
Breaking: Bitwarden CLI Compromised in Checkmarx Supply Chain Attack

Bitwarden CLI compromised in ongoing Checkmarx supply chain campaign. Malicious version steals GitHub tokens, SSH keys, and cloud secrets via preinstall hook.

Breaking News — April 23, 2026

Bitwarden CLI has been compromised as part of the ongoing Checkmarx supply chain campaign, according to new findings from JFrog and Socket.

Key Details

  • Affected version: @bitwarden/cli@2026.4.0
  • Malicious file: bw1.js — included in package contents
  • Attack vector: Compromised GitHub Action in Bitwarden's CI/CD pipeline
  • Data stolen: GitHub/npm tokens, .ssh, .env, shell history, GitHub Actions and cloud secrets

How It Works

The malicious code runs from an npm preinstall hook, so it executes automatically when the package is installed, and it harvests local, CI, GitHub, and cloud secrets. The data is exfiltrated to attacker-controlled domains and by pushing it as GitHub commits.

JFrog confirmed the rogue version steals credentials and exfiltrates them to attacker-controlled domains.

Impact

This is part of a broader Checkmarx supply chain campaign that has affected multiple popular developer tools. The attack leverages compromised CI/CD pipelines to inject malicious code into trusted packages.

Source: The Hacker News / JFrog / Socket