EXECUTIVE SUMMARY
The attackers behind the Checkmarx supply chain campaign have compromised the Bitwarden CLI, targeting numerous sectors and regions. The affected package version, @bitwarden/cli 2026.4.0, contains a malicious payload in a file named bw1.js, which shares core infrastructure with the Checkmarx mcpAddon.js. The attackers' goal appears to be data theft: the malware exfiltrates sensitive information, including GitHub tokens, cloud credentials, and SSH keys. The compromised package was published through Bitwarden's own CI/CD pipeline, allowing the attackers to maintain control and propagate the malware through downstream supply chains.
The malware infects systems through the compromised GitHub Action in Bitwarden's CI/CD pipeline, consistent with the pattern seen across the other repositories affected by this campaign. Once inside, the malware uses the Bun v1.3.13 interpreter to execute the payload, which carries several indicators not documented in the Checkmarx incident. It persists through shell profile modifications in ~/.bashrc and ~/.zshrc, so the payload is re-run whenever a new shell starts, allowing the attackers to maintain control and execute further actions. The attackers also abuse the GitHub API and the npm registry to exfiltrate stolen information and to republish the compromised package.
The compromise of the Bitwarden CLI is significant for organisations that rely on password management and credential security. The attackers' ability to exfiltrate sensitive information and maintain control through supply chains makes it challenging to detect and recover from the incident. Organisations should immediately remove the affected package from developer systems and build environments, rotate any exposed credentials, and review GitHub for unauthorized repository creation and suspicious workflow files. Additionally, organisations should audit npm for unauthorized publishes and version changes, and monitor for new public repositories or workflow changes created outside normal release processes.
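A triage script for the remediation steps above, added here as an example (it is not from the report or from Bitwarden): it checks an installed package directory for the affected version and the bw1.js file, and flags shell-profile lines that reference bw1.js or invoke bun. It assumes the global install lives under `npm root -g`, and treats a bun reference in a profile as a heuristic that needs manual review, not proof of compromise.

```shell
#!/usr/bin/env bash
# Triage helper for the @bitwarden/cli 2026.4.0 compromise. Assumptions (not
# from the report): the package lives under `npm root -g`, and any profile
# line naming bw1.js or invoking bun is only a heuristic for manual review.
AFFECTED_VERSION="2026.4.0"
PAYLOAD_FILE="bw1.js"

# Exit 0 if the package.json at $1 declares the affected version.
is_affected_version() {
  [ -f "$1" ] || return 1
  ver_re="$(printf '%s' "$AFFECTED_VERSION" | sed 's/\./\\./g')"
  grep -Eq "\"version\"[[:space:]]*:[[:space:]]*\"$ver_re\"" "$1"
}

# Print (with line numbers) lines in profile $1 that mention bw1.js or run bun.
suspicious_profile_lines() {
  [ -f "$1" ] || return 0
  grep -nE "bw1\.js|(^|[^[:alnum:]_])bun([^[:alnum:]_]|$)" "$1" || true
}

# Report findings for one package directory; exit 1 if anything was found.
triage_package_dir() {
  dir="$1"; found=0
  if is_affected_version "$dir/package.json"; then
    echo "AFFECTED: $dir declares @bitwarden/cli $AFFECTED_VERSION"; found=1
  fi
  if [ -n "$(find "$dir" -type f -name "$PAYLOAD_FILE" 2>/dev/null | head -n 1)" ]; then
    echo "PAYLOAD: $PAYLOAD_FILE present under $dir"; found=1
  fi
  return "$found"
}

# Walk the global npm install and the current user's shell profiles.
triage_host() {
  status=0
  pkg_dir="$(npm root -g 2>/dev/null)/@bitwarden/cli"
  if [ -d "$pkg_dir" ]; then triage_package_dir "$pkg_dir" || status=1; fi
  for profile in "$HOME/.bashrc" "$HOME/.zshrc"; do
    hits="$(suspicious_profile_lines "$profile")"
    if [ -n "$hits" ]; then
      echo "REVIEW $profile:"; echo "$hits"; status=1
    fi
  done
  return "$status"
}

# Run the host scan only when invoked with --run, so the functions stay sourceable.
if [ "${1:-}" = "--run" ]; then triage_host; fi
```

Run it as `bash triage.sh --run`; a non-zero exit means at least one finding was printed and the host needs credential rotation and a closer look.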
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Initial Access | T1195 | Supply Chain Compromise | — |
| Execution | T1059.007 | Command and Scripting Interpreter | JavaScript |
| Execution | T1059.006 | Command and Scripting Interpreter | Python |
| Execution | T1204.002 | User Execution | Malicious File |
| Persistence | T1546 | Event Triggered Execution | — |
| Privilege Escalation | T1068 | Exploitation for Privilege Escalation | — |
| Defense Evasion | T1027 | Obfuscated Files or Information | — |
| Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | — |
| Defense Evasion | T1036 | Masquerading | — |
| Credential Access | T1552.001 | Unsecured Credentials | Credentials In Files |
| Credential Access | T1555 | Credentials from Password Stores | — |
| Credential Access | T1552.004 | Unsecured Credentials | Private Keys |
| Discovery | T1083 | File and Directory Discovery | — |
| Collection | T1005 | Data from Local System | — |
| Collection | T1213 | Data from Information Repositories | — |
| Command and Control | T1105 | Ingress Tool Transfer | — |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | — |
| Lateral Movement | T1199 | Trusted Relationship | — |
REFERENCES:
The following reports contain further technical details:
https://socket.dev/blog/bitwarden-cli-compromised
https://securityonline.info/bitwarden-cli-breach-dune-malware-supply-chain/