Full Report
The Bitwarden CLI was briefly compromised after attackers uploaded a malicious @bitwarden/cli package to npm containing a credential-stealing payload capable of spreading to other projects. [...]
Analysis Summary
# Incident Report: Bitwarden CLI npm Supply Chain Compromise
## Executive Summary
The Bitwarden CLI npm package (@bitwarden/cli) was compromised via a CI/CD pipeline breach, leading to the distribution of a malicious version (2026.4.0). The malware targeted developers to steal cloud credentials, SSH keys, and authentication tokens, exfiltrating data via public GitHub repositories. Bitwarden successfully removed the package within 90 minutes, and no end-user vault data was compromised.
## Incident Details
- **Discovery Date:** April 22, 2026
- **Incident Date:** April 22, 2026 (5:57 PM – 7:30 PM ET)
- **Affected Organization:** Bitwarden
- **Sector:** Software/Cybersecurity (Password Management)
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** April 22, 2026, 5:57 PM ET
- **Vector:** Compromised GitHub Action in Bitwarden's CI/CD pipeline.
- **Details:** Threat actors (identified as TeamPCP) gained access to the build process to inject a malicious payload into the official npm distribution of the CLI.
### Lateral Movement
- The malware used stolen npm credentials from infected developer machines to identify other packages the victims had write access to, attempting to inject malicious code into those downstream projects.
### Data Exfiltration/Impact
- **Data Stolen:** npm tokens, GitHub auth tokens, SSH keys, and cloud credentials (AWS, Azure, GCP).
- **Mechanism:** Stolen data was encrypted (AES-256-GCM) and posted to newly created public GitHub repositories under the victim's own account.
### Detection & Response
- **Detection:** Identified by security researchers (Socket, JFrog, and OX Security) and Bitwarden internal monitoring.
- **Response:** Bitwarden revoked compromised access, deprecated the malicious npm release, and removed the package by 7:30 PM ET.
## Attack Methodology
- **Initial Access:** CI/CD Pipeline Hijack (Compromised GitHub Action).
- **Persistence:** Implementation of a custom loader `bw_setup.js` and hidden obfuscated script `bw1.js`.
- **Privilege Escalation:** Not explicitly local; focused on acquiring high-privilege cloud/git tokens.
- **Defense Evasion:** Use of Bun runtime for execution; AES-256-GCM encryption of stolen data; `__decodeScrambled` obfuscation routine.
- **Credential Access:** Automated harvesting of `.ssh`, environment variables, and cloud config files.
- **Discovery:** Scanned environment for CI/CD secrets and cloud provider configurations.
- **Lateral Movement:** Supply chain propagation by infecting other npm packages owned by the victim.
- **Collection:** Gathering of secret keys and tokens into localized files before encryption.
- **Exfiltration:** Creating GitHub repositories with the string "Shai-Hulud: The Third Coming" to store encrypted payloads.
- **Impact:** Potential for massive downstream supply chain secondary infections.
## Impact Assessment
- **Financial:** Costs associated with incident response and credential rotation; potential secondary costs for affected downstream users.
- **Data Breach:** Exposure of developer secrets, cloud access keys, and source control tokens.
- **Operational:** Temporary suspension of CLI npm distribution; mandatory credential rotation for affected developers.
- **Reputational:** High-profile supply chain incident targeting a trusted security vendor.
## Indicators of Compromise
- **Network indicators:**
- `audit.checkmarx[.]cx/v1/telemetry`
- **File indicators:**
- `@bitwarden/cli` version 2026.4.0
- `bw_setup.js` (Malicious loader)
- `bw1.js` (Obfuscated payload)
- **Behavioral indicators:**
- Unexpected creation of GitHub repositories named with "Shai-Hulud".
- Unauthorized installation of the Bun runtime on developer machines.
## Response Actions
- **Containment:** Malicious npm package deprecated and removed within 1.5 hours.
- **Eradication:** Revoked compromised CI/CD credentials and GitHub Action access.
- **Recovery:** Released clean versions of the CLI; issued public guidance for developer remediation.
## Lessons Learned
- **Key Takeaways:** CI/CD pipelines are high-value targets; even trusted security tools can be vectors for supply chain attacks.
- **What could have been done better:** Verification/signing of GitHub Actions and stricter pinning of third-party dependencies within the build pipeline.
## Recommendations
- **Rotate Credentials:** All developers who downloaded the package during the 90-minute window must rotate SSH keys, cloud tokens, and npm/GitHub PATs.
- **Implement OIDC:** Use OpenID Connect for GitHub Actions to eliminate long-lived secrets.
- **Monitor Repositories:** Implement automated alerts for the creation of new public repositories in organization/user accounts.
- **Code Signing:** Ensure all distributed packages are signed and verified against a known-good manifest before publication.