The Bitwarden CLI npm package was compromised via a supply chain attack in version 2026.4.0, where a malicious file (bw1.js) was added to steal credentials from multiple services, read GitHub Actions runner memory, and establish persistence. Users of the affected version should immediately rotate exposed credentials and audit their CI logs and repositories. The article notes this is currently limited to the npm CLI package and not the browser extensions or main applications.
Bitwarden CLI npm package got compromised today, looks like part of the ongoing Checkmarx supply chain attack If you’re using @bitwarden/cli version 2026.4.0, you might want to check your setup From what researchers found: - malicious file added (bw1.js) - steals creds from GitHub, npm, AWS, Azure, GCP, SSH, env vars - can read GitHub Actions runner memory - exfiltrates data and even tries to spread via npm + workflows - adds persistence through bash/zsh profiles Some weird indicators: - calls to audit.checkmarx.cx - temp file like /tmp/tmp.987654321.lock - random public repos with dune-style names (atreides, fremen etc.) - commits with “LongLiveTheResistanceAgainstMachines” Important part, this is only the npm CLI package right now, not the extensions or main apps If you used it recently: probably safest to rotate your tokens and check your CI logs and repos Source is Socket research (posted a few hours ago) Curious if anyone here actually got hit or noticed anything weird submitted by /u/ApprehensiveEssay222 [link] [comments]