
Bitwarden CLI Hijacked to Steal Your AWS, GitHub, and SSH Secrets

Bitwarden CLI 2026.4.0 was backdoored via a hijacked GitHub Action to steal cloud credentials, SSH keys, and AI tool configs.


If you installed Bitwarden's command-line password manager this month, your developer credentials — including cloud keys, SSH material, and GitHub tokens — may already be in an attacker's hands.

Security researchers at Socket and JFrog have confirmed that @bitwarden/cli version 2026.4.0, published to npm, was backdoored as part of the same sprawling Checkmarx supply chain campaign that previously poisoned official KICS Docker images and VS Code extensions. 

Bitwarden has since confirmed the incident, stating the malicious package was live on npm between 5:57 PM and 7:30 PM ET on April 22, 2026 — a roughly 90-minute window. The company says it found no evidence that end-user vault data was accessed or that production systems were compromised, and a CVE is being issued for the affected version.

The attack vector was a compromised GitHub Action inside Bitwarden's own CI/CD pipeline (the automated system that builds and publishes software), meaning the malicious package carried Bitwarden's legitimate branding and repository metadata without raising obvious red flags.

The tampered package swapped out the legitimate CLI binary entry point for a custom loader, bw_setup.js, which silently runs on installation via a preinstall npm script hook — before most users would notice anything was wrong.

That loader then downloads the Bun JavaScript runtime from GitHub if it isn't already present — a deliberate evasion trick to avoid raising suspicion — before executing a heavily obfuscated payload stored in bw1.js.

Once deobfuscated, the payload reveals one of the most aggressive credential-stealing frameworks seen in an npm supply-chain attack. It runs three collectors in parallel: a filesystem sweep targeting SSH keys, .git-credentials, .npmrc, .env, shell history, AWS credentials, GCP secret stores, and Azure Key Vault material; a shell collector that explicitly runs gh auth token to harvest GitHub CLI credentials and scans the process environment for token patterns; and a GitHub Actions runner collector that harvests CI secrets from automated build environments.

What makes this attack stand out is how it weaponizes stolen GitHub tokens rather than just collecting them. The malware validates tokens, enumerates repositories, creates new branches, commits malicious workflow files, waits for the Actions pipeline to execute, then silently deletes the evidence. 

It also explicitly targets AI coding assistant configuration files, including ~/.claude.json and ~/.kiro/settings/mcp.json — a clear signal that attackers are increasingly interested in environments where AI tools may expose API keys or workflow automation secrets.

Stolen data is encrypted using hybrid AES-256-GCM and RSA encryption before being exfiltrated to audit[.]checkmarx[.]cx — a domain masquerading as legitimate Checkmarx infrastructure. If that path is blocked, the malware falls back to GitHub itself, staging encrypted result blobs inside repositories created under the victim's own account.

If you installed @bitwarden/cli 2026.4.0, act immediately:

  • Run npm uninstall -g @bitwarden/cli and npm cache clean --force
  • Rotate all GitHub PATs, npm tokens, AWS access keys, GCP and Azure secrets present on that machine
  • Audit GitHub Actions workflows and repository artifacts for unauthorized runs or branches
  • Block audit.checkmarx.cx and 94.154.172.43 at your network perimeter
  • Review shell history and any AI tooling configuration files for sensitive data exposure

Users who did not install the package during that specific window are not affected, and Bitwarden confirms vault data integrity was not compromised.
