Bitwarden CLI compromised in ongoing Checkmarx supply chain campaign
TL;DR Highlight
Bitwarden CLI npm package delivers malware via GitHub Actions, stealing user credentials.
Who Should Read
Developers and DevOps engineers installing npm packages in CI/CD pipelines or using the Bitwarden CLI, especially teams automating dependency installation in GitHub Actions workflows.
Core Mechanics
- The affected version, @bitwarden/cli 2026.4.0, had malicious code inserted into the bw1.js file. Attackers compromised Bitwarden’s GitHub Actions CI/CD pipeline to inject the payload into build artifacts.
- This incident is part of the Checkmarx supply chain campaign—a series of attacks targeting the npm ecosystem—and shares the same C2 endpoint (audit.checkmarx[.]cx/v1/telemetry) and payload structure as previously analyzed mcpAddon.js.
- The malicious payload scrapes the memory of GitHub Actions Runners to steal GitHub tokens, AWS credentials from ~/.aws/ files and environment variables, Azure/GCP/npm tokens from azd·gcloud·~/.npmrc, and even Claude/MCP configuration files.
- Stolen npm tokens are used to find other npm packages with write access, injecting malicious code into the preinstall hook for redistribution. Public repositories on GitHub are also created with Dune novel-themed names ({word}-{word}-{3-digit number}) to commit encrypted results.
- A Russian locale killswitch causes the malware to silently exit if the system locale starts with 'ru', checking Intl.DateTimeFormat().resolvedOptions().locale and the LC_ALL, LC_MESSAGES, LANGUAGE, and LANG environment variables.
- Because the malicious payload executes during the npm install preinstall hook, existing security practices of scanning code after installation are ineffective. CI/CD environments with automated installation are particularly vulnerable due to short exposure windows.
- Impact was limited as the Bitwarden CLI does not auto-update, with approximately 334 downloads affected. Browser extensions, MCP servers, and other official distributions remain unaffected.
- The payload injects itself into ~/.bashrc and ~/.zshrc to maintain persistence after shell restarts, and incorporates ideological branding from Dune novels ('Shai-Hulud', 'Butlerian Jihad')—a departure from previous Checkmarx campaigns.
Evidence
- "Practical advice was shared that setting a minimum release age for npm package installations can defend against such attacks. Setting min-release-age=7 (days) in .npmrc (npm 11.10+) could have prevented this package (~19 hours to discovery/deprecation) and previous quickly-removed cases like axios and ua-parser-js."
How to Apply
- If using npm/pnpm/bun/uv, add a minimum release age to your package manager configuration. Set min-release-age=7 in ~/.npmrc, minimum-release-age=10080 (minutes) in pnpm rc, and minimumReleaseAge = 604800 (seconds) in ~/.bunfig.toml to prevent newly deployed malicious packages from automatically installing.
- In CI/CD pipelines, pin package versions in package.json without the ^ range and commit the lockfile. For critical tools like Bitwarden CLI, always pin versions.
- If currently using Bitwarden CLI, check CI logs for use of the affected version (2026.4.0) and immediately rotate any secrets (GitHub tokens, AWS/GCP/Azure credentials, npm tokens, SSH keys) potentially exposed in that workflow. Refer to the Bitwarden community for the timeframe of compromise.
- If using GitHub Actions, pin third-party Action versions to SHA hashes and remove unnecessary secret access permissions to minimize the blast radius of a compromise.
Code Example
# ~/.npmrc (npm 11.10+ required)
min-release-age=7 # Unit: days
# ~/Library/Preferences/pnpm/rc
minimum-release-age=10080 # Unit: minutes
# ~/.bunfig.toml
[install]
minimumReleaseAge = 604800 # Unit: seconds
# ~/.config/uv/uv.toml (Python uv package manager)
exclude-newer = "7 days"Terminology
Related Papers
Show HN: ctx – Search the coding agent history already on your machine
Claude Code, Cursor, Codex 등 코딩 에이전트가 이전 세션의 논의·결정·실패 시도를 잊지 않도록 SQLite로 인덱싱해 재사용할 수 있게 해주는 오픈소스 CLI 도구다.
Micro-Agent: Beat Frontier Models with Collaboration Inside Model API
vLLM 팀이 단일 모델 API 호출 뒤에서 여러 모델이 협업하는 'Micro-Agent' 개념을 공개했습니다. 별도의 에이전트 코드 없이 라우터 레이어에서 모델 조합을 실행해 GPT-4급 결과를 더 저렴하게 낼 수 있다는 아이디어입니다.
Ornith-1.0: self-improving open-source models for agentic coding
Gemma 4와 Qwen 3.5를 기반으로 파인튜닝한 코딩 특화 오픈소스 모델로, RL(강화학습)을 통해 스캐폴드(에이전트 실행 구조)까지 함께 최적화하는 방식을 주장하지만, 커뮤니티에서는 벤치마크 과최적화에 불과하다는 의심을 받고 있다.
Entity Binding Failures in Tool-Augmented Agents
AI 에이전트가 올바른 도구를 선택해도 잘못된 대상에 실행하는 'Entity Binding 실패' 문제를 정의하고, 이를 막는 실행 정책을 평가한 논문.
Herdr: Agent multiplexer that lives in your terminal
여러 AI 코딩 에이전트(Claude, Codex 등)를 하나의 터미널에서 동시에 실행·관리할 수 있는 Rust 기반 오픈소스 툴로, tmux처럼 세션이 유지되고 SSH로 원격 접속도 가능해 멀티 에이전트 워크플로우를 크게 단순화해준다.
Ornith-1.0: Self-scaffolding LLMs for agentic coding
모델이 문제 풀이 전략(scaffold)을 직접 생성하고 개선하는 자기강화 학습 프레임워크를 적용한 오픈소스 코딩 특화 LLM으로, 9B 소형 모델부터 397B 대형 모델까지 라인업을 갖추고 SWE-Bench 등 주요 벤치마크에서 Claude Opus 4.7을 능가하는 성능을 보여줬다.
Related Resources
- Original Article: Bitwarden CLI Compromised in Ongoing Checkmarx Supply Chain Campaign
- Bitwarden Official Statement
- rbw: A Bitwarden CLI alternative written in Rust
- DepsGuard: Package Manager Security Configuration Helper
- Cooldowns.dev: Package Release Cooldown Setting Tool
- The Install Was the Attack (AgentSH Blog)