On April 23, 2026, researchers at Socket confirmed that the npm package @bitwarden/cli@2026.4.0 was compromised as part of the Checkmarx supply chain campaign. Malicious code injected via a compromised GitHub Action in Bitwarden's CI/CD pipeline steals GitHub, npm, SSH, and cloud credentials (AWS, Azure, GCP) from any environment where the package was installed or executed. Regular Bitwarden vault data is not directly affected — the compromise targets development and automation environments that use the CLI through npm.

If you use Bitwarden through the browser extension, desktop app, or mobile app, your vault data is safe. If you have installed @bitwarden/cli via npm in scripts, CI/CD pipelines, servers, or automation workflows, treat this as a confirmed credential exposure and act immediately using the steps below.

What Happened

The attack is part of a broader campaign attributed to a threat actor identified as TeamPCP, which compromised GitHub Actions across multiple open source repositories in the same period. The entry vector in Bitwarden's case was a compromised GitHub Action in the official build pipeline, which allowed injection of a malicious file named bw1.js into the npm package published as version 2026.4.0.

The payload in bw1.js shares command-and-control infrastructure with the mcpAddon.js malware documented in the same Checkmarx campaign, including the same exfiltration endpoint audit.checkmarx[.]cx/v1/telemetry and the same obfuscation mechanism. The code runs via a Bun interpreter dynamically downloaded from GitHub releases, installs persistence by injecting into ~/.bashrc and ~/.zshrc, creates public repositories on GitHub under the victim's account using Dune-themed names (pattern: {word}-{word}-{3digits}), and commits the stolen credentials, in encrypted form, to those repositories with the marker commit message LongLiveTheResistanceAgainstMachines.

One operationally significant detail: the payload contains a kill switch for Russian locales — it checks Intl.DateTimeFormat().resolvedOptions().locale and the LC_ALL, LC_MESSAGES, LANGUAGE, and LANG environment variables and stops silently if any begin with "ru". This is an operational signature, not a definitive attribution statement.

What Credentials Are Targeted

The payload actively collects the following credential categories from the environment where it runs:

  • GitHub tokens, via memory scraping of the GitHub Actions Runner.Worker process and from environment variables
  • npm tokens and configuration from .npmrc files
  • AWS credentials from ~/.aws/credentials, ~/.aws/config, and environment variables
  • Azure tokens via azd and local configuration files
  • GCP credentials via gcloud config config-helper
  • SSH private keys from ~/.ssh/
  • .env files and general environment variables
  • Claude/MCP configurations

Lateral propagation is also built in: after obtaining an npm token with write permissions, the code attempts to identify other npm packages the victim can publish and reinjects them with malicious preinstall hooks, extending the campaign to other projects in the victim's ecosystem.

What Is Not Affected

The compromise is limited to the CLI's npm package. Bitwarden has confirmed that the Chrome extension, desktop app, mobile app, and MCP server are not affected by this version of the attack. Bitwarden's zero-knowledge architecture means user vaults are encrypted locally with the master password — even a fully compromised Bitwarden server cannot decrypt user data without the master password. If you have never installed @bitwarden/cli via npm, you have no direct risk from this incident.

Remediation Steps If You Installed the Affected Package

If @bitwarden/cli@2026.4.0 was installed on any system — your workstation, a server, a CI/CD runner, or a container — treat all credentials that existed in that environment as exposed and act in the order below.

1. Remove the compromised package immediately

npm uninstall -g @bitwarden/cli
# or, if installed locally in a project:
npm uninstall @bitwarden/cli
npm cache clean --force

2. Check for persistence in shell profiles

grep -n "bw1\|checkmarx\|butlerian\|shai-hulud\|tmp.987654321" ~/.bashrc ~/.zshrc ~/.profile 2>/dev/null

If this returns any results, the payload injected persistence. Open the listed files and manually remove the identified lines, then reload your shell.

3. Check for lock file and temporary artifacts

ls /tmp/tmp.987654321.lock 2>/dev/null && echo "WARNING: lock file present" || echo "OK"
ls /tmp/_tmp_* 2>/dev/null

4. Check GitHub for unauthorized repository activity

Log in to your GitHub account and audit recently created public repositories. Look for names matching the pattern {word}-{word}-{3digits} or any of the documented keywords: atreides, harkonnen, fremen, sandworm, sardaukar, melange, stillsuit, sietch. If you find repositories you did not create, delete them immediately and revoke all tokens under Settings → Developer settings → Personal access tokens.

5. Rotate all exposed credentials

Credentials cannot be "un-exposed" — if they existed in the affected environment, they must be rotated regardless of whether observable exfiltration evidence exists:

  • GitHub: Revoke all Personal Access Tokens, regenerate deploy keys, rotate GitHub Actions secrets across all repositories that ran on the affected environment
  • npm: Revoke tokens from npmjs.com → Account Settings → Access Tokens
  • AWS: Disable and recreate Access Keys from IAM Console; review CloudTrail for unauthorized access
  • Azure: Revoke tokens from Azure Portal → Azure Active Directory → App registrations
  • GCP: Rotate Service Account Keys from Cloud Console → IAM & Admin
  • SSH: If private keys in ~/.ssh/ were exposed, generate new pairs and update public keys on all servers

6. Check for suspicious outbound network connections

# Check logs for connections to the C2 endpoint
grep -r "audit\.checkmarx" /var/log/ 2>/dev/null
grep -r "94\.154\.172\.43" /var/log/ 2>/dev/null
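The checks in steps 2, 3, 4 and 6 can be run as one read-only scan. The script below is an added example written for this page, not Socket's or Bitwarden's tooling. It greps the shell start-up files for the documented markers, looks for the lock file and _tmp_ staging directories, searches the logs for the C2 hostname and IP, and filters a list of repository names against the {word}-{word}-{3digits} pattern and the Dune keywords. Every check takes its base directory as a parameter, so the same functions can be pointed at a mounted disk image; the live scan only runs when invoked with --scan. The repository list is assumed to come from the GitHub CLI (`gh repo list --json name --jq '.[].name'`), which is not part of the original steps. The script detects and reports only; removal (step 1) and rotation (step 5) remain manual.

```shell
#!/bin/sh
# Added example for this page (not Socket's or Bitwarden's tooling): a
# read-only scan for the indicators listed in remediation steps 2, 3, 4 and 6.
# Each check takes its base directory as a parameter so it can be run against
# a mounted disk image as well as the live host. A check returns 1 when it
# found something; nothing on the host is modified.

# Strings the write-up documents in injected shell-profile lines and artifacts.
PROFILE_MARKERS='bw1|checkmarx|butlerian|shai-hulud|tmp\.987654321'
# C2 hostname and IP from the IOC table (dots escaped for grep -E).
C2_MARKERS='audit\.checkmarx|94\.154\.172\.43'
# Dune terms used in the attacker-created staging repositories.
REPO_WORDS='atreides|harkonnen|fremen|sandworm|sardaukar|melange|stillsuit|sietch'

# check_profiles HOME_DIR: step 2, grep the shell start-up files for markers.
check_profiles() {
    hits=0
    for f in "$1/.bashrc" "$1/.zshrc" "$1/.profile"; do
        [ -f "$f" ] || continue
        # /dev/null as a second file makes grep prefix each hit with the filename
        if grep -En "$PROFILE_MARKERS" "$f" /dev/null; then
            hits=$((hits + 1))
        fi
    done
    [ "$hits" -eq 0 ]
}

# check_artifacts TMP_DIR: step 3, lock file and _tmp_<epoch> staging directories.
check_artifacts() {
    hits=0
    if [ -e "$1/tmp.987654321.lock" ]; then
        echo "lock file present: $1/tmp.987654321.lock"
        hits=$((hits + 1))
    fi
    for d in "$1"/_tmp_*; do
        [ -e "$d" ] || continue          # unexpanded glob: nothing there
        echo "staging directory present: $d"
        hits=$((hits + 1))
    done
    [ "$hits" -eq 0 ]
}

# check_logs LOG_DIR: step 6, search logs recursively for the C2 host or IP.
check_logs() {
    if grep -rEn "$C2_MARKERS" "$1" 2>/dev/null; then
        return 1
    fi
    return 0
}

# flag_repos: step 4, read repository names on stdin (one per line, e.g. from
# `gh repo list --json name --jq '.[].name'`, assumed available) and print the
# ones matching {word}-{word}-{3digits} or containing a documented Dune keyword.
# Exit status follows grep: 1 when nothing matched.
flag_repos() {
    grep -Ei "^[a-z]+-[a-z]+-[0-9]{3}\$|($REPO_WORDS)"
}

# scan_host [ROOT]: run the three host checks; ROOT prefixes every path so a
# mounted image (e.g. /mnt/image) can be scanned without booting it.
scan_host() {
    root="${1:-}"
    status=0
    check_profiles "$root$HOME"    || status=1
    check_artifacts "$root/tmp"    || status=1
    check_logs "$root/var/log"     || status=1
    if [ "$status" -eq 0 ]; then
        echo "no documented indicators found"
    else
        echo "INDICATORS FOUND: continue with steps 1 and 5 (remove package, rotate credentials)"
    fi
    return "$status"
}

# Only scan when asked, so the file can be sourced for its individual functions.
if [ "${1:-}" = "--scan" ]; then
    scan_host "${2:-}"
fi
```

Run it as `sh bw-ioc-scan.sh --scan` on the suspect host, or `sh bw-ioc-scan.sh --scan /mnt/image` against a mounted image; a non-zero exit status means at least one indicator was found. A clean result does not prove the package never ran, so the rotation in step 5 still applies to every environment where 2026.4.0 was installed.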

Broader Context: Why CI/CD Pipelines Are the Preferred Target

The Checkmarx campaign that compromised Bitwarden CLI is part of a broader pattern that has accelerated significantly in 2025–2026: attackers no longer target servers or end users directly; instead they attack the junction points of the software supply chain (GitHub Actions, npm registries, Docker images). A single compromised GitHub Action from a popular repository can infect thousands of build environments within hours, before any detection system flags the anomaly.

This is precisely why proper Linux server administration now includes not just OS hardening but also build environment isolation, least-privilege principles for CI/CD tokens, and periodic dependency auditing. A VPS running build pipelines or automation scripts has a fundamentally different attack surface from a static web server — and must be treated accordingly. If you are running multiple workloads on the same host, the ServerSpan managed Linux administration service covers workload isolation through containers and dedicated environments as part of its standard hardening baseline.
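Two of the controls mentioned above, least privilege for CI/CD tokens and periodic auditing of what a pipeline pulls in, can be checked mechanically for GitHub Actions workflows. The script below is an added example written for this page, not part of the serverspan article or of any Bitwarden tooling. It flags `uses:` references pinned to a mutable tag or branch instead of a full 40-character commit SHA (a tag re-resolves to whatever the action's repository currently publishes, so a compromise of that repository reaches every build that runs it) and workflows with no `permissions:` block (leaving GITHUB_TOKEN with the repository's default scopes). It assumes workflows live under .github/workflows and uses only grep and sed; the two sample workflows it writes in --demo mode are constructed, and the 40-hex SHA in the hardened one is a placeholder, not a real commit.

```shell
#!/bin/sh
# Added example for this page (not part of the serverspan article or any
# Bitwarden tooling): a lightweight audit of GitHub Actions workflow files for
# two controls against the entry vector described above: actions pinned to a
# full commit SHA rather than a mutable tag, and an explicit permissions: block.

# unpinned_uses FILE: print `uses:` lines whose ref is not a 40-hex commit SHA.
# Local (./path) and docker:// references are skipped. No output is not an error.
unpinned_uses() {
    grep -En '^[[:space:]-]*uses:' "$1" \
        | grep -Ev 'uses:[[:space:]]*(\./|docker://)' \
        | grep -Ev '@[0-9a-f]{40}([[:space:]]|$)' || true
}

# has_permissions_block FILE: true if the workflow declares permissions anywhere
# (top level or per job).
has_permissions_block() {
    grep -Eq '^[[:space:]]*permissions:' "$1"
}

# audit_workflow FILE: print findings; return 1 if anything needs attention.
audit_workflow() {
    rc=0
    unpinned=$(unpinned_uses "$1")
    if [ -n "$unpinned" ]; then
        echo "$1: actions not pinned to a commit SHA:"
        printf '%s\n' "$unpinned" | sed 's/^/    /'
        rc=1
    fi
    if ! has_permissions_block "$1"; then
        echo "$1: no permissions: block, GITHUB_TOKEN keeps the default scopes"
        rc=1
    fi
    return "$rc"
}

# audit_repo DIR: audit every workflow under DIR/.github/workflows.
audit_repo() {
    rc=0
    for wf in "$1"/.github/workflows/*.yml "$1"/.github/workflows/*.yaml; do
        [ -f "$wf" ] || continue
        audit_workflow "$wf" || rc=1
    done
    return "$rc"
}

# write_samples DIR: two constructed workflows, one with both weaknesses and
# one hardened form. The SHA below is a placeholder, not a real commit; pin to
# the commit of the release you actually reviewed.
write_samples() {
    mkdir -p "$1/.github/workflows"
    cat > "$1/.github/workflows/weak.yml" <<'EOF'
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/local-step
      - run: npm ci
EOF
    cat > "$1/.github/workflows/hardened.yml" <<'EOF'
name: build
on: [push]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # placeholder SHA
      - run: npm ci
EOF
}

case "${1:-}" in
    --demo) d=$(mktemp -d); write_samples "$d"; audit_repo "$d" ;;
    "")     ;;                        # sourced or run without arguments: nothing to do
    *)      audit_repo "$1" ;;        # sh audit-workflows.sh /path/to/checkout
esac
```

`sh audit-workflows.sh --demo` audits the two constructed samples and exits 1 because weak.yml fails both checks; `sh audit-workflows.sh /path/to/checkout` runs the same audit over a real repository. Pinning by SHA does not remove the need to review what the pinned commit does, but it turns a silent upstream change into an explicit dependency update in your own history.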

For operators running self-hosted Bitwarden on their own VPS, the current incident does not affect the self-hosted instance itself — but it underscores the importance of never mixing a credential-store service with a build or automation environment on the same host. A server running self-hosted Bitwarden and npm-based CI/CD pipelines combines two distinct attack surfaces on a single machine. The correct architecture isolates each workload on a separate container or dedicated VPS.

Indicators of Compromise (IOC)

Type                              Value
Malicious npm package             @bitwarden/cli@2026.4.0
Payload file                      bw1.js
C2 exfiltration endpoint          audit.checkmarx[.]cx/v1/telemetry
C2 IP                             94[.]154[.]172[.]43
Lock file                         /tmp/tmp.987654321.lock
Temp directory                    /tmp/_tmp_<Unix Epoch Timestamp>/
GitHub staging commit marker      LongLiveTheResistanceAgainstMachines
Staging repository pattern        {word}-{word}-{3digits} with Dune terminology

Bitwarden's Response

At the time of publication (April 23, 2026), Socket has published its full technical analysis and notified Bitwarden. The investigation is active. Monitor the official Bitwarden status page and the project's security blog for official updates. Package versions before and after 2026.4.0 are not affected by this specific compromise.

Immediate action summary: If you installed @bitwarden/cli@2026.4.0 via npm — on any system — remove the package, check shell profiles for persistence, audit GitHub for unauthorized repositories, and rotate all credentials that existed in that environment. Regular Bitwarden vault data is not affected. The browser extension, desktop app, and mobile app are not affected.

Source & Attribution

This article is based on original data belonging to the serverspan.com blog. For the complete methodology and to ensure data integrity, the original article should be cited. The canonical source is available at: Bitwarden CLI Compromised in Supply Chain Attack - What Happened and What to Do Right Now (April 23, 2026).