
Bitwarden CLI npm package targeted in supply chain attack


"The investigation found no evidence that end user vault data was accessed or at risk, or that production data or production systems were compromised," Bitwarden said in a statement.

Bitwarden confirms a brief npm distribution compromise on April 22, 2026

Bitwarden acknowledged that a malicious @bitwarden/cli package, published as version 2026.4.0, was available on npm between 5:57 PM and 7:30 PM ET on April 22, 2026 (21:57 to 23:30 UTC, a window of roughly 90 minutes). The vendor said the incident affected only its npm distribution channel for the CLI and only those who downloaded that specific release. Bitwarden also said it revoked the compromised access, deprecated the malicious release, and began remediation immediately.

How the payload worked, according to JFrog, Socket, and OX Security

Security researchers at JFrog, Socket, and OX Security mapped a multi-stage JavaScript loader embedded in the compromised package. The package's preinstall script and CLI entry point were modified to run a custom loader, bw_setup.js, which checks whether the Bun runtime is present and downloads it if not. The loader then uses Bun to execute an obfuscated file, bw1.js, which is the credential-stealing payload. Because the hook is a preinstall script, the loader runs during npm install itself, before the CLI is ever invoked.
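A quick host-side triage for this pattern, as an added example (not code from Bitwarden or from the JFrog, Socket or OX Security reports): it checks a package-lock.json for the 2026.4.0 release and inspects the installed package's own package.json and file list for the preinstall hook, bin entry and loader files described above. It assumes npm's lockfile formats (the flat packages map of lockfileVersion 2 and 3, the nested dependencies tree of lockfileVersion 1); the sample lockfile, package.json and file list are constructed, not captured from the real package.

```javascript
// Added triage helper for the compromised @bitwarden/cli release. Not code from Bitwarden,
// JFrog, Socket or OX Security. Assumes npm lockfileVersion 2/3 ("packages" map) or
// lockfileVersion 1 ("dependencies" tree). All sample data below is constructed.

const COMPROMISED_PKG = "@bitwarden/cli";
const COMPROMISED_VERSION = "2026.4.0";
// Loader and payload file names reported by the researchers.
const LOADER_NAMES = ["bw_setup.js", "bw1.js"];

// Return every version of pkgName recorded in a parsed package-lock.json object.
function installedVersions(lock, pkgName) {
  const found = new Set();
  // lockfileVersion 2/3: flat map keyed by install path, nested copies included.
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const top = `node_modules/${pkgName}`;
    if ((path === top || path.endsWith(`/${top}`)) && entry.version) found.add(entry.version);
  }
  // lockfileVersion 1: nested "dependencies" tree.
  const walk = (deps) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      if (name === pkgName && entry.version) found.add(entry.version);
      walk(entry.dependencies);
    }
  };
  walk(lock.dependencies);
  return [...found];
}

// Inspect the installed package's package.json and file list for the loader pattern:
// a lifecycle hook or bin entry pointing at bw_setup.js, or the loader/payload files on disk.
function loaderIndicators(pkgJson, fileList) {
  const hits = [];
  const scripts = pkgJson.scripts || {};
  for (const hook of ["preinstall", "install", "postinstall"]) {
    if (scripts[hook] && LOADER_NAMES.some((n) => scripts[hook].includes(n))) {
      hits.push(`scripts.${hook} -> ${scripts[hook]}`);
    }
  }
  const bins = typeof pkgJson.bin === "string" ? { [pkgJson.name]: pkgJson.bin } : (pkgJson.bin || {});
  for (const [cmd, target] of Object.entries(bins)) {
    if (LOADER_NAMES.some((n) => target.includes(n))) hits.push(`bin.${cmd} -> ${target}`);
  }
  for (const f of fileList) {
    if (LOADER_NAMES.includes(f.split("/").pop())) hits.push(`file: ${f}`);
  }
  return hits;
}

// Combine both signals; either one alone means the host and its credentials are compromised.
function triage(lock, pkgJson, fileList) {
  const versions = installedVersions(lock, COMPROMISED_PKG);
  const hits = loaderIndicators(pkgJson, fileList);
  const badVersion = versions.includes(COMPROMISED_VERSION);
  return {
    compromisedVersionInstalled: badVersion,
    versions,
    loaderIndicators: hits,
    assumeCompromised: badVersion || hits.length > 0,
  };
}

// Constructed sample input (not real captured data), shaped like the reported modification.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "build-tools", version: "1.0.0" },
    "node_modules/@bitwarden/cli": { version: "2026.4.0" },
  },
};
const SAMPLE_PKG_JSON = {
  name: "@bitwarden/cli",
  version: "2026.4.0",
  bin: { bw: "./bw_setup.js" },
  scripts: { preinstall: "node bw_setup.js" },
};
const SAMPLE_FILES = ["package.json", "bw_setup.js", "bw1.js", "build/bw.js"];

console.log(JSON.stringify(triage(SAMPLE_LOCK, SAMPLE_PKG_JSON, SAMPLE_FILES), null, 2));
```

Run it against the real files by reading package-lock.json, node_modules/@bitwarden/cli/package.json and a directory listing with fs; a hit on the version alone is enough, since the loader runs at install time and a later `npm install` of a clean release does not undo credential theft that already happened.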

Once executed, the malware collects a broad set of secrets from infected systems: npm tokens, GitHub authentication tokens, SSH keys, and cloud credentials for AWS, Azure, and Google Cloud. The collected material is encrypted using AES-256-GCM and exfiltrated by creating public GitHub repositories under the victim's account, where the encrypted data is stored. OX Security reported that those repositories include the string "Shai-Hulud: The Third Coming," a hallmark seen in earlier npm supply chain exfiltration campaigns.

The supply chain vector: CI/CD and propagation capabilities

Socket reported that attackers appear to have used a compromised GitHub Action in Bitwarden's CI/CD pipeline to inject the malicious code into the CLI npm package. The payload also included self-propagation features. OX Security and Socket describe functionality that uses stolen npm credentials to identify packages the victim can publish to and inject malicious code into them, along with routines that specifically target CI/CD environments to harvest secrets that enable downstream abuse.
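One concrete check for the "review action configurations" advice that follows from a compromised Action, added here as an example and not drawn from Bitwarden's actual workflows or the researchers' reports: it scans workflow text for uses: references that point at a mutable ref (a tag or branch such as v4 or main) instead of a full 40-hex-character commit SHA, since a mutable ref can be repointed by whoever controls the action repository. The page does not say how the compromised Action was introduced, so this is a general hardening check, not a reconstruction of the Bitwarden incident. The workflow below, the some-org/publish-helper action and the placeholder SHA are constructed.

```javascript
// Added example: flag GitHub Actions `uses:` references not pinned to a full commit SHA.
// Not Bitwarden's tooling; the sample workflow, action names and SHA below are constructed.

const USES_RE = /^\s*-?\s*uses:\s*["']?([^"'\s#]+)["']?/;
const FULL_SHA_RE = /^[0-9a-f]{40}$/;

// Split a `uses:` value into action and ref. Local (./path) and docker:// references
// are not fetched from a third-party repository, so they are reported as non-remote.
function parseUses(value) {
  if (value.startsWith("./")) return { kind: "local", action: value, ref: null };
  if (value.startsWith("docker://")) return { kind: "docker", action: value, ref: null };
  const at = value.lastIndexOf("@");
  if (at < 0) return { kind: "remote", action: value, ref: null };
  return { kind: "remote", action: value.slice(0, at), ref: value.slice(at + 1) };
}

// Line-oriented scan (no YAML parser needed for `uses:` lines). Returns one finding per
// remote action that has no ref or a ref that is not a 40-hex commit SHA.
function auditWorkflow(text, file = "workflow.yml") {
  const findings = [];
  text.split(/\r?\n/).forEach((line, i) => {
    const m = USES_RE.exec(line);
    if (!m) return;
    const u = parseUses(m[1]);
    if (u.kind !== "remote") return;
    if (u.ref === null) {
      findings.push({ file, line: i + 1, action: u.action, ref: null, issue: "no-ref" });
    } else if (!FULL_SHA_RE.test(u.ref)) {
      findings.push({ file, line: i + 1, action: u.action, ref: u.ref, issue: "mutable-ref" });
    }
  });
  return findings;
}

// Constructed sample workflow. The SHA on the setup-node line is a placeholder, not a real commit.
const SAMPLE_WORKFLOW = `name: release
on:
  push:
    tags: ["v*"]
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/build
      - uses: some-org/publish-helper@main
      - run: npm publish --provenance
`;

console.log(JSON.stringify(auditWorkflow(SAMPLE_WORKFLOW, "release.yml"), null, 2));
```

Pinning by SHA stops a tag from being silently moved, but it does not stop a pinned composite action from itself referencing mutable tags, and it does nothing about the token the workflow holds: the publish credential used by a release job should be short-lived and scoped to that package, so that a compromised step cannot reuse it elsewhere.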

Shared indicators with the Checkmarx incident and links to TeamPCP

Researchers noted concrete overlaps between this compromise and a separate supply chain incident disclosed by Checkmarx the day before. Socket said the Bitwarden payload uses the same audit.checkmarx[.]cx/v1/telemetry endpoint that appeared in the Checkmarx breach, employs the same __decodeScrambled obfuscation routine seeded with 0x3039, and contains embedded gzip+base64 components with similar tooling for credential collection and abuse.

Those technical commonalities, together with the malware's GitHub-based exfiltration and supply chain propagation behavior, led analysts to link both campaigns to a threat actor referred to as TeamPCP. The same reporting further notes that TeamPCP previously targeted developer packages in the large Trivy and LiteLLM supply chain attacks.

What affected developers, security teams, and open-source maintainers should do

  • Developers who installed version 2026.4.0 should assume compromise: treat the affected systems and every credential reachable from them as compromised, and rotate all exposed credentials, especially those used for CI/CD pipelines, cloud storage, and developer environments.
  • Security teams should prioritize revoking and rotating tokens and keys that could be reused for package publication, repository access, or cloud and CI/CD control planes, and search affected GitHub accounts for newly created public repositories that may hold encrypted exfiltrated data.
  • Open-source maintainers and organizations that automate releases via GitHub Actions should review the action configurations and the credentials used in their CI/CD pipelines, since Socket reported that a compromised GitHub Action was used to inject the malicious code.
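The exfiltration channel described earlier (public repositories created under the victim's account) and the search for newly created public repositories in the list above can be turned into one check. The following is an added example, not tooling from Bitwarden or the researchers: it takes a list of repository objects in the shape returned by GitHub's REST API (for instance the output of gh api --paginate user/repos) and flags public repositories created at or after the start of the incident window, plus any repository carrying the "Shai-Hulud: The Third Coming" marker in its name or description. That the marker appears in repository metadata is an assumption; the reports say the repositories include the string without saying where. The repository records below are constructed.

```javascript
// Added example: scan a GitHub account's repository list for the exfiltration pattern.
// Not the researchers' tooling. Input shape assumed: GitHub REST repository objects
// (name, private, created_at, description, html_url). Sample records are constructed.

// 5:57 PM ET on April 22, 2026 is 21:57 UTC (EDT is UTC-4).
const WINDOW_START = new Date("2026-04-22T21:57:00Z");
const MARKER = "Shai-Hulud: The Third Coming";

// Return the reasons a single repository is suspect (empty array if none).
function classifyRepo(repo, windowStart = WINDOW_START) {
  const reasons = [];
  // Assumption: the marker string shows up in the repository's name or description.
  const text = `${repo.name || ""} ${repo.description || ""}`;
  if (text.includes(MARKER)) reasons.push("marker");
  // Any public repository created since the incident began deserves a look,
  // because the malware creates public repositories to hold the encrypted loot.
  const created = new Date(repo.created_at);
  if (repo.private === false && !Number.isNaN(created.getTime()) && created >= windowStart) {
    reasons.push("new-public-since-incident");
  }
  return reasons;
}

// Filter and rank: repositories matching more criteria come first.
function findSuspectRepos(repos, windowStart = WINDOW_START) {
  return repos
    .map((r) => ({ name: r.name, url: r.html_url, created_at: r.created_at, reasons: classifyRepo(r, windowStart) }))
    .filter((r) => r.reasons.length > 0)
    .sort((a, b) => b.reasons.length - a.reasons.length || a.name.localeCompare(b.name));
}

// Constructed sample data, not real API output.
const SAMPLE_REPOS = [
  { name: "infra-scripts", private: false, created_at: "2025-11-03T10:00:00Z", description: "Deployment helpers", html_url: "https://github.com/example/infra-scripts" },
  { name: "repo-sample-1", private: false, created_at: "2026-04-22T22:41:12Z", description: "Shai-Hulud: The Third Coming", html_url: "https://github.com/example/repo-sample-1" },
  { name: "notes", private: true, created_at: "2026-04-23T08:00:00Z", description: null, html_url: "https://github.com/example/notes" },
  { name: "scratch", private: false, created_at: "2026-04-23T09:15:00Z", description: "", html_url: "https://github.com/example/scratch" },
];

console.log(JSON.stringify(findSuspectRepos(SAMPLE_REPOS), null, 2));
```

Treat a hit on either criterion as a lead rather than a verdict: a legitimate public repository created in the window is a false positive, and an attacker can change the marker string at will. Run the same scan against every organization the stolen token could reach, not only the personal account.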

The incident illustrates the mechanics of modern supply chain attacks: a short-lived, targeted package push that abuses build tooling and CI/CD automation to harvest credentials and then turns those credentials into a means of lateral spread. Bitwarden's statement narrows the scope to the npm channel and to users of the specific 2026.4.0 release, but the observed behavior (the Bun-based loader, AES-256-GCM encryption, GitHub-repository exfiltration, and reuse of stolen npm credentials) shows how quickly a single compromised release can become an engine for wider abuse.

For further technical details and the original reporting, see the full BleepingComputer article: https://www.bleepingcomputer.com/news/security/bitwarden-cli-npm-package-compromised-to-steal-developer-credentials/