Supply Chain Assault Aims at Bitwarden Password Manager in Checkmarx-Style Incident
- The Bitwarden CLI was targeted in a supply chain attack delivered through npm.
- The compromise was detected and contained within 93 minutes.
- No end-user vault data was compromised.
- The malware shares infrastructure with the earlier Checkmarx incident.
- The attackers sought to harvest developer credentials, including npm and GitHub tokens and AWS keys.
- TeamPCP has claimed responsibility for the wider campaign.
- Affected organisations should rotate credentials promptly.
Bitwarden CLI Targeted in Brief Supply Chain Attack
The Incident Overview
A compromised build of the Bitwarden command-line interface (CLI) was briefly distributed through the npm registry as part of a wider supply chain campaign. The compromise, uncovered by researchers from Socket and JFrog, affected the @bitwarden/cli@2026.4.0 release, which was available for 93 minutes on April 22, 2026 before it was pulled.
Immediate Response and Containment
Bitwarden acknowledged the incident and confirmed that no end-user vault data was compromised. Only the CLI's npm package was affected; other distribution channels were not. A CVE identifier is being assigned to the affected version.
Malware Details and Impact
The malicious payload was introduced through a compromised GitHub Action used in Bitwarden's CI/CD pipeline, which injected it into the published package. The payload, a file named bw1.js, ran automatically when a developer ran npm install, so installing the package was enough to execute it. It shares infrastructure with the earlier Checkmarx attacks and attempts to harvest credentials from the developer's machine, including GitHub tokens and AWS credentials.
Propagation and Persistence
With a stolen npm token, the malware can republish malicious versions of any package that token is authorised to publish, turning each compromised maintainer into a new distribution point. It also establishes persistence by injecting a loader into shell startup files, so that uninstalling the package alone does not remove the infection.
Unique Indicators and TeamPCP’s Role
This attack carried distinctive indicators, including Dune-themed repository names and a kill switch that disables the malware on systems with a Russian locale. TeamPCP has claimed responsibility for the wider campaign, consistent with the group's earlier Checkmarx operation.
Recommended Actions for Affected Organisations
Organisations that installed the affected package should treat it as a credential exposure incident. Immediate steps include uninstalling the package, removing the persistence loader from shell startup files, rotating all credentials that were reachable from the affected machines (npm and GitHub tokens, AWS keys and any other secrets stored there), and reviewing GitHub accounts and repositories for unexpected changes. Rotate only after the loader has been removed; otherwise the replacement credentials can be stolen in turn.
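The triage below is an added example, not tooling from Bitwarden, Socket or JFrog. It checks a package-lock.json for the affected version, lists install-time lifecycle scripts in a package.json (the mechanism by which a payload runs automatically on npm install, assumed here since the article describes the payload running at install time), and greps shell startup files for references to bw1.js, the payload name the article reports. The assumption that a persistence loader references the payload by that name is just that, an assumption, so a clean result means "nothing obvious found", not "clean". The sample lockfile, package.json and startup file are constructed for the demonstration and are not real captures.

```shell
#!/bin/sh
# Added example: triage helper for the @bitwarden/cli@2026.4.0 incident.
# Not Bitwarden's, Socket's or JFrog's code. Assumes a lockfileVersion 2/3
# package-lock.json layout and that any persistence loader names the payload.
AFFECTED_PKG="@bitwarden/cli"
AFFECTED_VER="2026.4.0"
PAYLOAD_NAME="bw1.js"   # payload filename reported in the article

# Exit 0 if the lockfile pins the affected package at the affected version.
# The trailing colon in the key avoids matching nested "node_modules/..." paths.
lock_has_affected() {
  awk -v key="\"node_modules/$AFFECTED_PKG\":" -v ver="\"$AFFECTED_VER\"" '
    index($0, key)          { inblock = 1; next }
    inblock && /"version":/ { if (index($0, ver)) found = 1; inblock = 0 }
    END                     { exit (found ? 0 : 1) }
  ' "$1"
}

# Print install-time lifecycle scripts declared in a package.json. These run
# automatically during npm install, which is the window the article describes.
# Exit 0 if any are present, 1 otherwise.
install_scripts() {
  grep -E '"(preinstall|install|postinstall)"[[:space:]]*:' "$1"
}

# Print numbered lines in the given shell startup files that mention the
# payload name. Exit 0 on any hit, 1 if nothing was found.
scan_startup_files() {
  hit=1
  for f in "$@"; do
    [ -f "$f" ] || continue
    if grep -n -F "$PAYLOAD_NAME" "$f"; then hit=0; fi
  done
  return $hit
}

# Constructed sample files (not real captures) so the checks run offline.
write_samples() {
  dir="$1"
  cat > "$dir/package-lock.json" <<'EOF'
{
  "lockfileVersion": 3,
  "packages": {
    "node_modules/@bitwarden/cli": {
      "version": "2026.4.0"
    }
  }
}
EOF
  cat > "$dir/clean-lock.json" <<'EOF'
{
  "lockfileVersion": 3,
  "packages": {
    "node_modules/@bitwarden/cli": {
      "version": "2026.3.0"
    }
  }
}
EOF
  # Hypothetical package.json illustrating an install-time script hook.
  cat > "$dir/package.json" <<'EOF'
{
  "name": "example-package",
  "version": "1.0.0",
  "scripts": {
    "postinstall": "node bw1.js"
  }
}
EOF
  # Hypothetical startup file with a loader line appended to it.
  cat > "$dir/bashrc" <<'EOF'
export PATH="$HOME/bin:$PATH"
node "$HOME/.cache/bw1.js" >/dev/null 2>&1 &
EOF
}

# Run all three checks over a directory and print a short triage summary.
triage() {
  dir="$1"
  if lock_has_affected "$dir/package-lock.json"; then
    echo "AFFECTED: $AFFECTED_PKG@$AFFECTED_VER pinned in $dir/package-lock.json"
  else
    echo "lockfile does not pin $AFFECTED_PKG@$AFFECTED_VER"
  fi
  echo "install-time scripts in $dir/package.json:"
  install_scripts "$dir/package.json" || echo "  (none)"
  echo "startup-file references to $PAYLOAD_NAME:"
  scan_startup_files "$dir/bashrc" || echo "  (none)"
}

tmp=$(mktemp -d)
write_samples "$tmp"
triage "$tmp"
rm -rf "$tmp"
```

To run it against a real checkout, point triage at the project directory and pass your actual startup files (for example ~/.bashrc, ~/.zshrc and ~/.profile) to scan_startup_files. Setting `npm config set ignore-scripts true` stops lifecycle scripts from running on future installs, which closes the install-time execution window this incident used, but it also disables legitimate scripts such as native-module builds, so expect some packages to need explicit handling.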
Summary
The Bitwarden CLI was briefly compromised in an npm supply chain attack aimed at developer credentials. The incident was contained within 93 minutes and no end-user vault data was affected. Organisations that installed the affected version should treat it as a credential exposure and act promptly.
Frequently asked questions
What was the primary target of the attack?
The attack primarily targeted the Bitwarden CLI distributed through npm.
Was any user data compromised during the attack?
No, Bitwarden confirmed that no end-user vault data was accessed.
How was the malicious payload introduced?
It was introduced via a compromised GitHub Action in Bitwarden’s CI/CD pipeline.
What makes this attack significant?
The malware could spread further through npm using stolen publishing tokens and persisted beyond removal of the package, which makes it a broad threat to developer environments rather than a single bad release.
What measures should affected organisations take?
They should uninstall the affected package, rotate credentials, and review their systems for unanticipated changes.
Who claimed responsibility for the attack?
The threat actor group TeamPCP took responsibility for the wider campaign.
