Bitwarden CLI npm package was supply chain poisoned, stealing keys and uploading them to a public GitHub repository
ME News message. On April 23 (UTC+8), according to Dongcha Beating monitoring, Bitwarden's command-line tool @bitwarden/cli version 2026.4.0 was published with malicious code inserted into it. The attackers compromised a GitHub Action in Bitwarden's CI/CD pipeline and used it to publish a version containing the malicious file bw1.js to npm. The package has over 250,000 monthly downloads, and the affected window was approximately 93 minutes (from 17:57 to 19:30 ET on April 22).
The malicious code stole GitHub and npm tokens, the .ssh directory, the .env file, shell history, GitHub Actions secrets, and cloud service credentials from the host machine. It encrypted the stolen data and uploaded it to a public GitHub repository. OX Security has observed real user data being leaked this way.
Security researcher Adnan Khan pointed out that this may be the first package compromised through npm trusted publishing (the npm mechanism that lets a CI/CD pipeline publish packages directly, without a manually handled token). The attack is part of Checkmarx supply chain attack activities. OX Security found the embedded string "Shai-Hulud: The Third Coming" in the package, indicating a third wave of the Shai-Hulud worm campaign exposed last year.
The attacker is suspected to be TeamPCP, whose X account has been banned. The malicious code does not execute when the host machine's locale is set to Russian.
Bitwarden confirmed the incident and stated that user password vault data was not accessed. The malicious version has been removed from npm, and related CVEs are being published. Affected users are advised to downgrade to version 2026.3.0 and rotate all potentially exposed keys.
(Source: BlockBeats)
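The indicators in the report (version 2026.4.0, the file bw1.js, and the 2026.3.0 rollback target) are enough for a quick "am I affected?" sweep of a developer machine or CI checkout. The Python below is an added example, not part of the BlockBeats report or of Bitwarden's own tooling: it inspects a node_modules tree for the affected release or the named file, and scans a package-lock.json (lockfileVersion 2/3 "packages" map) so a repository can be checked without installing anything. The directory it builds in build_demo_tree() is a constructed fixture with a placeholder in place of the real payload.

```python
"""Check local installs and lockfiles for the compromised @bitwarden/cli release.

Indicators are taken from the report: version 2026.4.0, file bw1.js,
downgrade target 2026.3.0. build_demo_tree() creates a constructed
fixture for demonstration; it contains no real malicious code.
"""
import json
import tempfile
from pathlib import Path

AFFECTED_PACKAGE = "@bitwarden/cli"
AFFECTED_VERSION = "2026.4.0"   # malicious release named in the report
SAFE_VERSION = "2026.3.0"       # downgrade target named in the report
MALICIOUS_FILE = "bw1.js"       # malicious file name named in the report


def inspect_install(node_modules: Path) -> dict:
    """Inspect one node_modules tree (project-local or global) for the bad release."""
    pkg_dir = node_modules / "@bitwarden" / "cli"
    result = {"present": False, "version": None, "affected_version": False,
              "malicious_file": False, "action": "none"}
    manifest = pkg_dir / "package.json"
    if not manifest.is_file():
        return result
    result["present"] = True
    result["version"] = json.loads(manifest.read_text()).get("version")
    result["affected_version"] = result["version"] == AFFECTED_VERSION
    # Look for the named file anywhere under the package: a version check alone
    # misses a copy that was vendored or re-labelled by hand.
    result["malicious_file"] = any(p.name == MALICIOUS_FILE for p in pkg_dir.rglob("*"))
    if result["affected_version"] or result["malicious_file"]:
        result["action"] = f"downgrade to {SAFE_VERSION} and rotate exposed credentials"
    return result


def inspect_lockfile(lock_path: Path) -> list:
    """Return package-lock.json entries that pin @bitwarden/cli to the affected version.

    Uses the lockfileVersion 2/3 'packages' map, whose keys are install paths
    such as 'node_modules/@bitwarden/cli' (nested paths end the same way).
    """
    data = json.loads(lock_path.read_text())
    hits = []
    for path, meta in data.get("packages", {}).items():
        if path.endswith("node_modules/" + AFFECTED_PACKAGE) and meta.get("version") == AFFECTED_VERSION:
            hits.append(path)
    return hits


def build_demo_tree() -> Path:
    """Constructed fixture: a project whose install and lockfile both carry the bad release."""
    root = Path(tempfile.mkdtemp(prefix="bw-check-"))
    pkg_dir = root / "node_modules" / "@bitwarden" / "cli"
    (pkg_dir / "build").mkdir(parents=True)
    (pkg_dir / "package.json").write_text(json.dumps(
        {"name": AFFECTED_PACKAGE, "version": AFFECTED_VERSION}))
    # Placeholder standing in for the file named in the report; not the real payload.
    (pkg_dir / "build" / MALICIOUS_FILE).write_text("// placeholder for demonstration\n")
    (root / "package-lock.json").write_text(json.dumps({
        "name": "demo-app", "lockfileVersion": 3,
        "packages": {
            "": {"name": "demo-app"},
            "node_modules/@bitwarden/cli": {"version": AFFECTED_VERSION},
            "node_modules/example-dep": {"version": "1.0.0"},
        }}))
    return root


if __name__ == "__main__":
    root = build_demo_tree()
    print(inspect_install(root / "node_modules"))
    print(inspect_lockfile(root / "package-lock.json"))
```

On a real machine, point inspect_install at the project's node_modules and at the global prefix (the directory printed by `npm root -g`), and run inspect_lockfile over every package-lock.json in the repositories the affected CI pipelines build from. A hit on either indicator should be treated as credential exposure on that host, not just a bad dependency version, since the report describes the payload reading tokens, SSH material and cloud credentials from the machine it ran on.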