Skip to main content
Emerging ThreatsSupply Chain Attacks

Bitwarden CLI Compromised in Checkmarx Supply Chain Attack

Terminal screen on a laptop in a coding workspace displays code on a blurred background.

"The rogue version of the package 'steals GitHub/npm tokens, .ssh, .env, shell history, GitHub Actions and cloud secrets, then exfiltrates the data to private domains and as GitHub commits," JFrog wrote on X.

The affected package: @bitwarden/cli@2026.4.0 and the bw1.js payload

Socket reports that the compromised package is identified as @bitwarden/cli@2026.4.0 and that the malicious code was published in a file named "bw1.js" included in the package contents. According to the same application security company, the malicious version is no longer available for download from npm, but the publication and distribution of that build to downstream users already occurred.

How the actors moved through CI/CD: compromised GitHub Actions workflows

Socket and other researchers describe the intrusion as leveraging a compromised GitHub Action in Bitwarden's CI/CD pipeline. Threat actors abused stolen GitHub tokens to inject a new GitHub Actions workflow that captures secrets available to the workflow run. Those captured credentials in turn were used to publish malicious package versions, creating a direct supply chain route from a project's continuous integration pipeline into npm-distributed software consumed by users and downstream projects.

What JFrog and researchers found in the wild

JFrog's post on X outlined a broad harvesting goal: the rogue package sought GitHub and npm tokens, SSH keys, .env files, shell history, the contents of GitHub Actions environments and cloud secrets, then exfiltrated those artifacts to private domains and even as GitHub commits. Security researcher Adnan Khan said the threat actor used a malicious workflow to publish the tainted Bitwarden CLI and observed, "I believe this is the first time a package using NPM trusted publishing has been compromised."

Attribution and campaign context: Checkmarx campaign and TeamPCP

Socket links the incident to the broader, ongoing Checkmarx supply chain campaign; the compromised GitHub Actions vector is described as consistent with patterns seen across other affected repositories in that campaign. Investigators suspect a threat actor known as TeamPCP is behind the latest attack aimed at Checkmarx. As of this report, TeamPCP’s X account has been suspended for violating the platform’s rules.

What this means for technologists, affected enterprises, and end users

  • Technologists and security teams: expect immediate scrutiny of CI/CD workflow integrity — particularly GitHub Actions — and a focus on whether injected workflows exist that could harvest secrets at runtime. Teams will be watching for unauthorized or recently added workflow files and for unusual npm publishes tied to stolen credentials.
  • Affected enterprises and procurement leaders: the incident underscores a supply chain linkage from source repositories through trusted publishing to downstream consumers. Buyers and maintainers will be concerned about compromised publishing credentials and the potential for otherwise-trusted packages to carry exfiltration code.
  • End users and downstream projects: although the malicious Bitwarden CLI version is reported removed from npm, users who installed the tainted release or whose repositories granted runtime secrets to workflows remain at risk if those credentials were harvested and reused.

The intrusion follows an increasingly familiar pattern: abuse of CI/CD automation to bypass traditional code review and distribution controls, then escalate through credential theft to propagate malicious builds. Adnan Khan’s observation that this may be the first compromise of a package using "NPM trusted publishing" — if confirmed — marks a notable escalation in attackers’ targeting of trust mechanisms themselves.

This is a developing story. Security teams, maintainers of affected repositories, and users of @bitwarden/cli should monitor official communications and incident updates as investigators continue to trace the campaign and any follow-on activity.

Original story