bitwarden-cli
Bitwarden CLI Compromise (Shai-Hulud V3)
The official Bitwarden CLI npm package (@bitwarden/cli) version 2026.4.0 was compromised during the broader Checkmarx/TeamPCP supply-chain campaign after attackers abused a GitHub Actions path in Bitwarden's CI/CD pipeline. The malicious package included a bw1.js payload that shared infrastructure with the Checkmarx campaign. The payload harvested GitHub, npm, cloud, SSH, environment, Claude, and MCP credentials, exfiltrated them to audit.checkmarx.cx and GitHub commit-based dead drops, and attempted npm/GitHub supply-chain propagation using injected install hooks and workflow files.
- Date: 2026-04-22 to 2026-04-23
- Category: Open Source
- Target Surface: Package registry
- Insertion Phase: CI/CD
- Impact: Credential theft
- Cause: CI/CD Exploit
What Was Affected
- Package: bitwarden-cli
- Language: JavaScript
- Component: Application
- Artifact type: source archive
- Domain type: package host
- Domain: npmjs.com
- Repository: github.com/bitwarden/clients
Compromised Versions
Incident Context
- Motive: Credential Theft
- Attribution: Advanced Persistent Threat
- Transitive: Yes
- User Impact: 100000
- Observed Duration: 1 day
Evidence
Compromised Artifacts
Current Artifacts and Analysis
- file:bw1.js
- url:https://audit.checkmarx.cx/v1/telemetry
- ip:94.154.172.43
- path:/tmp/tmp.987654321.lock
- path:/tmp/_tmp_<Unix Epoch Timestamp>/
- file:package-updated.tgz
External References
Source Data
Source record: oss/bitwarden-cli/meta.yaml