Bitwarden CLI (2026)¶
The Lesson: A password manager's CLI is the most concentrated bag of credentials on a developer's machine. When the CI/CD pipeline that ships it gets compromised, every install is an opportunity to harvest tokens, keys, and secrets at scale — and the attackers will use a vendor-lookalike C2 domain so your SIEM scrolls right past it.
Trust the Tool That Holds Your Secrets
Developers install @bitwarden/cli because they're trying to do the right thing — get secrets out of .env files, out of shell history, out of ~/Notes.txt. On April 23, 2026, that careful instinct shipped a credential harvester to anyone running npm install -g @bitwarden/cli@2026.4.0. The package was real. The publisher was real. The CI pipeline that built it had been compromised.
What Happened¶
On or around April 23, 2026, Socket's research team flagged @bitwarden/cli@2026.4.0 on npm as malicious.1 The package was published from Bitwarden's legitimate npm account — same name, same scope, same publisher — but the build that produced it had been tampered with.
Bundled into the published artifact was a file named bw1.js. It didn't replace any of the legitimate CLI functionality. It rode along with it. When a developer or CI runner installed @bitwarden/cli@2026.4.0, the malicious payload executed alongside the genuine tool.
The attack surface here is unique. The Bitwarden CLI is, by design, a tool that holds secrets. Developers install it specifically to authenticate with cloud providers, decrypt configuration files, and pull SSH keys out of vaults at build time. A compromised version doesn't just steal some credentials — it ships into a context that's already authenticated to everything that matters.
The Payload¶
bw1.js was a credential harvester targeting exactly the assets a developer machine and a CI runner are most likely to hold:1
- Cloud provider credentials — AWS, Azure, GCP keys from environment variables and config files
- GitHub tokens — from
~/.config/gh,GITHUB_TOKEN,GH_TOKEN - npm tokens —
~/.npmrcandNPM_TOKENfor downstream package publishing - SSH private keys —
~/.ssh/id_*, with no preference for type
Exfiltration ran two paths in parallel:
- C2 exfiltration to
audit.checkmarx[.]cx/v1/telemetry - GitHub API abuse — using the harvested token to create public repositories under the victim's account, with stolen credentials embedded in commits
The first path looks legitimate at a glance. Checkmarx is a real security vendor. An analyst skimming network logs sees checkmarx and assumes the SAST scanner is calling home. But the real Checkmarx domain is checkmarx.com; this one is checkmarx.cx, registered on a Christmas Island TLD that almost no defender is paying attention to. The hostname is the social engineering.
The second path turns each compromised developer into a public, indexed, GitHub-hosted credential leak. Anyone scanning for exposed AWS keys (and there are entire industries doing exactly that) gets a fresh feed.
The Propagation¶
Beyond credential harvest, bw1.js had a second job: it used harvested npm tokens to inject malicious code into other npm packages those tokens could publish to.1 The pattern matches what made event-stream and Axios so damaging — once you compromise a developer's publish credentials, you don't have to attack each downstream package individually. You inherit them.
This is a worm. A slow, manual, GitHub-Action-shaped worm — but a worm.
The Vector¶
Socket attributes the initial compromise to "a compromised GitHub Action in Bitwarden's CI/CD pipeline."1 The specific action was not publicly named at the time of disclosure. Whether Bitwarden ran a malicious third-party action (the tj-actions shape) or a legitimate action that was itself compromised upstream (the Trivy shape) wasn't disclosed in the initial writeup.
What's confirmed: this was not a maintainer account takeover. Nobody phished a Bitwarden engineer. The publish credentials weren't stolen. The pipeline was the entry point.
This is the same shape as Trivy/Cisco a few weeks earlier, and the same shape as tj-actions before that. Three incidents, three different security-adjacent vendors, one pattern: the GitHub Actions ecosystem is where the supply chain is being attacked right now, and the fix-it scanners and password managers running in that ecosystem are some of the most attractive targets in it.
The Broader Campaign¶
@bitwarden/cli@2026.4.0 wasn't the only artifact in this campaign. Socket's writeup positions it as part of a broader operation including malicious Checkmarx KICS images and a separate cluster of suspicious VS Code extension releases.1 The C2 hostname pattern (*.checkmarx.cx) ties the cluster together: the attackers chose a name that gives them plausible cover regardless of which security tool they're impersonating in any given victim's environment.
The targets so far are all security or developer tooling — KICS, Bitwarden CLI, code extensions. These are exactly the categories most likely to:
- Run with elevated privileges
- Be installed on developer and CI machines that hold credentials
- Generate enough background network noise that C2 traffic blends in
If you're picking which package to compromise to maximize blast radius into developer infrastructure, you don't pick is-array. You pick the password manager.
Why It Mattered¶
The same CI/CD compromise pattern keeps working.
We've now watched this exact attack shape land three times in eight weeks: tj-actions (March 2025), Trivy/Cisco (early April 2026), Bitwarden CLI (late April 2026). Different victims, different scopes, same primitive: the GitHub Action that builds the artifact has more privilege than the artifact itself, and compromising it means you publish from the victim's account with the victim's keys, through the victim's pipeline, with the victim's signature.
There is no SBOM that catches this. There is no npm audit that flags it. The package metadata is correct. The publisher is correct. Every signal a downstream consumer can check is honest. The lie is buried in the build.
Vendor-lookalike domains evade casual log review.
audit.checkmarx[.]cx is doing real work for the attacker. Most analysts and most automated detection systems are tuned to flag obvious badness — IPs in known threat-feed ranges, domains registered yesterday, suspicious TLDs like .tk or .xyz. A .cx domain that contains the name of a security vendor your company actually pays for is none of those things. It looks like one of the dozen first-party telemetry endpoints your security stack already calls.
If you're hunting C2, the move is no longer "block known bad." It's "alert on any domain that looks like a vendor but isn't on the actual vendor's published infrastructure list."
Password manager CLIs concentrate damage.
Bitwarden CLI is the right tool for keeping secrets out of .env files. That makes a compromised Bitwarden CLI exactly the wrong tool to have on a machine. The mitigation isn't "don't use a password manager" — it's "don't trust any single version of your secret-handling tooling without pinning, signature verification, and a release artifact you can reason about."
# Reflexive: gets whatever's published right now
npm install -g @bitwarden/cli
# Better: pin to a known-good version, audit before bumping
npm install -g @bitwarden/cli@2026.3.0
# Best: install via your OS package manager or a checksum-verified release artifact
# from a channel you trust more than npm's "whatever was last pushed"
The attack window for 2026.4.0 may have been short, but the half-life of a credential harvested from a CI runner is months. Tokens get rotated lazily, AWS keys get pinned in .aws/credentials and forgotten, SSH keys land in authorized_keys files on production hosts and stay there. "We caught it within hours" doesn't undo the harvest.
Immediate Response¶
If you ran npm install against @bitwarden/cli@2026.4.0 between its publication and its removal:1
- Treat any credentials reachable from that environment as compromised
- Rotate AWS, Azure, GCP, GitHub, and npm tokens
- Replace SSH keys held in
~/.ssh/ - Audit your GitHub account for unauthorized public repositories — the malware created them
- Check CI logs for connections to
*.checkmarx.cx - Force-pull from any internal npm packages that token had publish rights to
The "absence of evidence" problem from Axios applies here too: if the malware exfiltrated cleanly and went quiet, your post-hoc scan finds nothing. That's not safety; that's silence.
The Broader Pattern¶
| tj-actions (2025) | Trivy / Cisco (2026) | Bitwarden CLI (2026) | |
|---|---|---|---|
| Compromise vector | Malicious tag rewrite | Compromised GitHub Action + stolen PAT | Compromised GitHub Action |
| Distribution channel | GitHub Actions | GitHub releases + Actions | npm |
| Payload target | CI secrets in workflow logs | Cisco source trees + secrets | Developer/CI credentials |
| C2 evasion | Public workflow logs (no C2 needed) | None disclosed | Vendor-lookalike domain |
| Worm capability | None | None | Yes — via harvested npm tokens |
Each incident pushes the pattern further. tj-actions weaponized tags. Trivy/Cisco weaponized actions and PATs. Bitwarden weaponized actions, npm publish flow, and added a propagation primitive that turns each compromise into a launch pad for the next.
The defenders who are catching these (StepSecurity on Axios, Socket on Bitwarden) are doing so within hours. That's encouraging. The attackers picking these targets clearly understand that a few hours is enough. That's the part that should worry you.
The Pattern Nobody Noticed Twice
Three CI/CD pipeline compromises against security-adjacent vendors in eight weeks. The first one might be a coincidence. The second one is a pattern. By the third one, you should be asking which of the GitHub Actions in your .github/workflows/ directory has the privilege to publish your packages, sign your releases, or push to your registries — and what your blast radius would be if that action's maintainer woke up to a compromised account tomorrow morning.
Pin actions to commit SHAs, not tags. Audit the privilege of every step in your release pipeline. Treat your CI secrets as already-leaked and rotate aggressively. And if you're a security vendor, assume you are now a Tier 1 target — because every signal in this campaign says you are.
Timeline¶
| Date | Event |
|---|---|
| ~Apr 2026 | GitHub Action in Bitwarden's CI/CD pipeline is compromised; specifics undisclosed |
| Apr 2026 | @bitwarden/cli@2026.4.0 published to npm with bw1.js credential harvester bundled |
| Apr 23, 2026 | Socket Research Team publicly identifies the package as malicious |
| Apr 23, 2026 | Socket links the compromise to a broader campaign also hitting Checkmarx KICS images and VS Code extension releases |
| Apr 2026 | Mitigation guidance issued: rotate credentials, audit GitHub for unauthorized repos, scan CI logs for *.checkmarx.cx |