The command line interface (CLI) of the popular Bitwarden open source password manager is the latest target the ongoing Checkmarx supply chain campaign, with a threat group hijacking a npm package and injecting malicious code designed to steal sensitive data from developer workstations and CLI environments.

Threat researchers from a number of cybersecurity vendors, including Socket, Ox Security, JFrog Security, and StepSecurity detected and identified the compromised Bitwarden CLI version 2026.4.0, with the bad actors targeting it after abused a GitHub Action within Bitwarden’s CI/CD pipeline, according to the Socket Research Team.

The pattern was consistent that seen in other targeted repositories in the Checkmarx campaign, the researchers wrote in a report.

The attack also was another example of the increasing cybersecurity risks to CI/CD architectures as they become more foundational in the software development pipeline and threat actors expand their targeting of them in such supply chain attacks.

A Popular Password Manager

The Bitwarden password manager is used by more than 10 million people and more than 50,000 business, they wrote, adding that it ranks among the top three password managers adopted by enterprises, they wrote, making it an attractive target for TeamPCP.

According to JFrog security researcher Meiter Palas, the package dropped by the attackers keeps the Bitwarden metadata intact but rewires the preinstall and the CLI to a custom loader rather than the legitimate one.

“The loader downloads the bun runtime from GitHub if it is not already present, then launches a large obfuscated JavaScript payload,” Palas wrote in a report. “Once deobfuscated, that payload reveals a broad credential theft operation focused on developer workstations and CI environments: GitHub and npm tokens, SSH material, shell history, AWS [Amazon Web Services], GCP [Google Cloud Platform], and Azure secrets, GitHub Actions secrets, and AI tooling configuration files are all targeted.”

Targeting AI Tools

Sai Likhith, a software engineer with StepSecurity, wrote that the Bitwarden case “is the first npm compromise we have analyzed that explicitly enumerates Claude Code, Cursor, Kiro, Codex CLI, and Aider, treating ~/.claude.json and MCP server configs as first class exfiltration targets alongside cloud and source control secrets.”

Stolen data is encrypted with AES-256-GCM and exfiltrated to audit.checkmarx.cx, a registered domain use to impersonate Checkmarx so that the outbound connection would blend in with security telemetry, making it more difficult for it to be detected, Likhith wrote. If a valid GitHub token was found, the malware weaponized so it would enumerate repositories, steal Actions secrets, and inject malicious workflows into the repositories the token could reach, “turning a single compromised developer machine into a broader supply chain pivot point,” he wrote.

Bitwarden Shuts It Down

Bitwarden acknowledged the malicious package, saying its security team identified and contained it and that it was distributed for a little more than 90 minutes April 22, adding that the attack was in connection with the broader Checkmarx incident.

The company wrote that there was no evidence found to suggest that data in end users’ vaults were accessed or that production or production systems were compromised. Once detected, the compromised access was revoked, the malicious npm released deprecated, and remediation steps put into place.

The ongoing supply chain campaign has been underway for more than a month, with TeamPCP compromising Aqua Security’s Trivy open source security vulnerability scanner and associated GitHub Actions in March and then expanding later in the month to Checkmarx and LiteLLM.

Attribution is Difficult

Socket researchers saw overlaps – such as shared tools – in both the Checkmarx attack and the targeting of Bitwarden, adding that it “strongly suggests connection to the same malware ecosystem.” That said, attribution is complicated by differences in operational signatures. The attack on Checkmarx was claimed by TeamPCP on a particular social media account after it was discovered. In addition, the malware itself tried to blend in with seemingly legitimate connections, they wrote.

“This payload takes a different approach: the ideological branding is embedded directly in the malware, from the Shai-Hulud repository names to the ‘Butlerian Jihad’ manifesto payload to commit messages proclaiming resistance against machines,” Socket researchers wrote. “This suggests either a different operator using shared infrastructure, a splinter group with stronger ideological motivations, or an evolution in the campaign’s public posture.”

Ox Security researchers also highlighted the Shai-Hulud connection, noting that the string “Shai-Hulud: The Third Coming” was embedded in the Bitwarden package, writing that it indicates that “this is likely the next phase of the Shai-Hulud saga.”

The self-propagating worm emerged last year, running through npm repositories in information-stealing supply chain attacks late last year.

“Shai-Hulud is one of many supply chain attacks occurring in 2026, and this trend shows no signs of slowing as threat actors accumulate more credentials and compromise more developers,” the Ox Security researchers wrote. “Large-scale attacks through the NPM and PyPI registries could be avoided if stronger code review and guardrails were added during the package upload process. Failing to do so will only keep the door open for the next supply chain attack.”