For about 90 minutes on April 22, installing a trusted developer tool could quietly expose a developer’s secrets.
A malicious version of the Bitwarden command-line interface (CLI) briefly appeared on npm, turning a widely used password-management utility into a credential-stealing backdoor. The incident is the latest development in a broader software supply-chain campaign linked to the recent compromise of developer tools from Checkmarx, an AI company focused on agentic application security.
The affected tool belongs to Bitwarden, an open-source password manager used by more than 10 million people to store and manage credentials. Its CLI tool is typically used by developers and system administrators to interact with Bitwarden vaults programmatically inside scripts and CI/CD pipelines.
Researchers from JFrog and Socket say the compromised package — @bitwarden/cli@2026.4.0 — contained hidden malware inside a file called bw1.js.
“The affected package version appears to be @bitwarden/cli@2026.4.0, and the malicious code was published in ‘bw1.js,’ a file included in the package contents,” the application security company said.
“The attack appears to have leveraged a compromised GitHub Action in Bitwarden’s CI/CD pipeline, consistent with the pattern seen across other affected repositories in this campaign.”
In practical terms, the malicious package behaved like a normal dependency. But during installation, a hidden preinstall hook triggered a credential-stealing payload designed to scan the developer’s system.
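The check below is an added example written for this article, not code from Bitwarden, JFrog, Socket or StepSecurity: it scans an npm lockfile for the affected version named above and reports the install-time lifecycle scripts (preinstall/install/postinstall) that npm runs automatically, which is the mechanism the malicious release used. The sample lockfile and package.json are constructed for illustration.

```python
import json

# Affected package and version as reported in the article.
AFFECTED = {"@bitwarden/cli": {"2026.4.0"}}
# Lifecycle scripts npm executes automatically during installation.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

def find_affected(lock: dict, affected=AFFECTED):
    """Return [(path, name, version)] for lockfile entries matching AFFECTED.
    Handles lockfileVersion 2/3 ('packages' map) and v1 ('dependencies' tree)."""
    hits = []
    for path, meta in lock.get("packages", {}).items():
        if not path:  # the empty key is the root project itself
            continue
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        if meta.get("version") in affected.get(name, ()):
            hits.append((path, name, meta["version"]))

    def walk(deps, prefix):  # v1 layout nests dependencies recursively
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            if meta.get("version") in affected.get(name, ()):
                hits.append((path, name, meta["version"]))
            walk(meta.get("dependencies", {}), path + "/")

    if "packages" not in lock:
        walk(lock.get("dependencies", {}), "")
    return hits

def install_hooks(pkg: dict):
    """Return the install-time lifecycle scripts declared in a package.json."""
    scripts = pkg.get("scripts", {})
    return {k: scripts[k] for k in INSTALL_HOOKS if k in scripts}

# Constructed sample lockfile (v3 layout); not real project data.
SAMPLE_LOCK = json.loads("""{
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/@bitwarden/cli": {"version": "2026.4.0"},
    "node_modules/left-pad": {"version": "1.3.0"}
  }
}""")
# Constructed package.json with a preinstall hook, mirroring the pattern described above.
SAMPLE_PKG = {"name": "example", "scripts": {"preinstall": "node bw1.js", "test": "jest"}}

if __name__ == "__main__":
    print(find_affected(SAMPLE_LOCK))
    print(install_hooks(SAMPLE_PKG))
```

Installing with `npm ci --ignore-scripts` stops npm from running any lifecycle hook, so a preinstall payload like this one never executes; the lockfile scan above still tells you whether the affected version was ever pulled in.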
In a post on X, JFrog said the rogue version of the package “steals GitHub/npm tokens, .ssh, .env, shell history, GitHub Actions and cloud secrets, then exfiltrates the data to private domains and as GitHub commits.”
The malware searched for sensitive credentials stored on developer machines, CI environments, and cloud configuration files. It also targeted configuration data for AI coding assistants such as Claude, Cursor, Codex CLI, Kiro, and Aider.
Once collected, the data was encrypted using AES-256-GCM and sent to audit.checkmarx[.]cx, a domain designed to impersonate Checkmarx infrastructure. If that channel failed, the malware used a backup method: pushing stolen data directly to GitHub repositories.
That fallback mechanism significantly increases the risk of exposure, because data committed to GitHub can be found by anyone who searches for it, not only by the attacker.
“A single developer with @bitwarden/cli@2026.4.0 installed can become the entry point for a broader supply chain compromise, with the attacker gaining persistent workflow injection access to every CI/CD pipeline the developer’s token can reach,” StepSecurity said.
According to investigators, attackers gained access through a compromised GitHub account belonging to a Bitwarden engineer. From there, they manipulated the project’s release automation.
“The attacker created a new branch in the bitwarden/clients repository, staged a prebuilt malicious tarball, and rewrote the publish-cli.yml workflow to exchange a GitHub Actions OIDC token for an npm auth token via the npm registry API. The workflow then used that token to publish the staged tarball directly to npm,” StepSecurity explained in a threat intel report.
Bitwarden later confirmed the compromise to Hackernews but said the impact window was limited.
“The Bitwarden security team identified and contained a malicious package that was briefly distributed through the npm delivery path for @bitwarden/cli@2026.4.0 between 5:57 PM and 7:30 PM (ET) on April 22, 2026, in connection with a broader Checkmarx supply chain incident.”
“The investigation found no evidence that end user vault data was accessed or at risk, or that production data or production systems were compromised.”
Only 334 developers downloaded the malicious CLI during that period, according to security researchers. Yet even a small number of compromised developer machines can create ripple effects across repositories and CI pipelines.
Researchers from OX Security also found unusual references embedded in the malware, including the phrase “Shai-Hulud: The Third Coming,” linking the attack to earlier campaigns.
“The latest Shai Hulud incident is just the latest in a long chain of threats targeting developers around the world. User data is being publicly exfiltrated to GitHub, often going undetected because security tools typically don’t flag data being sent there,” Moshe Siman Tov Bustan, Security Research Team Lead at OX Security, said.
“This makes the risk significantly more dangerous: anyone searching GitHub can potentially find and access those credentials. At that point, sensitive data is no longer in the hands of a single threat actor – it’s exposed to anyone.”
Attribution remains unclear, although researchers suspect a connection to the same ecosystem behind the Checkmarx breach.
“The shared tooling strongly suggests a connection to the same malware ecosystem, but the operational signatures differ in ways that complicate attribution,” Socket said. “This suggests either a different operator using shared infrastructure, a splinter group with stronger ideological motivations, or an evolution in the campaign’s public posture.”