Bitwarden CLI Compromised in Checkmarx Supply Chain Attack

Original: Bitwarden CLI compromised in ongoing Checkmarx supply chain campaign

Why This Matters

Major password manager compromise demonstrates sophistication of supply chain attacks

Socket researchers discovered that Bitwarden CLI version 2026.4.0 was compromised through a GitHub Actions supply chain attack. The malicious code was embedded in the bw1.js file and targets credentials and secrets passing through CI/CD pipelines.

Socket's security team identified that the Bitwarden CLI package @bitwarden/cli 2026.4.0 was compromised as part of the ongoing Checkmarx supply chain campaign. The attack leveraged a compromised GitHub Action in Bitwarden's CI/CD pipeline, affecting the open source password manager used by over 10 million users and 50,000 businesses. The malicious payload was contained in the bw1.js file and uses the same C2 endpoint (audit.checkmarx.cx/v1/telemetry) as other attacks in this campaign. The malware harvests GitHub tokens, AWS/Azure/GCP credentials, npm configurations, SSH keys, and environment variables. It creates public repositories with Dune-themed names for data exfiltration and includes a Russian locale kill switch. Only the npm CLI package was affected, not the Chrome extension or other distributions.
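The indicators in the summary above (the affected npm package and version, the bw1.js file name, and the shared C2 endpoint) are enough for a quick offline triage of a checkout. The following Python script is an added example, not code from Socket or Bitwarden: it checks a package-lock.json for the affected version and walks a node_modules tree for the file name or the endpoint string. The sample lockfile and file tree it builds are constructed for the demonstration and contain only the indicator string, no payload.

```python
"""Added example: triage a project for the indicators named in the write-up.

Two offline checks a defender can run on a checkout:
  1. does package-lock.json pin @bitwarden/cli at the affected version, and
  2. does any file under node_modules carry the bw1.js name or the campaign's
     C2 endpoint string.
The sample lockfile and directory tree below are constructed for the demo.
"""
import json
import tempfile
from pathlib import Path

# Indicators as stated in the write-up above.
AFFECTED_PACKAGE = "@bitwarden/cli"
AFFECTED_VERSION = "2026.4.0"
C2_ENDPOINT = "audit.checkmarx.cx/v1/telemetry"
SUSPICIOUS_FILE = "bw1.js"


def find_affected_in_lockfile(lock_text: str) -> list[str]:
    """Return install paths that pin the affected package at the affected version.

    Handles the lockfileVersion 2/3 'packages' map (keys such as
    'node_modules/@bitwarden/cli') and the legacy nested 'dependencies' tree.
    """
    lock = json.loads(lock_text)
    hits = set()

    for path, meta in lock.get("packages", {}).items():
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        if name == AFFECTED_PACKAGE and meta.get("version") == AFFECTED_VERSION:
            hits.add(path)

    def walk(deps: dict, prefix: str) -> None:
        for name, meta in deps.items():
            here = f"{prefix}node_modules/{name}"
            if name == AFFECTED_PACKAGE and meta.get("version") == AFFECTED_VERSION:
                hits.add(here)
            walk(meta.get("dependencies", {}), here + "/")

    walk(lock.get("dependencies", {}), "")
    return sorted(hits)


def scan_tree(root: Path) -> list[tuple[str, str]]:
    """Flag files named bw1.js or containing the C2 endpoint; returns (path, reason)."""
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name == SUSPICIOUS_FILE:
            findings.append((rel, "suspicious file name"))
        try:
            text = path.read_text(encoding="utf-8", errors="ignore")
        except OSError:
            continue
        if C2_ENDPOINT in text:
            findings.append((rel, "references campaign C2 endpoint"))
    return findings


# Constructed sample lockfile (v3 layout) that pins the affected version.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/@bitwarden/cli": {"version": "2026.4.0"},
        "node_modules/left-pad": {"version": "1.3.0"},
    },
})


def demo() -> tuple[list[str], list[tuple[str, str]]]:
    """Build a constructed node_modules tree in a temp dir and run both checks."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        pkg = root / "node_modules" / "@bitwarden" / "cli"
        pkg.mkdir(parents=True)
        (pkg / "package.json").write_text('{"name":"@bitwarden/cli","version":"2026.4.0"}')
        # Constructed stand-in file: only the indicator string, no real payload.
        (pkg / "bw1.js").write_text(
            "// constructed sample\nconst h = 'audit.checkmarx.cx/v1/telemetry';\n"
        )
        (root / "node_modules" / "left-pad").mkdir()
        (root / "node_modules" / "left-pad" / "index.js").write_text(
            "module.exports = (s, n) => s.padStart(n);\n"
        )
        return find_affected_in_lockfile(SAMPLE_LOCK), scan_tree(root)


if __name__ == "__main__":
    lock_hits, file_hits = demo()
    print("lockfile:", lock_hits)
    for rel, reason in file_hits:
        print(f"{rel}: {reason}")
```

Against a real checkout, pass the contents of its package-lock.json to find_affected_in_lockfile and its node_modules directory to scan_tree; a hit on either check is a reason to rotate every secret the affected CI job could read (GitHub tokens, cloud credentials, npm config, SSH keys), since the summary lists exactly those as what the payload harvests.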

Source

socket.dev