
🎯A bad guy hacked into a tool that developers use to build software, stealing secret codes that can unlock important accounts. If you used this tool recently, you need to change your passwords and check for any strange activity.
What Happened
Bitwarden CLI version 2026.4.0 has been compromised in connection with the ongoing Checkmarx supply chain attack, as confirmed by security researchers from JFrog and Socket. The attack involved the injection of a malicious file named 'bw1.js' into the package, which is widely used by over 10 million users and more than 50,000 businesses. The malicious code was published via a compromised GitHub Action in Bitwarden's CI/CD pipeline, mirroring tactics seen in other recent supply chain attacks.
Who's Affected
The breach potentially exposes millions of users and thousands of enterprises to credential theft. Users who downloaded the affected package during the brief window of availability are at risk. However, Bitwarden has confirmed that its Chrome extension, MCP server, and other official distribution channels remain uncompromised.
What Data Was Exposed
The malicious payload is designed to harvest a wide range of sensitive credentials, including:
GitHub tokens via
AWS credentials from
Azure and GCP tokens
npm tokens from
SSH keys and
Additionally, the attackers created public repositories under victim accounts to exfiltrate the stolen data, employing a unique naming convention inspired by the Dune universe. The payload also has a kill switch that prevents execution on systems with a Russian locale, indicating a sophisticated level of planning and targeting.
What You Should Do
Organizations that installed the compromised package should treat this incident as a full credential exposure event. Immediate actions include:
Do Now
1. Remove the affected package from all systems.
2. Rotate all potentially exposed credentials, including GitHub tokens, npm tokens, and cloud service credentials.
Do Next
3. Audit GitHub for unauthorized repository creation and unexpected workflow files.
4. Monitor for unusual outbound connections to the identified command and control (C2) endpoint: audit.checkmarx[.]cx/v1/telemetry
Long-term security measures should focus on locking down token scopes, enforcing short-lived credentials, and implementing least-privilege configurations for GitHub Actions to prevent similar incidents in the future. Security teams are encouraged to stay vigilant and continuously monitor for any signs of compromise related to this incident.
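As an added triage example (not code from the advisory, Bitwarden, JFrog or Socket), the Python below covers steps 1 and 4: it flags npm lockfiles pinning the affected version, walks a directory tree for the injected file name, and filters proxy or DNS logs for the C2 host. It assumes the CLI's npm package name is @bitwarden/cli and that the defanged domain corresponds to audit.checkmarx.cx; the lockfile and log lines are constructed samples.

```python
import json
import re
from pathlib import Path

# Assumption: the Bitwarden CLI is published on npm as @bitwarden/cli.
AFFECTED_PACKAGE = "@bitwarden/cli"
AFFECTED_VERSION = "2026.4.0"   # version named in the advisory
MALICIOUS_FILE = "bw1.js"       # injected file named in the advisory
C2_HOST = "audit.checkmarx.cx"  # the advisory defangs this as audit.checkmarx[.]cx
C2_RE = re.compile(r"\b" + re.escape(C2_HOST) + r"\b")

def affected_lock_entries(lock_json: str) -> list:
    """Lockfile entries pinning the compromised version.
    Covers npm lockfileVersion 2/3 ('packages') and v1 ('dependencies')."""
    data = json.loads(lock_json)
    hits = []
    for path, meta in data.get("packages", {}).items():
        if path.endswith("node_modules/" + AFFECTED_PACKAGE) and meta.get("version") == AFFECTED_VERSION:
            hits.append(path)
    for name, meta in data.get("dependencies", {}).items():
        if name == AFFECTED_PACKAGE and meta.get("version") == AFFECTED_VERSION:
            hits.append(name)
    return hits

def find_malicious_files(root: Path) -> list:
    """Walk a node_modules tree (or global npm prefix) for the injected file name."""
    return sorted(str(p) for p in root.rglob(MALICIOUS_FILE))

def c2_log_lines(log_lines) -> list:
    """Proxy/DNS log lines that reference the C2 host (advisory step 4)."""
    return [line for line in log_lines if C2_RE.search(line)]

# Constructed sample inputs, not artifacts recovered from the incident.
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "node_modules/@bitwarden/cli": {"version": "2026.4.0"},
    "node_modules/left-pad": {"version": "1.3.0"},
}})
SAMPLE_LOG = [
    "proxy CONNECT audit.checkmarx.cx:443 src=10.0.0.7",
    "proxy CONNECT registry.npmjs.org:443 src=10.0.0.7",
    "dns query A audit.checkmarx.cx from 10.0.0.9",
]

if __name__ == "__main__":
    print("lockfile hits:", affected_lock_entries(SAMPLE_LOCK))
    print("injected files:", find_malicious_files(Path("node_modules")))
    print("C2 log lines:", c2_log_lines(SAMPLE_LOG))
```

Point find_malicious_files at each project's node_modules and the global npm prefix, and feed c2_log_lines the egress logs covering the window in which the package was available.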
This incident highlights the vulnerabilities present in CI/CD pipelines and the importance of securing development environments against supply chain attacks. Organizations must adopt a proactive security posture to safeguard sensitive data.