Socket and other researchers have confirmed that the Bitwarden CLI package published to npm — @bitwarden/cli version 2026.4.0 — was compromised in a supply chain attack that abused a GitHub Action in Bitwarden’s CI/CD pipeline. The malicious release injected a file named bw1.js into the package, exposing tokens, cloud credentials, SSH keys and other sensitive artifacts. While Bitwarden’s Chrome extension, MCP server and other official distribution channels are reported unaffected, the scope of the CLI compromise is significant given Bitwarden CLI’s wide usage across developers and enterprises.
What happened
Socket’s analysis ties this incident to the broader campaign that has been targeting software supply chains via compromised GitHub Actions. In this case, the attackers inserted a malicious payload into the npm CLI package during the build/publish process. The injected payload is modular and multi-stage, designed to harvest a wide range of credentials and to propagate itself by abusing stolen npm and GitHub tokens.
How the attack worked
The bw1.js payload leverages several techniques to maximize access and persistence:
- Memory scraping of Runner.Worker processes to steal GitHub tokens used in CI.
- Harvesting of cloud credentials (AWS from ~/.aws/, Azure via azd, GCP via gcloud).
- Extraction of local developer tokens (npm .npmrc tokens), SSH keys, and configuration files relating to Claude/MCP.
- Exfiltration by creating public GitHub repositories under victim accounts (using a consistent Dune-themed naming convention) and embedding encrypted results and tokens in commits and commit messages.
- Supply chain propagation by using stolen npm tokens to republish packages with preinstall hooks and by injecting workflows into GitHub repositories to capture additional secrets.
- Shell persistence via modifications to ~/.bashrc and ~/.zshrc.
- A locale-based kill switch that silently exits if the system locale begins with “ru”, and a Bun v1.3.13 runtime dependency pulled from GitHub releases.
Researchers note the bw1.js payload shares core infrastructure with previously analyzed artifacts (for example, an identical C2 endpoint and similar obfuscation primitives), suggesting shared tooling or infrastructure with the Checkmarx-linked campaign — though differences in ideological messaging and repository descriptions indicate the possibility of a different operator or a splinter group.
Indicators of Compromise (IOC Summary)
| Indicator | Details |
|---|---|
| Malicious Package | @bitwarden/cli 2026.4.0 |
| Malicious File | bw1.js |
| C2 Endpoint | audit.checkmarx[.]cx/v1/telemetry |
| Lock File | /tmp/tmp.987654321.lock |
| Staging Repo Pattern | {word}-{word}-{3digits} |
Immediate steps for affected organizations
If your environment consumed @bitwarden/cli 2026.4.0, treat the exposure as a full compromise and act quickly:
- Remove the affected package from all developer machines, build nodes, and CI/CD runners.
- Rotate all potentially exposed credentials immediately: GitHub tokens, npm tokens, cloud credentials (AWS/Azure/GCP), SSH keys, service account keys and any CI/CD secrets.
- Audit your GitHub organizations and user accounts for unauthorized repository creation, unexpected .github/workflows files, and repositories matching the observed Dune-themed naming pattern.
- Search build and runner logs for unusual Bun runtime executions, outbound connections to audit.checkmarx[.]cx, and evidence of payload execution.
- Hunt for persistence artifacts such as the /tmp/tmp.987654321.lock lock file and unauthorized changes to shell profiles.
- Revoke and reissue tokens with strict least-privilege scopes and prefer short-lived credentials wherever possible.
Long-term mitigations
- Lock down publish permissions on npm and enforce multi-person review for package publishes.
- Harden GitHub Actions by minimizing runner permissions, using reusable workflows, and applying least-privilege PATs and OIDC where possible.
- Implement ephemeral credentials and short-lived tokens for CI systems; avoid storing long-lived secrets in runners.
- Monitor for anomalous repository creations from internal accounts and establish automated checks for unexpected workflow file changes.
- Scope npm tokens narrowly (publish-only where feasible) and segregate build systems from development environments.
- Maintain a robust incident response playbook that includes supply chain scenarios and the ability to rapidly rotate credentials and rebuild artifacts from trusted sources.
What this means for the ecosystem
This incident highlights the enduring risk of supply chain attacks and the appeal of CI/CD runners and GitHub Actions as attack vectors. Even well-known, widely used packages can be compromised if build and publish workflows are insufficiently protected. The reuse of tooling and infrastructure across campaigns underscores how attackers can scale their operations: once a reliable exfiltration and propagation mechanism is built, it can be applied to multiple targets. Organizations should assume that any package consumed in privileged contexts could be weaponized and take a zero-trust approach to the software supply chain.
Conclusion
The compromise of @bitwarden/cli 2026.4.0 is a serious supply chain incident with real exposure risk to tokens, cloud credentials and developer secrets. Immediate remediation, comprehensive credential rotation, and tighter CI/CD hygiene are essential. The broader lesson is clear: securing build pipelines, restricting publish rights, and minimizing secret exposure in automation are critical defenses against increasingly sophisticated supply chain campaigns.
Licensed under CC BY-ND 4.0 International
Comment and Control: How GitHub Comments Became a New Prompt-Injection Threat
A new class of prompt-injection attacks—dubbed "Comment and Control"—turns GitHub pull requests,…
Introducing the Azure Skills Plugin: Practical Azure Workflows for Coding Agents
The Azure Skills Plugin brings curated Azure expertise and an execution layer…
Cognizant’s TriZetto Subsidiary Reports Data Breach Affecting 3.4 Million Patients
TriZetto Provider Solutions, a healthcare-technology subsidiary of Cognizant, has disclosed a large…
When a Jailbreak Became a Campaign: How Claude AI Was Abused to Build Exploits and Steal Data
In late 2025 a persistent attacker turned a conversational AI into a…