Feed
CriticalPublished 22 Apr 20261 package · 1 version

@bitwarden/cli 2026.4.0 hijacked via Checkmarx GitHub Actions breach

Summary

TeamPCP pushed a malicious @bitwarden/cli@2026.4.0 to npm between 17:57 and 19:30 ET on April 22, exploiting Bitwarden's use of the breached checkmarx/ast-github-action. bw_setup.js fetched Bun 1.3.13 from GitHub and ran a payload that targeted SSH, Git, npm, AWS/GCP/Azure, GitHub Actions secrets, and AI/MCP configs (.claude.json, .kiro/settings/mcp.json), exfiltrating via audit.checkmarx.cx. Live ~90 minutes; Bitwarden confirmed no end-user vault data was accessed.

credential-theftci-cd-compromiseaccount-takeoverobfuscation
Threat actor
TeamPCP
Detected by
JFrog
Also known as
Bitwarden CLI hijack · Checkmarx cascade
Ecosystems
npm
Packages tracked
1

What happened

On April 22, 2026, between 17:57 and 19:30 ET, TeamPCP pushed a malicious @bitwarden/cli@2026.4.0 to npm. The vector was not a direct Bitwarden compromise: it leveraged Bitwarden's use of the breached checkmarx/ast-github-action from the parallel multi-2026-04-22-checkmarx-kics-vsx-docker operation. The Checkmarx GitHub Action ran in Bitwarden's CI with publish-token access, and that's what produced the malicious release.

The entry-point script was bw_setup.js. It fetched Bun 1.3.13 from GitHub Releases and ran an obfuscated payload that targeted a deliberate list of credential surfaces: SSH and Git config, npm and GitHub tokens, AWS / GCP / Azure profiles, GitHub Actions runner secrets, and a notable set of AI/MCP configs.claude.json, .kiro/settings/mcp.json, and similar — reflecting the shifting prize for these operators.

The payload included two telling pieces: a Russian-locale kill switch (skip execution if the host language is ru-RU) and a shell-profile persistence write into ~/.bashrc and ~/.zshrc that re-sources an attacker script on next shell start. Exfiltration ran through audit.checkmarx.cx, the same endpoint as the Checkmarx KICS / Open VSX push.

Live window was about 90 minutes before npm yanked the release. Bitwarden confirmed in their post-incident statement that no end-user vault data was accessed — the malware operated on the CLI host's own developer/CI credentials, not on stored Bitwarden vault content. If you resolved 2026.4.0, run the uninstall + rotation sequence in the recommendations and audit your shell rc files for unexpected sourcing.

Affected packages (1)

  • npm@bitwarden/cli
    2026.4.0

Impact

  • Developer workstation and CI credential theft including AI tool configs
  • GitHub PATs validated and reused to stage exfiltration repos
  • Russian-locale kill switch present in the payload
  • Shell-profile persistence via ~/.bashrc and ~/.zshrc injection

What to do

  1. 1npm uninstall -g @bitwarden/cli; npm cache clean --force; npm config set ignore-scripts true
  2. 2Revoke GitHub PATs, rotate npm/AWS/Azure/GCP credentials, inspect Actions logs
  3. 3Audit ~/.bashrc and ~/.zshrc for unexpected sourcing of attacker scripts
  4. 4Block audit.checkmarx.cx at egress

References

npm-2026-04-22-bitwarden-cli-teampcp