Bitwarden CLI Compromised in Broader Checkmarx Supply Chain Campaign

Executive Summary

Security researchers from Socket have discovered that version 2026.4.0 of Bitwarden CLI has been compromised through a poisoned GitHub Actions workflow. This incident is part of the broader Checkmarx supply chain campaign and specifically impacts the npm distribution used by developers and automated build environments. The malicious payload executes credential-harvesting routines targeting cloud service providers, SSH keys, and GitHub personal access tokens. Organizations using the affected CLI tool must immediately rotate all secrets and audit their GitHub accounts and organizations for unauthorized staging repositories.

Technical Analysis

The malicious code resides within bw1.js and utilizes the Bun v1.3.13 interpreter to execute a secondary Python memory-scraping script targeting the GitHub Actions Runner Worker. This script extracts sensitive credentials from environment variables and configuration files for AWS, Azure, GCP, and the npm registry. Exfiltration occurs through a C2 endpoint at audit.checkmarx[.]cx/v1/telemetry and the creation of rogue public GitHub repositories using encrypted commits with markers such as “LongLiveTheResistanceAgainstMachines.”

The malware implements a thematic branding strategy, identifying compromised data stores with names like “Shai-Hulud” and including an ideological manifesto within the payload. To ensure persistence, the script injects its execution string into the victim’s ~/.bashrc and ~/.zshrc shell profiles. A hardcoded lock file located at /tmp/tmp.987654321.lock prevents concurrent instances from running on a single host. The malware also features a geographic kill switch that halts execution if the system locale is set to Russian.

This sophisticated orchestration suggests a highly motivated operator leveraging shared TeamPCP infrastructure to conduct large-scale identity and secret harvesting. These operational signatures indicate an evolution in the campaign’s public posture toward more explicit ideological branding.

Indicators of Compromise

Socket has provided the indicators of compromise, which can be found below:

Malicious Package

  • @bitwarden/cli version 2026[.]4.0

Network Indicators

  • 94[.]154[.]172[.]43
  • https[:]//audit.checkmarx[.]cx/v1/telemetry

File System Indicators (Victim Package Compromise)

  • /tmp/tmp.987654321[.]lock
  • /tmp/_tmp_<Unix Epoch Timestamp>/
  • package-updated[.]tgz
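The indicators above, together with the persistence mechanism described in the Technical Analysis (shell profile injection, the hardcoded lock file, the timestamped /tmp directory), lend themselves to a host-side sweep. The script below is an added example, not tooling from Socket or Bitwarden: the indicator values are taken from this page, while the shapes of the inputs it inspects (package-lock.json, shell profile text, proxy log lines) and the sample data are assumed and constructed for illustration.

```python
"""Host-side sweep for the IoCs published in this brief.

Added example, not Socket's or Bitwarden's tooling. Indicator values come
from the page; the input formats and sample data below are constructed.
"""
import json
import os
import re
import tempfile
from pathlib import Path

# Indicators from the brief, re-fanged so they can be matched literally.
C2_HOST = "audit.checkmarx.cx"
C2_IP = "94.154.172.43"
LOCK_FILE = "/tmp/tmp.987654321.lock"
AFFECTED_PACKAGE = "@bitwarden/cli"
AFFECTED_VERSION = "2026.4.0"
STAGING_TGZ = "package-updated.tgz"
# /tmp/_tmp_<Unix Epoch Timestamp>/ ; 10 digits for seconds, 13 for milliseconds (assumption).
TMP_DIR_RE = re.compile(r"^_tmp_\d{10,13}$")
# Strings worth flagging if they appear in ~/.bashrc or ~/.zshrc.
PROFILE_MARKERS = ("bw1.js", C2_HOST, LOCK_FILE, "LongLiveTheResistanceAgainstMachines")


def scan_shell_profile(text: str) -> list[str]:
    """Return the lines of a shell profile that contain any known marker."""
    return [line for line in text.splitlines() if any(m in line for m in PROFILE_MARKERS)]


def affected_in_lockfile(lockfile_json: str) -> bool:
    """True if a package-lock.json pins @bitwarden/cli at the compromised version."""
    data = json.loads(lockfile_json)
    # lockfileVersion 2/3: 'packages' is keyed by node_modules path.
    for path, meta in data.get("packages", {}).items():
        if path.endswith("node_modules/" + AFFECTED_PACKAGE) and meta.get("version") == AFFECTED_VERSION:
            return True
    # lockfileVersion 1: flat 'dependencies' map keyed by package name.
    dep = data.get("dependencies", {}).get(AFFECTED_PACKAGE)
    return dep is not None and dep.get("version") == AFFECTED_VERSION


def scan_tmp(tmp_root: str) -> list[str]:
    """Return file system indicators present under tmp_root (normally /tmp)."""
    root = Path(tmp_root)
    hits = []
    if (root / Path(LOCK_FILE).name).exists():
        hits.append(str(root / Path(LOCK_FILE).name))
    for entry in root.iterdir():
        if entry.is_dir() and TMP_DIR_RE.match(entry.name):
            hits.append(str(entry))
        elif entry.name == STAGING_TGZ:
            hits.append(str(entry))
    return sorted(hits)


def scan_network_log(lines) -> list[str]:
    """Return log lines that reference the C2 host or IP."""
    return [line for line in lines if C2_HOST in line or C2_IP in line]


# Constructed samples (not real victim data).
SAMPLE_PROFILE = (
    "export PATH=$HOME/bin:$PATH\n"
    "nohup bun ./bw1.js >/dev/null 2>&1 &   # constructed line carrying a marker\n"
    "alias ll='ls -la'\n"
)
SAMPLE_LOCK_V3 = json.dumps({
    "lockfileVersion": 3,
    "packages": {"": {"name": "demo"}, "node_modules/@bitwarden/cli": {"version": "2026.4.0"}},
})
SAMPLE_LOCK_V1 = json.dumps({
    "lockfileVersion": 1,
    "dependencies": {"@bitwarden/cli": {"version": "2026.3.0"}},
})
SAMPLE_LOG = [
    "10.0.0.5 GET https://registry.npmjs.org/@bitwarden%2fcli 200",
    "10.0.0.5 POST https://audit.checkmarx.cx/v1/telemetry 200",
    "10.0.0.7 CONNECT 94.154.172.43:443 200",
]


def run_demo() -> dict:
    """Run every check over the constructed samples and a scratch tmp directory."""
    with tempfile.TemporaryDirectory() as scratch:
        Path(scratch, Path(LOCK_FILE).name).touch()
        Path(scratch, "_tmp_1712345678").mkdir()
        Path(scratch, "unrelated").mkdir()
        tmp_hits = [os.path.basename(h) for h in scan_tmp(scratch)]
    return {
        "profile": scan_shell_profile(SAMPLE_PROFILE),
        "lockfile_v3": affected_in_lockfile(SAMPLE_LOCK_V3),
        "lockfile_v1": affected_in_lockfile(SAMPLE_LOCK_V1),
        "tmp_hits": tmp_hits,
        "network": scan_network_log(SAMPLE_LOG),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

On a real host, point scan_tmp at /tmp, feed scan_shell_profile the contents of each user's ~/.bashrc and ~/.zshrc, and run affected_in_lockfile over every package-lock.json in CI checkouts; any hit is a reason to treat the host's secrets as exposed and rotate them, as the summary advises.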
