Bitwarden CLI version 2026.4.0 has been compromised as part of the Checkmarx supply chain attack, potentially risking the security of millions of users and numerous enterprises. This breach involved a malicious file, bw1.js, being inserted into the npm package, which is widely used by over 10 million users and more than 50,000 businesses.
Scope of the Attack
The infiltration specifically targeted the npm CLI package, leaving other distribution channels such as Bitwarden’s Chrome extension and MCP server unaffected. Attackers exploited a compromised GitHub Action in Bitwarden’s CI/CD pipeline, a vulnerability similar to those identified in the larger Checkmarx campaign by Socket researchers.
The malicious payload, bw1.js, shares infrastructure with the previously analyzed mcpAddon.js, including a command and control endpoint at audit.checkmarx[.]cx/v1/telemetry, disguised using a decoding function. This highlights the sophisticated nature of the attack.
Attack Methodology
The payload used a multi-stage architecture, targeting credential harvesting from various sources such as GitHub tokens, AWS credentials, Azure tokens, GCP credentials, npm tokens, and SSH keys. Additionally, it created public repositories on GitHub using thematic naming conventions and exfiltrated data through encrypted commits.
Propagation of the supply chain was achieved by stealing npm tokens to modify and republish packages with preinstall hooks. Furthermore, GitHub Actions workflows were injected to capture repository secrets, and shell persistence was maintained through payloads in shell profile files.
Indicators and Recommendations
This attack shows distinct characteristics, suggesting a possible divergence from previous Checkmarx campaigns. Descriptions and debug strings within the payload indicate ideological branding, potentially signaling a new or evolved threat actor.
Organizations that have used the compromised package should consider this a full credential exposure event. Immediate actions include removing the affected package, rotating exposed credentials, auditing GitHub for unauthorized activities, and monitoring for connections to the C2 endpoint.
Long-term measures should focus on reducing token exposure and hardening security configurations for GitHub Actions and other related systems.
Socket’s security team is actively investigating the full extent of the campaign. Until more information is available, any exposure to the compromised package should be treated as a confirmed security incident.
