@bitwarden/cli – GitGuardian Views on helloworm00
2026-04-23 18:25:07 Author: securityboulevard.com

The post @bitwarden/cli – GitGuardian Views on helloworm00 appeared first on GitGuardian Blog – Take Control of Your Secrets Security.


Around 5:00 p.m. CET, we were alerted to the compromise of the Bitwarden/CLI package via https://opensourcemalware.com/npm/@bitwarden/cli

The Jfrog analyses at https://research.jfrog.com/post/bitwarden-cli-hijack/ explain that the data exfiltration is primarily directed to audit[.]checkmarx[.]cx. If an infected machine cannot reach it, the malware falls back to GitHub itself: it retrieves staged PATs from public commit messages marked with LongLiveTheResistanceAgainstMachines, discovers alternate exfiltration domains via signed beautifulcastle commit messages, then creates a repository under the victim's own GitHub account and uploads encrypted credential blobs there.

Based on these findings, we searched for traces in GitHub repositories available to us. Here's what we found.

Two beautifulcastle commits were found, pointing to the repositories helloworm00/hello-world and helloworm00/my-first-repo:

  • April 20, 2026, 20:41:43 UTC
  • April 21, 2026, 17:53:49

The second repository contains a new exfiltration domain: safely-irc-weblogs-few[.]trycloudflare[.]com

This exfiltration domain is valid. The corresponding signature can be verified with the RSA public key included in the obfuscated payload.

Four commits carrying GitHub tokens were found; all of the tokens are invalid as of this writing.

  • April 21, 2026, 22:52:50 UTC
  • April 22, 2026, 15:48:27 UTC (two commits at same timestamp)
  • April 23, 2026, 15:28:47 UTC

One commit contains a JSON document with the keys envelope, key, and token; the GitHub token it carries is not valid.
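The two findings above describe the triage a responder has to do on commits like these: a candidate exfiltration domain is only worth blocking once its signature checks out against the RSA public key recovered from the payload, and a token-staging commit is worth surfacing for revocation without copying the secret around. The following Go program is an added example written for this page, not GitGuardian's or JFrog's tooling. It assumes a commit-message layout of `beautifulcastle <domain> <base64 signature>` with PKCS#1 v1.5 over SHA-256, and a JSON object with the reported envelope/key/token keys following the LongLiveTheResistanceAgainstMachines marker; the page confirms only the marker words, the RSA key, and the three key names. The fixture key pair is generated locally and stands in for the attacker's key, whose private half defenders do not have.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"strings"
)

// Marker strings as the page describes them.
const (
	domainPrefix = "beautifulcastle"
	tokenMarker  = "LongLiveTheResistanceAgainstMachines"
)

// Finding is the triage verdict for one commit message.
type Finding struct {
	Kind   string // "exfil-domain", "forged-domain", "staged-token" or "unrelated"
	Domain string // domain named in a beautifulcastle message; trusted only when Kind is "exfil-domain"
	Token  string // redacted prefix of a staged token, for correlation with revocation logs
}

// stagedEnvelope mirrors the three JSON keys the page reports in one commit.
type stagedEnvelope struct {
	Envelope string `json:"envelope"`
	Key      string `json:"key"`
	Token    string `json:"token"`
}

// VerifyDomainMessage checks a message in the ASSUMED layout
// "beautifulcastle <domain> <base64 RSA signature>" against the public key from the
// payload. PKCS#1 v1.5 over SHA-256 is also assumed; the page says only that the signature verifies.
func VerifyDomainMessage(pub *rsa.PublicKey, msg string) (domain string, ok bool) {
	fields := strings.Fields(msg)
	if len(fields) != 3 || fields[0] != domainPrefix {
		return "", false
	}
	sig, err := base64.StdEncoding.DecodeString(fields[2])
	if err != nil {
		return fields[1], false
	}
	digest := sha256.Sum256([]byte(fields[1]))
	// A failed check means the domain is named but not authenticated by the key.
	return fields[1], rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// redact keeps a short prefix for correlating with revocation logs, never the whole secret.
func redact(tok string) string {
	if len(tok) <= 8 {
		return "****"
	}
	return tok[:8] + "..."
}

// ClassifyCommitMessage triages one commit message: authenticate a candidate
// exfiltration domain before acting on it, and surface staged tokens for revocation.
func ClassifyCommitMessage(pub *rsa.PublicKey, msg string) Finding {
	if strings.HasPrefix(msg, domainPrefix) {
		domain, ok := VerifyDomainMessage(pub, msg)
		if ok {
			return Finding{Kind: "exfil-domain", Domain: domain}
		}
		return Finding{Kind: "forged-domain", Domain: domain}
	}
	if strings.Contains(msg, tokenMarker) {
		f := Finding{Kind: "staged-token"}
		if start := strings.Index(msg, "{"); start >= 0 {
			var env stagedEnvelope // a Decoder tolerates trailing text after the object
			if json.NewDecoder(strings.NewReader(msg[start:])).Decode(&env) == nil && env.Token != "" {
				f.Token = redact(env.Token)
			}
		}
		return f
	}
	return Finding{Kind: "unrelated"}
}

// NewFixtureKey makes a throwaway key pair standing in for the attacker's key,
// whose private half defenders do not have; it exists only to build test input.
func NewFixtureKey() *rsa.PrivateKey {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return key
}

// SignDomainFixture builds a message in the assumed layout so the verifier can be exercised.
func SignDomainFixture(priv *rsa.PrivateKey, domain string) string {
	digest := sha256.Sum256([]byte(domain))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		panic(err)
	}
	return domainPrefix + " " + domain + " " + base64.StdEncoding.EncodeToString(sig)
}
```

Run `ClassifyCommitMessage` over the commit messages collected from a search like the one described above; only "exfil-domain" verdicts go to the blocklist, "forged-domain" verdicts are noise or decoys, and "staged-token" verdicts feed the revocation queue with a prefix that is enough to match against audit logs.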

One confirmed victim environment shows the attack began with the Checkmarx KICS Docker image compromise on April 22, 2026. Dependabot pulled the trojanized checkmarx/kics:latest tag during an automated dependency update, executing the payload in CI with access to repository secrets.

This confirms the cross-campaign pivot that TeamPCP has used throughout this wave: compromise a trusted CI tool, harvest runner credentials, use those credentials to propagate further. The Dependabot vector is particularly dangerous because it runs automatically, often with elevated permissions, and is rarely subject to the same scrutiny as developer-triggered workflow runs. GitGuardian recommends applying a cooldown to dependency updates.
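The KICS vector worked because the pipeline pulled `checkmarx/kics:latest`, a mutable tag that can be repointed at a trojanized image at any time. A cooldown slows the blast radius of such a retag; pinning CI images to a digest removes it. The Go program below is an added example, not GitGuardian's or Checkmarx's code: it scans Dockerfile and GitHub Actions text for image references and reports every one that is not pinned to a digest, distinguishing `:latest` (or no tag) from named-but-still-mutable tags. The sample lines and the all-zero digest are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Image references as they appear in Dockerfiles ("FROM ..."), GitHub Actions
// jobs ("image: ...") and docker:// action references.
var (
	fromLine   = regexp.MustCompile(`^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)`)
	asStage    = regexp.MustCompile(`(?i)\s+AS\s+(\S+)\s*$`)
	imageField = regexp.MustCompile(`^\s*(?:-\s*)?image:\s*["']?([^"'\s]+)`)
	dockerUses = regexp.MustCompile(`docker://(\S+)`)
	digestRef  = regexp.MustCompile(`@sha256:[0-9a-f]{64}$`)
)

// Risk says how an image reference is pinned.
type Risk string

const (
	Pinned        Risk = "pinned"         // immutable digest: the bytes cannot change underneath you
	MutableTag    Risk = "mutable-tag"    // named tag: can be repointed at a trojanized image
	MutableLatest Risk = "mutable-latest" // ":latest" or no tag: every pull takes whatever is current
)

// ImageRefRisk classifies one reference. The tag is split off the last path
// component so registry hosts with ports (registry.example:5000/tool) are not mistaken for tags.
func ImageRefRisk(ref string) Risk {
	if digestRef.MatchString(ref) {
		return Pinned
	}
	last := ref[strings.LastIndex(ref, "/")+1:]
	if i := strings.LastIndex(last, ":"); i >= 0 && last[i+1:] != "latest" {
		return MutableTag
	}
	return MutableLatest
}

// Issue is one image reference that is not pinned to a digest.
type Issue struct {
	Line int
	Ref  string
	Risk Risk
}

// AuditImageRefs scans Dockerfile or workflow text and reports every reference
// not pinned to a digest. Build-stage names and "scratch" are skipped because
// they name nothing pulled from a registry.
func AuditImageRefs(text string) []Issue {
	stages := map[string]bool{"scratch": true}
	var issues []Issue
	for n, line := range strings.Split(text, "\n") {
		var ref string
		if m := fromLine.FindStringSubmatch(line); m != nil {
			ref = m[1]
			if s := asStage.FindStringSubmatch(line); s != nil {
				stages[s[1]] = true
			}
		} else if m := imageField.FindStringSubmatch(line); m != nil {
			ref = m[1]
		} else if m := dockerUses.FindStringSubmatch(line); m != nil {
			ref = m[1]
		}
		if ref == "" || stages[ref] {
			continue
		}
		if r := ImageRefRisk(ref); r != Pinned {
			issues = append(issues, Issue{Line: n + 1, Ref: ref, Risk: r})
		}
	}
	return issues
}

// sampleConfig is a constructed mix of Dockerfile and workflow lines, not a real
// pipeline; the all-zero digest is a placeholder.
const sampleConfig = `# constructed sample
FROM golang:1.22 AS builder
FROM builder AS test
FROM scratch
jobs:
  scan:
    container:
      image: checkmarx/kics:latest
    steps:
      - uses: docker://example/tool:1.2.3
      - uses: docker://example/tool:1.2.3@sha256:0000000000000000000000000000000000000000000000000000000000000000
`

func main() {
	for _, is := range AuditImageRefs(sampleConfig) {
		fmt.Printf("line %d: %s (%s)\n", is.Line, is.Ref, is.Risk)
	}
}
```

Run against the sample, the audit flags `golang:1.22` and `example/tool:1.2.3` as mutable tags and `checkmarx/kics:latest` as the worst case, while the digest-pinned reference passes. With images pinned this way, a Dependabot update becomes a reviewable diff of the digest rather than a silent pull, and the cooldown GitGuardian recommends (Dependabot's `cooldown` block with `default-days` in dependabot.yml) buys time for a compromise like this one to become public before the new digest is merged.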

*** This is a Security Bloggers Network syndicated blog from GitGuardian Blog - Take Control of Your Secrets Security authored by Guillaume Valadon. Read the original post at: https://blog.gitguardian.com/bitwarden-cli-gitguardian-views-on-helloworm00/


Source: https://securityboulevard.com/2026/04/bitwarden-cli-gitguardian-views-on-helloworm00/