Categories: Cyber Security News

Bitwarden CLI Hit by Supply Chain Attack Through GitHub Actions

A supply chain attack has hit the Bitwarden CLI, the widely used command-line interface for the popular password manager.

The attackers exploited a GitHub Actions workflow within Bitwarden’s CI/CD pipeline to inject malicious code into its npm package, marking another escalation in the ongoing Checkmarx-related supply chain campaign.

Malicious Package and Impact Scope

Cybersecurity researchers at Socket have uncovered that the compromised package, identified as @bitwarden/cli version 2026.4.0, contains a hidden malicious payload embedded in a file named bw1.js.

Importantly, the incident is limited to the npm distribution of the CLI tool. Bitwarden’s browser extensions, including its Chrome extension, and other official releases remain unaffected.

This attack highlights the growing risks associated with software supply chains, particularly when automated pipelines like GitHub Actions are leveraged to distribute tampered packages at scale.

The injected malware functions as an aggressive credential harvester.

Once executed, it scans system memory and environment variables to extract sensitive data, including:

  • GitHub authentication tokens
  • Cloud credentials for AWS, Azure, and GCP
  • npm configuration files and tokens
  • SSH private keys

The malware communicates with a command-and-control (C2) endpoint linked to previous Checkmarx attacks, specifically infrastructure at 94.154.172.43 and audit.checkmarx.cx.

The payload also includes a locale-based kill switch: if the system locale, or the locale-related environment variables, begins with "ru", the malware exits before doing anything, which suggests the operators deliberately exclude Russian-language systems.

Instead of traditional data exfiltration methods, the attackers used compromised GitHub accounts to create public repositories containing stolen data.

These repositories follow a distinct naming convention inspired by the sci-fi franchise Dune, using terms such as “fremen,” “sandworm,” and “mentat.”

Descriptions within these repositories include references like “Shai-Hulud: The Third Coming” and a “Butlerian Jihad” manifesto, indicating ideological or signature-based branding by the attackers.

To maintain persistence, the malware injects itself into shell profile scripts and uses a lock file (/tmp/tmp.987654321.lock) to prevent duplicate execution.

Indicators of Compromise (IOCs)

Security teams should watch for the following indicators:

  • Malicious package: @bitwarden/cli 2026.4.0
  • Network indicators: 94.154.172.43, https://audit.checkmarx.cx/v1/telemetry
  • File artifacts: /tmp/tmp<timestamp>/, package-updated.tgz

Organizations using the affected package should treat this as a critical credential exposure incident.

Immediate actions include:

  • Removing the compromised package from all systems and CI/CD pipelines
  • Rotating all exposed secrets, including GitHub, cloud, npm, and SSH credentials
  • Auditing GitHub accounts for unauthorized repositories, especially with Dune-themed names
  • Reviewing npm packages for suspicious modifications or preinstall hooks
  • Monitoring network activity for unusual outbound connections
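The IOC list and the immediate actions above can be turned into a first-pass triage script. The following is an added example written for this write-up, not tooling from Bitwarden or Socket: it checks npm lockfiles for the malicious version, shell profiles for injected lines, outbound-connection logs for the C2 indicators, GitHub repository names for the Dune-themed convention, and the host for the lock file, bw1.js, and package-updated.tgz. Every sample input in it is constructed for the demo, and matching shell-profile lines against the published artifact names is an assumption of this example, since the report does not quote the injected text itself.

```python
"""Triage helper for the @bitwarden/cli 2026.4.0 indicators listed above.
Added example, not tooling from Bitwarden or Socket; all sample inputs are constructed."""
import re
import tempfile
from pathlib import Path

MALICIOUS_PACKAGE = "@bitwarden/cli"
MALICIOUS_VERSION = "2026.4.0"
NETWORK_IOCS = ("94.154.172.43", "audit.checkmarx.cx")
LOCK_FILE = "/tmp/tmp.987654321.lock"
# Assumption of this example: an injected profile line mentions a published artifact
# (the report does not quote the injected text itself).
PROFILE_IOCS = ("bw1.js", LOCK_FILE, "package-updated.tgz")
DUNE_REPO_RE = re.compile(r"fremen|sandworm|mentat|shai[-_ ]?hulud", re.I)


def find_compromised_entries(lock: dict) -> list[str]:
    """Lockfile paths pinning @bitwarden/cli to the malicious version.
    Handles lockfileVersion 2/3 ("packages") and v1 nested "dependencies";
    v2 carries both sections, so hits are de-duplicated."""
    hits = set()
    for path, meta in lock.get("packages", {}).items():
        if path.endswith("node_modules/" + MALICIOUS_PACKAGE) and meta.get("version") == MALICIOUS_VERSION:
            hits.add(path)

    def walk_v1(deps: dict, prefix: str) -> None:
        for name, meta in deps.items():
            if name == MALICIOUS_PACKAGE and meta.get("version") == MALICIOUS_VERSION:
                hits.add(prefix + name)
            walk_v1(meta.get("dependencies", {}), prefix + name + "/node_modules/")

    walk_v1(lock.get("dependencies", {}), "node_modules/")
    return sorted(hits)


def suspicious_profile_lines(profile_text: str) -> list[str]:
    """Lines of ~/.bashrc, ~/.zshrc, ~/.profile and friends that reference the IOCs."""
    return [ln for ln in profile_text.splitlines() if any(ioc in ln for ioc in PROFILE_IOCS)]


def suspicious_log_lines(log_lines) -> list[str]:
    """Outbound-connection log lines touching the C2 indicators."""
    return [ln for ln in log_lines if any(ioc in ln for ioc in NETWORK_IOCS)]


def suspicious_repo_names(repo_names) -> list[str]:
    """Repository names matching the Dune-themed exfiltration convention."""
    return [name for name in repo_names if DUNE_REPO_RE.search(name)]


def host_artifacts(root: Path) -> list[str]:
    """File artifacts under root (pass Path("/") on a live host). bw1.js is only
    looked for inside the package's own install directory, which keeps the walk
    cheap and avoids unrelated files that happen to share the name."""
    found = []
    lock = root / LOCK_FILE.lstrip("/")
    if lock.exists():
        found.append(str(lock))
    for install_dir in root.glob("**/node_modules/@bitwarden/cli"):
        if (install_dir / "bw1.js").is_file():
            found.append(str(install_dir / "bw1.js"))
    found.extend(str(p) for p in root.rglob("package-updated.tgz"))
    return found


# Constructed samples: a v3 lockfile, a v1 lockfile with the package nested under
# another dependency, a shell profile with one injected line, a proxy log, repo names.
SAMPLE_LOCK_V3 = {"lockfileVersion": 3, "packages": {
    "": {"dependencies": {"@bitwarden/cli": "2026.4.0", "semver": "7.6.0"}},
    "node_modules/@bitwarden/cli": {"version": "2026.4.0"},
    "node_modules/semver": {"version": "7.6.0"}}}
SAMPLE_LOCK_V1 = {"lockfileVersion": 1, "dependencies": {"release-helper": {
    "version": "1.0.0", "dependencies": {"@bitwarden/cli": {"version": "2026.4.0"}}}}}
SAMPLE_PROFILE = """export PATH="$HOME/.local/bin:$PATH"
alias ll='ls -la'
[ -e /tmp/tmp.987654321.lock ] || node "$HOME/.cache/bw1.js" >/dev/null 2>&1 &
"""
SAMPLE_LOG = [
    "2026-04-21T10:02:11Z runner-7 CONNECT 203.0.113.10:443 registry.npmjs.org",
    "2026-04-21T10:02:13Z runner-7 CONNECT 94.154.172.43:443",
    "2026-04-21T10:02:14Z runner-7 POST https://audit.checkmarx.cx/v1/telemetry 200",
]
SAMPLE_REPOS = ["infra-terraform", "fremen-7", "docs", "Mentat"]


def run_demo() -> dict:
    """Run every check against the samples plus a throwaway file tree."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "tmp").mkdir()
        (root / LOCK_FILE.lstrip("/")).write_text("")
        install = root / "home/ci/project/node_modules/@bitwarden/cli"
        install.mkdir(parents=True)
        (install / "bw1.js").write_text("// stand-in for the payload, not the real file\n")
        host = [p[len(tmp):] for p in host_artifacts(root)]
    return {"lockfile_v3": find_compromised_entries(SAMPLE_LOCK_V3),
            "lockfile_v1": find_compromised_entries(SAMPLE_LOCK_V1),
            "profile": suspicious_profile_lines(SAMPLE_PROFILE),
            "network": suspicious_log_lines(SAMPLE_LOG),
            "repos": suspicious_repo_names(SAMPLE_REPOS),
            "host": host}


if __name__ == "__main__":
    for check, result in run_demo().items():
        print(f"{check:12s} {result or 'clean'}")
```

On a real host, feed `find_compromised_entries` the parsed package-lock.json of each repository and CI image, run `host_artifacts(Path("/"))` on build runners (the rglob for package-updated.tgz is the slow part), and pull the repository list for every GitHub account that had a token on an affected machine before calling `suspicious_repo_names`. A hit on any check means the secrets present on that machine should be rotated, not just the package removed.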

For long-term resilience, organizations should enforce least-privilege access, adopt short-lived tokens, and harden GitHub Actions permissions to reduce supply chain attack risks.
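The last recommendation is concrete enough to check mechanically. The script below is an added example written for this write-up, not Bitwarden's workflow and not GitHub or Socket tooling: it audits a GitHub Actions workflow, without a YAML parser, for a missing or write-all top-level permissions block and for a pull_request_target trigger, and it goes one step beyond the text's "permissions" point by also flagging actions that are not pinned to a commit SHA. The two workflows embedded in it are constructed; the commit SHAs in the hardened one are zero placeholders that must be replaced with the real commit of the action version you audited.

```python
"""Audit a GitHub Actions workflow for the permission mistakes that let a CI
compromise turn into a publish of a tampered npm package.
Added example, not Bitwarden's workflow; both sample workflows are constructed."""
import re

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
SHA_PIN_RE = re.compile(r"@[0-9a-f]{40}$")
PR_TARGET_RE = re.compile(r"^\s*pull_request_target\s*:")


def audit_workflow(text: str) -> list[str]:
    """Return human-readable findings for one workflow file; empty means clean."""
    findings = []
    lines = text.splitlines()

    # The top-level key sits at column 0. Without it GITHUB_TOKEN gets the
    # repository default, which may be read/write for every scope.
    top_perm = [ln for ln in lines if ln.startswith("permissions:")]
    if not top_perm:
        findings.append("no top-level permissions block; GITHUB_TOKEN falls back to the repository default")
    elif top_perm[0].split(":", 1)[1].strip() == "write-all":
        findings.append("top-level permissions: write-all")

    # pull_request_target runs with a write-capable token and repository secrets
    # while the code under test can come from a fork.
    if any(PR_TARGET_RE.match(ln) for ln in lines):
        findings.append("pull_request_target trigger (write token exposed to fork-controlled code)")

    # A tag such as @v4 is mutable and can be moved to malicious code; a 40-hex SHA cannot.
    for ln in lines:
        m = USES_RE.match(ln)
        if not m or m.group(1).startswith(("./", "docker://")):
            continue
        if not SHA_PIN_RE.search(m.group(1)):
            findings.append(f"action not pinned to a commit SHA: {m.group(1)}")
    return findings


# Constructed release workflow with the weak settings in one place.
WEAK_WORKFLOW = """name: release
on:
  push:
    tags: ['v*']
  pull_request_target:
permissions: write-all
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          registry-url: https://registry.npmjs.org
      - run: npm ci && npm publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

# Same pipeline hardened: read-only token, id-token only for npm provenance,
# the publish secret held in a reviewed environment, actions pinned to SHAs.
# The SHAs are zero placeholders; pin to the real commit you reviewed.
HARDENED_WORKFLOW = """name: release
on:
  push:
    tags: ['v*']
permissions:
  contents: read
  id-token: write
jobs:
  publish:
    runs-on: ubuntu-latest
    environment: npm-release   # required reviewers gate access to NPM_TOKEN
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000  # v4.x
      - uses: actions/setup-node@0000000000000000000000000000000000000000  # v4.x
        with:
          node-version: 20
          registry-url: https://registry.npmjs.org
      - run: npm ci && npm publish --provenance
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
"""


if __name__ == "__main__":
    for label, workflow in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        findings = audit_workflow(workflow)
        print(f"{label}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

Run it over every file in .github/workflows/ of each repository that publishes a package. The line-based approach deliberately ignores job-level permissions blocks, so a workflow that scopes permissions per job will be reported as missing the top-level block; treat that as a prompt to confirm the per-job scopes rather than as a false positive to suppress.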


The post Bitwarden CLI Hit by Supply Chain Attack Through GitHub Actions appeared first on Cyber Security News.

rssfeeds-admin
