
Bitwarden CLI npm package hijacked in Checkmarx-linked supply chain attack

via BleepingComputer

Original source

Bitwarden CLI npm package compromised to steal developer credentials


A malicious version 2026.4.0 of the @bitwarden/cli npm package sat in the registry for roughly 90 minutes on April 22 before being pulled. The tampered package shipped a preinstall hook that fetched the Bun runtime if missing, then ran an obfuscated loader that scraped npm tokens, GitHub credentials, SSH keys, and AWS/Azure/GCP secrets from any host that installed it. Stolen data was AES-256-GCM encrypted and exfiltrated by creating public GitHub repositories under the victim’s account — repos tagged with the string ‘Shai-Hulud: The Third Coming,’ tying the operation to prior npm worm activity.

Bitwarden confirmed only its npm distribution channel was affected; vault data, production systems, and the legitimate CLI source were untouched. The intrusion path traces back to a compromised Checkmarx-related developer tool used inside Bitwarden’s CI/CD, which let attackers push the poisoned release through the npm delivery pipeline. Socket identified shared infrastructure with the Checkmarx breach disclosed a day earlier, including the same audit.checkmarx[.]cx telemetry endpoint, identical __decodeScrambled obfuscation with seed 0x3039, and matching gzip+base64 payload components. Both campaigns are attributed to TeamPCP, the actor behind the Trivy and LiteLLM compromises.

The payload is wormable: it uses harvested npm tokens to find other packages the victim can publish to and reinjects itself, with explicit targeting of CI/CD secrets to broaden reach. Anyone who pulled the bad version should treat the host as fully compromised and rotate every credential it touched — npm, GitHub, SSH, and cloud provider keys first.
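As an added defensive check (not code from the article or from Bitwarden), the following Python scans a package-lock.json for the compromised release named above and flags every dependency that npm recorded as carrying install-time scripts, the hook the malicious build relied on. The sample lockfile and its package names are constructed for the example.

```python
import json

# Indicator from the advisory above; extend with further advisories as needed.
COMPROMISED = {"@bitwarden/cli": {"2026.4.0"}}

def package_name(path: str, meta: dict) -> str:
    """Derive the package name from a lockfile 'packages' key such as
    'node_modules/@bitwarden/cli' or 'node_modules/a/node_modules/b'."""
    return meta.get("name") or path.rsplit("node_modules/", 1)[-1]

def scan_lockfile(lock: dict) -> dict:
    """Return {'compromised': [...], 'install_scripts': [...]} for a parsed
    lockfileVersion 2/3 package-lock.json. npm records 'hasInstallScript'
    for any dependency declaring preinstall/install/postinstall hooks."""
    findings = {"compromised": [], "install_scripts": []}
    for path, meta in lock.get("packages", {}).items():
        if path == "":           # the root project entry itself
            continue
        name, version = package_name(path, meta), meta.get("version", "")
        if version in COMPROMISED.get(name, ()):
            findings["compromised"].append(f"{name}@{version}")
        if meta.get("hasInstallScript"):
            findings["install_scripts"].append(f"{name}@{version}")
    return findings

def scan_lockfile_path(filename: str) -> dict:
    """Convenience wrapper: load a package-lock.json from disk and scan it."""
    with open(filename, encoding="utf-8") as fh:
        return scan_lockfile(json.load(fh))

# Constructed sample lockfile (not a real project): one entry pinned to the
# bad release, one benign library, one native add-on with a build script.
SAMPLE_LOCK = {
    "name": "example-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/@bitwarden/cli": {"version": "2026.4.0", "hasInstallScript": True},
        "node_modules/example-lib": {"version": "1.3.0"},
        "node_modules/native-addon": {"version": "0.1.0", "hasInstallScript": True},
    },
}

if __name__ == "__main__":
    result = scan_lockfile(SAMPLE_LOCK)
    for hit in result["compromised"]:
        print("COMPROMISED:", hit, "- treat the host as compromised, rotate secrets")
    for pkg in result["install_scripts"]:
        print("install script present:", pkg, "- review before installing")
```

Setting npm's ignore-scripts option blocks those lifecycle hooks at install time, at the cost of breaking packages that legitimately need them.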


This is an AI-generated summary. Read the original for the full story.