Bitwarden CLI Trojanized: TeamPCP's 'Shai-Hulud' Worm Steals Developer Secrets in NPM Supply Chain Attack

Critical Supply Chain Breach: Bitwarden CLI Hijacked via Compromised GitHub Actions

Bitwarden CLI, the command-line interface for the password manager Bitwarden, has reportedly been compromised as part of a newly discovered and ongoing Checkmarx supply chain campaign, according to security research from JFrog and Socket published on April 23, 2026. This incident represents a watershed moment for supply chain security: this is the first known compromise of a package using npm's trusted publishing mechanism, which was designed to eliminate long-lived tokens.

The attack demonstrates how threat actors are evolving their tactics to exploit even the most sophisticated security mechanisms. Bitwarden's security team identified and contained a malicious package that was briefly distributed through the npm delivery path for @bitwarden/cli@2026.4.0 between 5:57 PM and 7:30 PM (ET) on April 22, 2026. During that 93-minute exposure window, the malicious package was available to over 70,000 weekly npm downloads and more than 250,000 monthly downloads of the CLI.

The Attack Vector: GitHub Actions Compromise and OIDC Token Abuse

The attack appears to have leveraged a compromised GitHub Action in Bitwarden's CI/CD pipeline, consistent with the pattern seen across other affected repositories in this campaign. The methodology reveals sophisticated understanding of modern CI/CD security assumptions.

Modern npm publishing often uses \"trusted publishing\" (OpenID Connect from CI to npm): a GitHub Actions workflow allowed by @bitwarden's npm org can obtain a short-lived token to npm publish as @bitwarden/cli without storing a long-lived API key in a repo secret for every run. If an attacker can trigger a publish with a malicious artifact, or steal and reuse CI-bound credentials, the npm version can still show the right scope and maintainer signals until someone diffs the artifact.

This attack chain bypassed the theoretical security improvements of OIDC-based trusted publishing by compromising the GitHub Actions workflow itself. On a non-main linear ref, publish-cli.yml was edited five times in a row so a prebuilt scripts/cli-2026.4.0.tgz could reach npm with id-token: write (OIDC), indicating the attackers had repository write access.

Malicious Payload: The 'Shai-Hulud' Worm Returns

The Shai-Hulud worm is back on NPM, this time targeting the @bitwarden/cli package. It extracts keys, credentials, and cloud configurations, then uploads them encrypted to public GitHub repositories. The string \"Shai-Hulud: The Third Coming\" is embedded in the bitwarden/cli package, indicating this is likely the next phase of the Shai-Hulud saga.

The malicious payload, embedded in a file called bw1.js, ran during package installation and harvested GitHub and npm tokens, SSH keys, environment variables, shell history, and cloud credentials. The technical sophistication is notable: the trojanized Bitwarden CLI version 2026.4.0 contained a custom loader called bw_setup.js that checks if the bun package manager is installed and then uses it to execute bw1.js. If bun doesn't exist, it is downloaded and installed from GitHub.

Data exfiltration occurred through multiple channels. According to JFrog, the stolen data was exfiltrated to attacker-controlled domains and committed back to GitHub repositories as a persistence mechanism. More concerning, GitHub is being used as a remote C2 server for data exfiltration, proving to be an effective technique for threat actors, as traffic to github.com is typically not flagged by security tools and cannot be traced back to a domain belonging to the threat actor. The threat actors are now using asymmetric encryption to conceal exfiltrated data, ensuring only they can decode it once uploaded to GitHub.

Threat Actor Attribution: TeamPCP's Escalating Campaign

The attack appears to be related to the recent supply chain compromise that impacted the Docker images and VS Code extensions of the KICS infrastructure-as-code vulnerability scanner from security firm Checkmarx. The group alleged to be involved, TeamPCP, has been responsible for a wave of supply chain attacks that have impacted open-source projects in recent months, including the Trivy security scanner.

TeamPCP has chained similar attacks against Trivy, Checkmarx, and LiteLLM since March 2026, targeting developer tools that sit deep in build pipelines. This represents a deliberate strategy to compromise upstream tools that organizations embed deeply into their CI/CD processes.

The malware contains geolocation-based behavior: the malware's origin is potentially Russian — it does not execute if the Russian language is configured on the host machine, suggesting regional awareness or operational security measures by the threat actor.

Crypto Wallet Targeting and Extended Threat Scope

The incident has particular significance for cryptocurrency and fintech organizations. TeamPCP's broader campaign is separately confirmed to target crypto wallet data, including MetaMask, Phantom, and Solana wallet files. Many crypto teams use the Bitwarden CLI in automated CI/CD pipelines for secrets injection and deployments, creating a direct path from compromised build infrastructure to stolen cryptocurrency assets.

OX Security has observed real user information leaked by the malware. The infection is likely to spread further across NPM and GitHub as more machines are compromised over time.

Impact Assessment and Scope of Exposure

Bitwarden confirmed the incident and said it stemmed from the compromise of its npm distribution mechanism following the Checkmarx supply chain attack, but emphasized that no end-user data was accessed as part of the attack. The investigation found no evidence that end user vault data was accessed or at risk, or that production data or production systems were compromised.

However, the damage extends beyond Bitwarden's systems. Organizations that installed the malicious Bitwarden npm package should treat this incident as a credential exposure and CI/CD compromise event. Immediately remove the affected package from developer systems and build environments. Rotate any credentials that may have been exposed to those environments, including GitHub tokens, npm tokens, cloud credentials, SSH keys, and CI/CD secrets.

Anyone using @bitwarden/cli from NPM without a pinned version who installed it in the last 24 hours is affected. @bitwarden/cli has over 70k weekly downloads, and over 250k monthly downloads.

Incident Response and Detection Timeline

The response timeline highlights both the speed of modern supply chain attacks and detection capabilities. The malicious version 2026.4.0 of the npm package @bitwarden/cli was available on npm for roughly 1.5 hours, between 5:57 PM and 7:30 PM (ET) on April 22, 2026. Once the issue was detected, compromised access was revoked, the malicious npm release was deprecated, and remediation steps were initiated immediately.

Immediate Actions Required for Affected Organizations

After uninstalling the malicious version, clearing the npm cache, deleting bw1.js and bw_setup.js from the system, researchers recommend: Revoking all GitHub PATs present on affected systems, Rotating npm tokens and invalidating CI publishing tokens, Rotating AWS access keys and reviewing access to SSM and Secrets Manager, Reviewing Azure Key Vault audit logs and rotating affected secrets, Reviewing GCP Secret Manager access logs and rotating affected secrets, Inspecting GitHub Actions workflows and repository artifacts for unauthorized runs or branches.

Review GitHub for unauthorized repository creation, unexpected workflow files under .github/workflows/, suspicious workflow runs, artifact downloads, and public repositories matching the observed Dune-themed staging pattern ({word}-{word}-{3digits}). Check for the following keywords in newly published repositories if you believe you may be impacted: atreides cogitor fedaykin fremen futar gesserit ghola harkonnen heighliner kanly kralizec lasgun laza melange mentat navigator ornithopter phibian powindah prana prescient sandworm sardaukar sayyadina sietch siridar slig stillsuit thumper tleilaxu.

Systemic Implications for Supply Chain Security

This incident exposes fundamental weaknesses in the assumption that OIDC-based trusted publishing eliminates supply chain risk. The compromise of GitHub Actions workflows reveals that threat actors can exploit administrative access to CI/CD systems just as effectively as stolen long-lived tokens.

Shai-Hulud is one of many supply chain attacks occurring in 2026, and this trend shows no signs of slowing as threat actors accumulate more credentials and compromise more developers. Large-scale attacks through the NPM and PyPI registries could be avoided if stronger code review and guardrails were added during the package upload process. Failing to do so will only keep the door open for the next supply chain attack.

Your supply chain is only as strong as the weakest CI/CD credential. And those credentials are surprisingly easy to steal. Organizations should treat this incident as a watershed moment requiring fundamental rethinking of developer infrastructure security, supply chain validation, and the trustworthiness assumptions embedded in modern CI/CD platforms.