PROBABLYPWNED
Malware | April 25, 2026 | 4 min read

Bitwarden CLI Compromised in Shai-Hulud Supply Chain Attack

A malicious npm package hijacked Bitwarden CLI's publishing pipeline on April 22, harvesting credentials from 334 developers. Here's what happened.

James Rivera

Bitwarden's command-line interface was briefly compromised on April 22, 2026, when attackers hijacked the password manager's CI/CD pipeline to push a malicious npm package. The tainted release, @bitwarden/cli@2026.4.0, was available for 93 minutes before Bitwarden detected and contained the incident.

The attack is linked to the ongoing Checkmarx supply chain campaign, with malware signatures matching the "Shai-Hulud" operation that previously targeted developer infrastructure in late 2025.

What Happened

Between 5:57 PM and 7:30 PM ET on April 22, an attacker exploited a compromised GitHub Action in Bitwarden's CI/CD pipeline. The malicious workflow came through the checkmarx/ast-github-action artifact, which had itself been backdoored as part of the broader Checkmarx campaign.

Once inside the pipeline, the attacker gained access to publishing credentials and pushed version 2026.4.0 to npm. The package contained a malicious preinstall hook in bw1.js that executed immediately when developers installed the CLI. This attack mirrors techniques we've seen in previous malware campaigns targeting developer infrastructure.

Malware Capabilities

The payload was significantly more sophisticated than typical npm malware. According to analysis from OX Security, the compromised package targeted six distinct credential surfaces:

  • SSH keys and environment variables: Harvested ~/.ssh directories and .env files
  • Shell history: Extracted command history containing secrets
  • GitHub Actions secrets: Stole CI/CD credentials from workflow environments
  • Cloud provider tokens: Captured AWS, GCP, and Azure authentication material
  • AI coding assistant credentials: Specifically targeted Claude, Cursor, Codex CLI, Aider, and other AI tools

The malware used AES-256-GCM encryption to exfiltrate stolen data to audit.checkmarx[.]cx. As a fallback, it injected malicious workflows into victim repositories using stolen npm tokens, creating persistence even if the primary exfiltration channel was blocked.

One particularly concerning feature: the package contained self-propagating worm capabilities. Using stolen npm tokens, it could automatically publish infected versions of any packages the victim had permission to release, expanding the attack surface with each new infection.

Attribution

Security researchers identified the string "Shai-Hulud: The Third Coming" embedded in the malicious package, linking it to a supply chain campaign that previously targeted npm infrastructure. The campaign name references the sandworms from Dune, a fitting metaphor for malware that burrows through developer supply chains.

A since-suspended X account @TeamPCP appears connected to the operation, though definitive attribution remains unclear. The shared tooling with previous Shai-Hulud attacks complicates efforts to identify whether this is the same threat actor or copycat activity using leaked malware kits.

Impact Assessment

Bitwarden's security team estimates 334 developers downloaded the compromised package during the 93-minute window. The company emphasized that no end-user vault data was accessed or at risk—the attack targeted developer credentials, not Bitwarden's production infrastructure or user databases.

"The investigation found no evidence that end user vault data was accessed or at risk, or that production data or production systems were compromised," Bitwarden stated in a community forum post.

Why This Matters

Password managers are high-value targets precisely because they aggregate credentials. While this attack didn't reach user vaults, the compromise of Bitwarden's publishing pipeline demonstrates how supply chain attacks can target even security-focused organizations.

The explicit targeting of AI coding assistants is a new wrinkle. As developers increasingly use AI tools that have access to codebases, credentials stored in those tools become valuable targets. The malware specifically looked for authentication tokens from Claude Code, Cursor, and similar platforms—tools that often have broad repository access.

This incident also shows how a single compromised GitHub Action can cascade through dependent projects. The checkmarx/ast-github-action artifact was trusted by multiple organizations, and its compromise enabled attacks across several downstream targets.

Recommended Actions

For developers who installed @bitwarden/cli@2026.4.0:

  1. Rotate all credentials immediately: SSH keys, npm tokens, GitHub tokens, cloud provider credentials
  2. Audit package publish permissions: Check if any packages you maintain were modified
  3. Review shell history: Assess what sensitive commands might have been captured
  4. Check AI tool configurations: Rotate API keys for Claude, Cursor, or other AI coding assistants

For all developers:

  1. Pin specific package versions: Avoid using floating version ranges in production
  2. Enable npm provenance verification: Verify package signatures when available
  3. Audit CI/CD dependencies: Review third-party GitHub Actions for signs of compromise
  4. Monitor for the "Shai-Hulud" identifier: Watch for this string in dependency scanning alerts
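The following script is an added illustration of the audit steps above (checking installed packages for the compromised release, install-time lifecycle hooks, and the "Shai-Hulud" marker); it is not Bitwarden's or OX Security's tooling. It assumes a local node_modules tree and uses only the indicator values quoted in this article, with a constructed sample tree so it runs offline.

```python
import json
import tempfile
from pathlib import Path

# Indicators quoted in the article; extend KNOWN_BAD from your own advisories.
KNOWN_BAD = {("@bitwarden/cli", "2026.4.0")}
MARKER = "Shai-Hulud: The Third Coming"
HOOKS = ("preinstall", "install", "postinstall")  # hooks that run on npm install


def scan_node_modules(root):
    """Return (package, version, reason) findings for every manifest under root."""
    findings = []
    for pkg_json in Path(root).rglob("package.json"):
        try:
            meta = json.loads(pkg_json.read_text(encoding="utf-8"))
        except (ValueError, OSError):
            continue  # unreadable or non-JSON manifest; nothing to judge
        name, version = meta.get("name", "?"), meta.get("version", "?")
        if (name, version) in KNOWN_BAD:
            findings.append((name, version, "known compromised release"))
        for hook, cmd in (meta.get("scripts") or {}).items():
            if hook in HOOKS:  # install-time code execution, as bw1.js used
                findings.append((name, version, f"{hook} hook: {cmd}"))
        for js in pkg_json.parent.glob("*.js"):
            if MARKER in js.read_text(encoding="utf-8", errors="ignore"):
                findings.append((name, version, f"marker string in {js.name}"))
    return findings


def build_constructed_sample():
    """Build a CONSTRUCTED node_modules tree mimicking the described package."""
    root = Path(tempfile.mkdtemp())
    bad = root / "@bitwarden" / "cli"
    bad.mkdir(parents=True)
    (bad / "package.json").write_text(json.dumps({
        "name": "@bitwarden/cli", "version": "2026.4.0",
        "scripts": {"preinstall": "node bw1.js"}}))
    (bad / "bw1.js").write_text(f"// {MARKER}\n")  # marker only, no payload
    clean = root / "harmless-dep"
    clean.mkdir()
    (clean / "package.json").write_text(
        json.dumps({"name": "harmless-dep", "version": "1.0.0"}))
    return root


if __name__ == "__main__":
    for name, version, reason in scan_node_modules(build_constructed_sample()):
        print(f"{name}@{version}: {reason}")
```

Point `scan_node_modules` at a real project's node_modules to list any installed package that matches the known-bad release, declares an install-time hook, or ships the marker string; hooks in legitimate packages are common, so treat those lines as review items rather than verdicts.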
