Bitwarden CLI Compromised in Ongoing Checkmarx Supply Chain Campaign

The Hacker News business

Key Points:

  • Bitwarden CLI version @bitwarden/cli@2026.4.0 was compromised through a malicious package containing "bw1.js," which was published via a compromised GitHub Action in Bitwarden's CI/CD pipeline as part of the ongoing Checkmarx supply chain attack campaign.
  • The malicious code steals developer secrets including GitHub/npm tokens, .ssh keys, .env files, shell history, GitHub Actions, and cloud secrets, exfiltrating them to a fake Checkmarx domain and a GitHub repository; it also weaponizes stolen tokens to inject further malicious workflows.
  • The attack leverages a preinstall hook to execute the credential stealer, targeting AI coding tool configurations and enabling persistent access to CI/CD pipelines through compromised developer tokens, posing a broad supply chain risk.
  • Bitwarden confirmed the incident occurred during a brief window on April 22, 2026, affecting only the npm distribution path for the CLI; no end-user vault data or production systems were compromised, and the malicious package has been removed.
  • The threat actor behind the attack is suspected to be TeamPCP, whose X account was suspended; the campaign shows evolving tactics including public exfiltration of data to GitHub repositories and avoidance of execution on systems with Russian locale settings.
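
The preinstall hook described above runs at install time, so a lockfile audit is a quick exposure check. This added example (not code from the article or from Bitwarden) flags the affected release and any dependency whose lockfile entry is marked hasInstallScript; the function names and the sample lockfile are constructed for illustration.

```javascript
// Added example: audits a parsed package-lock.json (lockfileVersion 2 or 3)
// for the release named in the article and for install-time scripts.
const AFFECTED = { name: "@bitwarden/cli", version: "2026.4.0" }; // from the article

// Derive the package name from a lockfile key such as
// "node_modules/a/node_modules/@scope/pkg" -> "@scope/pkg".
function nameFromLockPath(path) {
  const marker = "node_modules/";
  const idx = path.lastIndexOf(marker);
  return idx === -1 ? null : path.slice(idx + marker.length);
}

function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // the root project entry, not a dependency
    const name = meta.name || nameFromLockPath(path);
    if (!name) continue;
    if (name === AFFECTED.name && meta.version === AFFECTED.version) {
      findings.push({ severity: "critical", path, reason: "affected release installed" });
    } else if (meta.hasInstallScript) {
      // npm records hasInstallScript when preinstall/install/postinstall exist
      findings.push({ severity: "review", path, reason: "runs install-time scripts" });
    }
  }
  return findings;
}

// Constructed sample lockfile, for illustration only.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@bitwarden/cli": { version: "2026.4.0", hasInstallScript: true },
    "node_modules/left-pad": { version: "1.3.0" },
    "node_modules/tool/node_modules/native-dep": { version: "2.1.0", hasInstallScript: true },
  },
};

for (const f of auditLockfile(sampleLock)) {
  console.log(`[${f.severity}] ${f.path}: ${f.reason}`);
}
```

To audit a real project, pass in the parsed contents of its package-lock.json. Installing with `npm ci --ignore-scripts` keeps lifecycle hooks such as preinstall from running at all.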
