Checkmarx supply chain attack impacts Bitwarden npm distribution path
Summary: The Checkmarx supply chain attack affected Bitwarden's npm distribution path. @bitwarden/cli version 2026.4.0 was implanted with the malicious code bw1.js through a compromised GitHub Action. The code steals GitHub/npm tokens, SSH keys, .env data and other sensitive information and exfiltrates it to a fake Checkmarx domain. Bitwarden has removed the malicious package and fixed the vulnerability.
2026-4-24 09:34:4 Author: securityaffairs.com (view original)


Bitwarden CLI was hit by the Checkmarx supply chain attack. Version 2026.4.0 shipped malicious code in bw1.js via a compromised GitHub Action.

Bitwarden CLI has been compromised as part of the ongoing Checkmarx supply chain campaign, researchers warn. The affected version, @bitwarden/cli 2026.4.0, contained malicious code hidden in the bw1.js file. The breach likely stemmed from a compromised GitHub Action in Bitwarden’s CI/CD pipeline, mirroring tactics seen in other attacks in this campaign.

The compromised @bitwarden/cli@2026.4.0 package introduced a malicious preinstall hook that triggers automatically during npm install, requiring no user interaction. This hook executes bw_setup.js, a cross-platform loader that identifies the victim’s system and downloads the legitimate Bun JavaScript runtime from GitHub to run the next stage.

The second stage, bw1.js, is a 10 MB heavily obfuscated payload that, once decoded, reveals a sophisticated credential harvester and self-propagating supply chain worm. Its behavior closely matches previous Shai-Hulud campaigns, even embedding the string “Shai-Hulud: The Third Coming” for its exfiltration repository. The malware uses Dune-themed naming for stolen data repositories and includes an anti-AI manifesto it attempts to write into shell configuration files.

Attackers used stolen GitHub tokens to add malicious GitHub Actions workflows that capture secrets during runs. They also leveraged stolen npm credentials to publish infected package versions, spreading malware downstream. Researcher Adnan Khan says the Bitwarden CLI was likely released via this workflow, marking a rare compromise of NPM trusted publishing.

The malware steals sensitive data by scanning SSH keys, cloud credentials (AWS, GCP, Azure), npm tokens, Git configs, .env files, and shell history. It also pulls secrets from cloud managers using existing access. Stolen data is sent to a primary fake Checkmarx domain, with GitHub commits used as fallback C2.

JFrog researchers report that the rogue package version steals GitHub and npm tokens, SSH keys, .env data, shell history, CI secrets, and cloud credentials via a preinstall hook. It exfiltrates data to a fake Checkmarx domain and falls back to GitHub commits if needed.

The Checkmarx TeamPCP campaign has now spread to npm! Package @bitwarden/cli (78K weekly downloads) v2026.4.0 steals GitHub/npm tokens, .ssh, .env, shell history, GitHub Actions and cloud secrets, then exfiltrates the data to private domains & as GitHub commits

Payload looks… pic.twitter.com/u9XouFlBBg

— JFrog Security (@JFrogSecurity) April 23, 2026

The malware targets developer tools and AI coding configs, encrypts stolen data with AES-256-GCM, and abuses stolen GitHub tokens to inject malicious workflows and extract CI/CD secrets.

“The malware scans a hardcoded list of high-value credential files on the victim’s machine” reads the report published by Aikido Security. “Beyond local files, the malware also runs collectors for AWS SSM Parameter Store, AWS Secrets Manager, Azure Key Vault, and GCP Secret Manager using ambient cloud credentials. Anyone running this on a cloud-connected developer machine or CI runner loses their entire secrets infrastructure.”

The malware spreads using Shai-Hulud-style tactics. Stolen data is uploaded to a public GitHub repo created with the victim’s account. If the victim lacks org membership, their GitHub token is also exposed in a public commit, letting other infected systems reuse it. For org members, tokens remain hidden inside encrypted exfiltrated data instead.

Aikido released Indicators of Compromise (IOCs) for this campaign.

Bitwarden confirmed the incident was caused by a compromised npm distribution path during the Checkmarx campaign. The malicious @bitwarden/cli@2026.4.0 package was available only briefly on April 22, 2026. The company found no evidence of compromised vault or production data. Access was revoked, the package removed, and fixes applied. Only users who installed it during that window were affected, and a CVE is being issued.

“The Bitwarden security team identified and contained a malicious package that was briefly distributed through the npm delivery path for @bitwarden/cli@2026.4.0 between 5:57 PM and 7:30 PM (ET) on April 22, 2026, in connection with a broader Checkmarx supply chain incident.

The investigation found no evidence that end user vault data was accessed or at risk, or that production data or production systems were compromised. Once the issue was detected, compromised access was revoked, the malicious npm release was deprecated, and remediation steps were initiated immediately.” reads the statement released by Bitwarden. “The issue affected the npm distribution mechanism for the CLI during that limited window, not the integrity of the legitimate Bitwarden CLI codebase or stored vault data.

Users who did not download the package from npm during that window were not affected. Bitwarden has completed a review of internal environments, release paths, and related systems, and no additional impacted products or environments have been identified at this time. A CVE for Bitwarden CLI version 2026.4.0 is being issued in connection with this incident.”


Pierluigi Paganini

(SecurityAffairs – hacking, Bitwarden)




Article source: https://securityaffairs.com/191215/malware/checkmarx-supply-chain-attack-impacts-bitwarden-npm-distribution-path.html