HeadlinesBriefing.com

Bitwarden CLI Supply Chain Breach Tied to Checkmarx Campaign

Hacker News

Security firm Socket uncovered that the Bitwarden command-line client was compromised through a malicious npm package published as @bitwarden/cli version 2026.4.0. The payload, hidden in a file called bw1.js, was injected via a hijacked GitHub Action in Bitwarden's CI/CD pipeline, mirroring the technique used across the broader Checkmarx supply-chain operation. Over 10 million users and thousands of enterprises rely on the password manager, making the breach especially concerning.

Investigators traced the malicious code to a shared C2 endpoint (audit.checkmarx.cx) and noted that the script harvested GitHub tokens, cloud credentials, SSH keys, and npm configuration files before exfiltrating the data through the GitHub API and the npm registry. The malware also creates public repositories with Dune-themed names, embeds a Russian-locale kill switch, and installs a lock file to prevent concurrent execution. These indicators differentiate this variant from earlier Checkmarx samples while confirming that it shares the same infrastructure.

Socket advises anyone who installed the tainted package to delete it immediately, rotate all exposed secrets, and audit CI logs for unauthorized workflow files or repository creation. Reviewing npm publish histories for unexpected pre-install hooks and scanning runner environments for the lock file or Bun interpreter usage can help contain the incident. Prompt remediation will stop further credential leakage.
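As an added example, not part of the briefing or of Socket's tooling, the script below audits a project's node_modules tree for the indicators named above: the tainted release, the bw1.js payload file, a lifecycle hook that runs it or invokes Bun, and any shipped JavaScript that references the audit.checkmarx.cx endpoint. The sample package tree it builds is constructed for the demo; the lock-file name is not given in the report, so it is not checked.

```python
import json
import tempfile
from pathlib import Path

# Indicators taken from the report above; anything beyond these is an assumption.
TAINTED_PACKAGE, TAINTED_VERSION = "@bitwarden/cli", "2026.4.0"
PAYLOAD_FILE, C2_HOST = "bw1.js", "audit.checkmarx.cx"


def audit_package_dir(pkg_dir: Path) -> list:
    """Return findings for one installed package directory (empty list if clean)."""
    findings, manifest = [], pkg_dir / "package.json"
    if not manifest.is_file():
        return findings
    meta = json.loads(manifest.read_text(encoding="utf-8"))
    if meta.get("name") == TAINTED_PACKAGE and meta.get("version") == TAINTED_VERSION:
        findings.append(f"tainted release installed: {TAINTED_PACKAGE}@{TAINTED_VERSION}")
    # Lifecycle hooks execute at install time; flag ones that run the payload or a Bun binary.
    for hook, cmd in (meta.get("scripts") or {}).items():
        if hook in ("preinstall", "install", "postinstall") and (PAYLOAD_FILE in cmd or "bun" in cmd.split()):
            findings.append(f"suspicious {hook} hook: {cmd}")
    # The payload file itself, and any shipped JS that names the shared C2 host.
    for js in pkg_dir.rglob("*.js"):
        rel = js.relative_to(pkg_dir)
        if "node_modules" in rel.parts:  # nested packages are audited on their own
            continue
        if js.name == PAYLOAD_FILE:
            findings.append(f"payload file present: {rel}")
        if C2_HOST in js.read_text(encoding="utf-8", errors="ignore"):
            findings.append(f"C2 host {C2_HOST} referenced in {rel}")
    return findings


def audit_node_modules(node_modules: Path) -> list:
    """Walk every package.json under node_modules (nested installs included)."""
    return [f for m in node_modules.rglob("package.json") for f in audit_package_dir(m.parent)]


def run_demo() -> list:
    """Build a constructed sample tree (stand-in contents, not the real package) and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        nm = Path(tmp) / "node_modules"
        bad = nm / "@bitwarden" / "cli"
        bad.mkdir(parents=True)
        (bad / "package.json").write_text(json.dumps({"name": TAINTED_PACKAGE, "version": TAINTED_VERSION,
                                                      "scripts": {"preinstall": f"node {PAYLOAD_FILE}"}}))
        (bad / PAYLOAD_FILE).write_text(f"// constructed stand-in payload\nfetch('https://{C2_HOST}/');\n")
        good = nm / "example-clean-pkg"  # hypothetical clean package for contrast
        good.mkdir()
        (good / "package.json").write_text(json.dumps({"name": "example-clean-pkg", "version": "1.0.0"}))
        return audit_node_modules(nm)
```

Point audit_node_modules at a real node_modules directory (or a CI runner's npm cache extracted to disk) to check an actual install.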