Bitwarden CLI Supply Chain Compromise

What Happened

The Bitwarden security team identified and contained a malicious package that was briefly distributed through the npm delivery path for @bitwarden/cli@2026.4.0 between 5:57 PM and 7:30 PM ET on April 22, 2026 — a roughly 90-minute window.

Socket researchers discovered the compromise as part of the ongoing Checkmarx supply chain campaign. The malicious code was published in a file named bw1.js, included in the package contents. The attack leveraged a compromised GitHub Action inside Bitwarden’s CI/CD pipeline, consistent with the pattern seen across other affected repositories in this campaign.

Attack Mechanics

The payload runs three collectors in parallel: a filesystem sweep targeting SSH keys, .git-credentials, .npmrc, .env, shell history, AWS credentials, GCP secret stores, and Azure Key Vault material; a shell collector that explicitly runs gh auth token to harvest GitHub CLI credentials and scans the process environment for token patterns; and a GitHub Actions runner collector that harvests CI secrets from automated build environments.

The malware demonstrated worm-like behavior — using stolen GitHub tokens to automatically inject malicious GitHub Actions workflows into accessible repositories, serializing secrets into artifacts for later retrieval. The operation also included mechanisms to republish compromised npm packages, enabling further propagation across the supply chain.

The malicious code executed via a preinstall hook — meaning it ran the moment the package was installed, before any user interaction.

Shai-Hulud Connection

The attack is attributed to the Shai-Hulud worm — described as “The Third Coming” — embedded in the @bitwarden/cli npm package with approximately 250,000 monthly downloads. The worm extracts keys, credentials, and cloud configurations, then uploads them encrypted to public GitHub repositories.

Scale of Exposure

Bitwarden CLI is used by over 10 million users and 50,000+ businesses, making it one of the highest-impact targets in this campaign to date. Only the npm CLI package was affected — Bitwarden’s Chrome extension, MCP server, and other official distribution channels remain uncompromised.

TeamPCP Campaign Link

TeamPCP has chained similar attacks against Trivy, Checkmarx, and LiteLLM since March 2026, targeting developer tools that sit deep in build pipelines. The Bitwarden CLI hit is the highest-profile victim yet, given the tool’s prevalence in CI/CD secrets injection workflows.

First-of-Its-Kind npm Trusted Publishing Compromise

Security researcher Adnan Khan noted this is the first known compromise of a package using npm’s trusted publishing mechanism — a feature specifically designed to eliminate long-lived tokens from the supply chain. That’s a significant escalation: attackers have now bypassed the security control that was supposed to make this attack vector obsolete.

Bitwarden’s Containment & CVE

Bitwarden confirmed no end-user vault data was accessed and no production systems were compromised. Compromised access was revoked and the malicious npm release was pulled. A CVE is being issued for Bitwarden CLI version 2026.4.0 in connection with this incident.

Remediation

Socket recommends that anyone who installed @bitwarden/cli version 2026.4.0 rotate every exposed secret immediately. Users should downgrade to version 2026.3.0 or switch to official signed binaries from Bitwarden’s website.

Specific rotation priority:

  • GitHub tokens and npm tokens
  • SSH keys
  • AWS, GCP, Azure credentials
  • .env variables
  • Shell history review for credential exposure

TheCyberThrone Angle

This is the apex event in the Checkmarx/TeamPCP campaign arc — a password manager’s own CLI weaponized against the developers who trust it most. The worm-propagation mechanism (stealing tokens → injecting malicious GitHub Actions → republishing packages) makes this self-amplifying. The npm trusted publishing bypass is the technical headline that sets this apart from prior campaign entries.
