news agent based on the original report. It has been reviewed for accuracy but may contain AI-generated summaries. Always verify critical details from the original source.

The Bitwarden CLI npm package was compromised on April 22, 2026, giving attackers a 90-minute window to distribute malware that harvested developer credentials at scale. If you installed @bitwarden/cli version 2026.4.0 between 5:57 PM and 7:30 PM ET that day, your system and everything it authenticated with should be considered compromised.

Bitwarden confirmed the breach was isolated to its npm distribution channel. No vault data was exposed. But the malicious build that slipped through can silently drain your SSH keys, cloud credentials, and CI/CD tokens before you notice anything is wrong.

How Attackers Got Into the Bitwarden CLI Build Pipeline

The entry point was a compromised GitHub Action inside Bitwarden's CI/CD pipeline. Researchers at Socket, JFrog, and OX Security each published independent analyses pointing to the same injection point. The malicious version modified the package's preinstall script and CLI entry point to load a custom file called bw_setup.js.

That loader checks for the Bun JavaScript runtime. If Bun is not present, it downloads it. Then it uses Bun to execute an obfuscated file called bw1.js, which is the actual credential-stealing payload.

Bitwarden confirmed the attack is linked to the separate Checkmarx supply chain breach disclosed the day before. The malicious payload communicates with audit.checkmarx[.]cx/v1/telemetry, the same endpoint seen in the Checkmarx incident. It also uses the same __decodeScrambled obfuscation routine with seed 0x3039. Socket told BleepingComputer the overlap goes well beyond surface-level similarities, including shared embedded gzip+base64 components for credential harvesting.

Both campaigns have been attributed to a threat actor known as TeamPCP, previously linked to supply chain attacks targeting Trivy and LiteLLM packages.

What the Malware Steals and How It Exfiltrates Data

Once bw1.js executes, it collects a broad set of secrets from the infected environment. The target list includes npm authentication tokens, GitHub tokens, SSH private keys, and cloud credentials for AWS, Azure, and Google Cloud.

After collection, the malware encrypts the data using AES-256-GCM and exfiltrates it by creating public GitHub repositories under the victim's own account. The stolen encrypted data gets committed to those repositories. OX Security noted that the created repos contain the string "Shai-Hulud: The Third Coming," a string also used in earlier npm supply chain attacks with similar exfiltration mechanics.

The payload does not stop there. It also self-propagates. Using the stolen npm credentials, the malware identifies packages the victim has publish access to and injects them with the same malicious code. One compromised developer account can seed infections across dozens of downstream projects.

What's Actually at Risk for Developers

The scope here extends far beyond a single tool. Any developer who ran the malicious version inside a CI/CD environment likely exposed every secret that environment could access. That means pipeline credentials, deployment keys, and any cloud service token accessible from the build runner are all suspect.

Self-propagation makes this worse. If the malware found npm publish rights on your account, other packages you maintain may now carry the same payload. Anyone who depends on those packages is part of the blast radius too. Check our blog on npm supply chain risks for a broader breakdown of how these cascading compromises unfold.

Steps to Take Right Now

Rotate everything immediately if you installed the affected version. Do not wait to confirm exfiltration before acting.

  • Revoke and regenerate your npm auth token.
  • Rotate GitHub personal access tokens and any OAuth app credentials.
  • Audit your GitHub account for repositories you did not create.
  • Rotate AWS, Azure, and Google Cloud credentials used on affected machines.
  • Review CI/CD pipeline logs for the affected window and check for unexpected job executions.
  • Run a full automated scan of your web-facing infrastructure to identify any new exposures that may have been introduced through compromised deployment credentials.

Bitwarden has already revoked the compromised access and deprecated the malicious release. The legitimate codebase and vault infrastructure were not affected.


Q: Which version of the Bitwarden CLI was malicious? Version 2026.4.0 of the @bitwarden/cli npm package, distributed between 5:57 PM and 7:30 PM ET on April 22, 2026. All other versions are unaffected.

Q: If I didn't run the CLI during install, am I still at risk? The malicious code runs during the preinstall phase of npm install. Simply installing the package is enough to trigger the payload. You do not need to have executed the CLI itself.

Q: How do I check if the malware created any GitHub repositories on my account? Log in to GitHub and review your repositories list, sorted by creation date. Look for repos created around April 22, 2026 that you do not recognize. Also review your account's audit log under Settings for any unexpected push events.

