Attackers injected malicious code into @bitwarden/cli 2026.4.0 through a compromised GitHub Action in Bitwarden's CI/CD pipeline; the payload harvests credentials and configuration for GitHub, AWS, Azure, GCP, npm, SSH, and Claude/MCP from the machine that installs the package.
Key Takeaways
The malicious payload, bw1.js, shares C2 infrastructure with the earlier Checkmarx mcpAddon.js attack: the same audit.checkmarx[.]cx/v1/telemetry endpoint and the same gzip+base64-embedded Python memory scraper.
Supply chain propagation mechanism: stolen npm tokens are used to enumerate the packages each token can publish, and those packages are republished with an injected preinstall hook; GitHub Actions workflow files are modified so that repository secrets are captured on the next run.
Russian locale kill switch: the payload exits silently when the locale reported by Intl.DateTimeFormat, or any of the LC_ALL, LC_MESSAGES, LANGUAGE, or LANG environment variables, begins with "ru". Locale gates of this kind are a long-standing crimeware convention and are not by themselves evidence of the operators' origin.
Only the npm CLI package is affected; Bitwarden's Chrome extension, MCP server, and other distributions are not compromised as of this report. Whether a host installed the bad release can be checked with `bw --version` or `npm ls -g @bitwarden/cli`; any machine that ran 2026.4.0 should be treated as having had every credential the payload targets exposed.
Hacker News Comment Review
Consensus on defense: pin exact npm dependency versions rather than relying on lockfiles that hold ^ ranges. A lockfile only freezes versions until it is regenerated, and any `npm install` that re-resolves a ^ range can silently write a newer, compromised release into it; min-release-age=7 in .npmrc (requires npm 11.10+) would have blocked all 334 installs of the malicious version.
Distrust of GitHub Actions runs deep: commenters note that even pinning to a specific tag is insufficient if the action's own dependencies are not themselves pinned, making the checkout action's large npm dependency tree an inherent risk surface. One caveat for that argument: a tag is mutable, while a full commit SHA is not and freezes a JavaScript action's committed dist bundle, transitive npm code included; what a SHA pin does not remove is the trust placed in that bundle and in whoever holds write access to the action's repository.
Local-first alternatives surfaced as a response: rbw (a Bitwarden CLI written in Rust) and KeePass were cited as options with significantly smaller or no external dependency trees.
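The workflow pattern the thread converges on, SHA-pinned actions plus a checkout done with plain git, as an added example (not a workflow from Bitwarden or from any commenter). The `@<40-hex-sha>` revision is a placeholder to be replaced with the real commit hash of the release you reviewed; the token-free fetch assumes a public repository.

```yaml
# Added example, not from the thread or from Bitwarden's own CI.
# Replace <40-hex-sha> with the full commit SHA of the action release you audited.
name: ci
on: [push, pull_request]

permissions:
  contents: read          # least privilege: a captured token cannot push or publish

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # Pin by immutable commit SHA, never by a mutable tag; keep the tag in a comment.
      - uses: actions/setup-node@<40-hex-sha>   # vX.Y.Z (placeholder)
        with:
          node-version: 22

      # Manual checkout: no actions/checkout, so none of its dependency tree runs here.
      - name: checkout without a third-party action
        run: |
          git init .
          git remote add origin "https://github.com/${GITHUB_REPOSITORY}.git"
          git fetch --depth=1 origin "${GITHUB_SHA}"
          git checkout --detach FETCH_HEAD

      # --ignore-scripts stops preinstall/postinstall hooks, the injection point
      # described in the report; build steps that rely on such hooks must be run explicitly.
      - run: npm ci --ignore-scripts
```

For a private repository the anonymous fetch fails; pass the job token through `env:` and use `https://x-access-token:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}.git` as the remote, keeping `permissions: contents: read` so that token still cannot write. Note that `--ignore-scripts` also skips legitimate install scripts (native builds, for instance), so packages that need them have to be rebuilt as a separate, reviewed step.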
Notable Comments
@eranation: min-release-age=7 in .npmrc would have protected all 334 affected installs; the malicious version was live for ~19 hours before deprecation.
@latexr: Stopped using GitHub’s checkout action entirely after realizing tagged actions with untagged transitive deps can still be poisoned; now does the checkout manually.
@ef2k: Lockfiles give false confidence when ^ ranges are used – “when the lockfile gets updated, you can pull in newer versions you didn’t explicitly choose.”