Supply Chain Attack on Bitwarden CLI via npm Package Hijacking

On April 22, 2026, the official Bitwarden Command-Line Interface (CLI) npm package, 

@bitwarden/cli
, was subject to a sophisticated supply chain attack, with a malicious version 
2026.4.0
published to the npm registry. This trojanized package, available for approximately 90-93 minutes between 17:57 and 19:30 ET, represented a critical compromise of developer infrastructure, aiming to exfiltrate sensitive credentials and propagate further into the software supply chain.

Incident Overview

The attack involved the publication of a weaponized 

@bitwarden/cli
version 
2026.4.0
to npm, which was quickly identified and deprecated by Bitwarden. The malicious package was not a typosquatting attempt but an unauthorized publication under the legitimate package name, leveraging a compromised GitHub Action within Bitwarden's CI/CD pipeline. This incident is part of a broader, sustained campaign attributed to the threat actor "TeamPCP" (also known as 
@pcpcats
), which has been active since September 2025 and has targeted multiple open-source projects and developer tooling, including Checkmarx KICS and Trivy.

The Bitwarden CLI is a high-value target due to its extensive use in development workflows and CI/CD pipelines for programmatic access to password vaults and the injection of secrets at build or deployment time. A compromise of this tool can expose not just individual user passwords, but potentially the build systems and secrets of every team relying on it.

Attack Vector and Mechanism

Investigation revealed that the attackers exploited a compromised GitHub Action in Bitwarden's CI/CD pipeline. This allowed them to publish the malicious package without the need for traditional credential theft or typosquatting, making the release appear authentic with correct scope and maintainer signals. The attack bypassed npm's OIDC Trusted Publishing safeguards by manually publishing poisoned versions using a stolen npm token, leaving no trace in the official GitHub repository. This method of compromising CI/CD pipelines to inject malicious code into trusted distribution channels represents a significant escalation in supply chain attack sophistication.

Upon installation, the malicious 

@bitwarden/[email protected]
package executed a 
preinstall
hook. This hook did not align with the legitimate package's intended behavior. The root 
package.json
of the malicious version advertised 
2026.4.0
, but embedded application metadata still referenced 
2026.3.0
, indicating that the malicious layer was added on top of an older legitimate release, rather than being part of the normal build process.

The simplified operational flow of the infection was as follows:

  1. A victim installs 
    @bitwarden/cli
    version 
    2026.4.0
    via npm.
  2. npm executes the 
    preinstall
    script, triggering 
    bw_setup.js
    .
  3. The 
    bw_setup.js
    loader downloads the Bun JavaScript runtime from GitHub if not already present.
  4. Bun then executes a large, obfuscated JavaScript payload, identified as 
    bw1.js
    .

The malicious package effectively rewired both the 

preinstall
hook and the legitimate 
bw
binary entrypoint to point to the custom loader, 
bw_setup.js
, ensuring execution of the malicious code. This allowed the attackers to deliver a persistent malware that could operate cross-platform, affecting macOS, Windows, and Linux environments.

Malicious Payload Analysis

The payload, a 9.7 MB obfuscated JavaScript file (

bw1.js
), was designed for comprehensive credential exfiltration and propagation. Its capabilities included:

  • Credential Harvesting: The malware targeted a wide array of sensitive information present on developer machines and in CI/CD environments. This included GitHub and npm tokens, SSH keys, cloud provider credentials for AWS, Azure, and GCP, shell history, 
    .env
    files, and configurations for AI coding tools such as 
    ~/.claude.json
    .
  • Exfiltration: All stolen data was encrypted with AES-256-GCM and exfiltrated to the domain 
    audit.checkmarx[.]cx
    (IP address 94.154.172[.]43), a domain impersonating the legitimate security company Checkmarx. Defenders can leverage tools like Zondex for internet-wide search and exposed services discovery to identify and monitor such malicious infrastructure and command-and-control (C2) domains.
  • Self-Propagation (Worm-like Behavior): A key feature of this payload was its ability to replicate. Upon discovering a valid npm token with publishing permissions (e.g., 
    bypass_2fa
    and 
    package:write
    ), the malware would enumerate all packages the compromised account could publish to. It then downloaded the latest tarball for each package, injected its malicious code (replacing 
    dist.js
    with 
    bw1.js
    , writing an infected 
    setup.mjs
    , and injecting 
    preinstall: node setup.mjs
    into 
    package.json
    ), incremented the patch version, and republished the poisoned package to npm using the stolen authentication token.
  • GitHub Actions Weaponization: The malware further weaponized stolen GitHub tokens to inject malicious workflows into private and public repositories and extract additional CI/CD secrets. This turned a single compromised developer machine into a pivot point for broader supply chain attacks.

The payload's use of the Bun runtime for execution, a fast JavaScript runtime, allowed the attackers to execute the obfuscated code efficiently. The explicit targeting of AI tool configurations highlights an evolving threat landscape where attacker objectives adapt to the tools and environments developers increasingly utilize.

Impact and Targeted Data

The direct impact of installing 

@bitwarden/[email protected]
was the immediate compromise of the host system. Any developer or CI/CD pipeline that pulled this version during the short window of its availability should consider credentials and secrets present on that system as compromised. The broad scope of targeted secrets underscores the potential for severe downstream consequences, from unauthorized access to source code repositories to cloud infrastructure breaches.

Category Specific Data Targeted
Authentication Tokens GitHub tokens, npm tokens, CI publishing tokens, API tokens
SSH Material SSH keys
Cloud Credentials AWS, Azure, GCP credentials
Developer Environment Data Shell history, 
.env
files
AI Tool Configurations 
~/.claude.json
, MCP server configs

Bitwarden's official statement confirmed that there was no evidence of access to end-user vault data or compromise of production systems. However, the focus of the malware was clearly on developer credentials and propagation within the development ecosystem, posing a significant risk to organizations' software supply chains.

Detection and Remediation Strategies

Immediate detection and response are critical for mitigating the damage from such supply chain attacks. Organizations and individual developers who may have installed the compromised Bitwarden CLI version should assume their systems and exposed credentials are at risk.

Detection:

  • Version Check: Verify the installed version of 
    @bitwarden/cli
    . The malicious version is 
    2026.4.0
    . The last known-clean version before the compromise was 
    2026.3.0
    , and a clean 
    2026.4.1
    was re-released subsequently. 
    npm ls @bitwarden/cli
  • File Presence: Check for the presence of malicious files injected by the payload. Specifically, look for 
    bw1.js
    and 
    bw_setup.js
    within the 
    node_modules/@bitwarden/cli/
    directory. 
    find node_modules/@bitwarden/cli/ -name "bw1.js"
find node_modules/@bitwarden/cli/ -name "bw_setup.js"
  • Checksum Verification: Validate the SHA-256 hash of 
    bw1.js
    if found. The known malicious SHA-256 for 
    bw1.js
    is 
    18f784b3bc9a0bcdcb1a8d7f51bc5f54323fc40cbd874119354ab609bef6e4cb
    . 
    shasum -a 256 node_modules/@bitwarden/cli/bw1.js
  • Lockfile Auditing: Inspect 
    package-lock.json
    or 
    yarn.lock
    files for references to 
    @bitwarden/[email protected]
    .
  • CI/CD Logs: Review CI/CD pipeline logs for any 
    npm install
    runs that pulled 
    @bitwarden/[email protected]
    . Any affected pipelines should be treated as fully compromised.
  • Network Traffic Analysis: Monitor network traffic for connections to known malicious C2 domains like 
    audit.checkmarx[.]cx
    (94.154.172[.]43).
  • Software Composition Analysis (SCA): Implement SCA tools to identify known malicious packages or suspicious behaviors within dependencies. Secably offers capabilities for vulnerability scanning and web security testing that can help detect such threats in development pipelines.

Remediation:

  • Uninstall Malicious Version: Immediately uninstall the compromised package. 
    npm uninstall @bitwarden/cli
  • Clear npm Cache: Clear the npm cache to ensure no remnants of the malicious package persist. 
    npm cache clean --force
  • Delete Malicious Files: Manually delete 
    bw1.js
    and 
    bw_setup.js
    from the system if they exist.
  • Downgrade or Reinstall Safe Version: Install a known-safe version, such as 
    2026.3.0
    or the patched 
    2026.4.1
    . 
    npm install -g @bitwarden/[email protected] --ignore-scripts
    The 
    --ignore-scripts
    flag is crucial to prevent execution of any potentially lingering malicious pre/post-install scripts during reinstallation, even if the package itself is deemed clean.
  • Credential Rotation: This is paramount. Rotate all developer and cloud credentials that were present on affected machines or accessible by compromised CI/CD pipelines. This includes GitHub Personal Access Tokens (PATs), npm tokens, CI publishing tokens, SSH keys, and cloud provider API keys.
  • Audit and Harden CI/CD: Conduct a thorough audit of CI/CD pipelines, especially GitHub Actions workflows, to ensure they are configured securely. Review permissions granted to workflows (e.g., avoid 
    pull_request_target
    with elevated privileges), and implement stricter controls on publishing processes.
  • Enhanced Monitoring: Implement continuous monitoring for anomalous package publications, suspicious network activity from build agents, and changes to critical configuration files. Anonymous research and traffic routing through services like GProxy can aid in safely analyzing suspicious network endpoints without exposing organizational infrastructure.

Broader Supply Chain Implications

The Bitwarden CLI incident, alongside other recent attacks attributed to TeamPCP and similar actors, underscores a growing trend in supply chain attacks targeting critical developer tools and ecosystems. These attacks are moving beyond simple typosquatting to sophisticated compromises of official project pipelines and maintainer accounts.

The use of self-propagating worms that leverage stolen credentials to infect additional packages, as seen in the "Shai-Hulud" campaign (CVE-2025-10894), demonstrates attackers' intent to achieve exponential spread. The npm ecosystem, with its vast number of packages and billions of weekly downloads, remains an attractive target, where a single compromised popular package can grant access to thousands of downstream applications. The integration of credential harvesting, worm-like propagation, and cross-platform distribution across npm, Docker Hub, GitHub Actions, and VS Code extensions makes these campaigns particularly formidable.