Bitwarden CLI Compromised in Ongoing Checkmarx Supply Chain Campaign

Socket researchers discovered that Bitwarden CLI 2026.4.0 was compromised as part of a broader supply chain attack. The breach occurred after attackers exploited a GitHub Action in Bitwarden’s CI/CD pipeline to inject malicious code.
Bitwarden CLI Compromised via CI/CD Pipeline
Security researchers from Socket and Docker have uncovered a malicious injection in the Bitwarden Command Line Interface (CLI), a tool used by millions of developers and thousands of enterprises. The compromise is part of an ongoing supply chain campaign targeting the Checkmarx ecosystem.
The affected version is identified as @bitwarden/[email protected], with the malicious payload residing in a file named bw1.js published to the npm registry.
Attack Vector and Impact
The breach occurred after attackers successfully abused a GitHub Action within Bitwarden’s CI/CD pipeline. This allowed them to inject unauthorized code during the automated build process.
At this stage, the compromise appears limited to the npm package for the CLI. Bitwarden’s browser extensions, mobile apps, and desktop clients remain unaffected, according to current research data.
Technical Analysis: The "bw1.js" Payload
The bw1.js file shares infrastructure with previous Checkmarx-related malware. Key technical findings include:
- Data Exfiltration: The malware sends telemetry and stolen data to
audit.checkmarx[.]cx/v1/telemetry. - Obfuscation: It uses a custom
__decodeScrambledfunction with a specific seed to evade static analysis. - Credential Theft: The payload targets GitHub and npm tokens, potentially allowing attackers to hijack other repositories or publish further malicious updates.
- Persistence: It modifies shell profiles like
~/.bashrcand~/.zshrcto ensure the malicious code runs in future sessions.
Interestingly, the attack features heavy ideological branding inspired by Frank Herbert’s "Dune," including repository names like "Shai-Hulud" and debug strings referencing the "Butlerian Jihad."
Remediation and Guidance
Organizations that have installed the compromised package should treat the event as a full credential exposure. Recommended steps include:
- Immediate Removal: Uninstall
@bitwarden/[email protected]from all developer machines and build runners. - Secret Rotation: Rotate all potentially exposed credentials, including GitHub/npm tokens, cloud provider keys, and CI/CD secrets.
- System Audit: Check for the presence of the lock file
/tmp/tmp.987654321.lockand inspect shell profiles for unauthorized modifications. - Network Monitoring: Block and audit any outbound traffic to the known malicious domain
audit.checkmarx[.]cx.
Indicators of Compromise (IoCs)
- IP Address:
94[.]154[.]172[.]43 - C2 Endpoint:
https://audit.checkmarx[.]cx/v1/telemetry - Files:
/tmp/tmp.987654321.lock,bw1.js - Suspicious Keywords:
atreides,fremen,harkonnen,sandworm,melange,mentat.
This incident highlights the critical need for hardening CI/CD permissions and monitoring third-party package updates for unexpected changes in behavior.
Source: Hacker News
















