@bitwarden/cli 2026.4.0 hijacked via Checkmarx GitHub Actions breach
TeamPCP pushed a malicious @bitwarden/cli@2026.4.0 to npm between 17:57 and 19:30 ET on April 22, exploiting Bitwarden's use of the breached checkmarx/ast-github-action. bw_setup.js fetched Bun 1.3.13 from GitHub and ran a payload that targeted SSH, Git, npm, AWS/GCP/Azure, GitHub Actions secrets, and AI/MCP configs (.claude.json, .kiro/settings/mcp.json), exfiltrating via audit.checkmarx.cx. Live ~90 minutes; Bitwarden confirmed no end-user vault data was accessed.
- Threat actor
- TeamPCP
- Detected by
- JFrog
- Also known as
- Bitwarden CLI hijack · Checkmarx cascade
- Ecosystems
- npm
- Packages tracked
- 1
What happened
On April 22, 2026, between 17:57 and 19:30 ET, TeamPCP pushed a malicious @bitwarden/cli@2026.4.0 to npm. The vector was not a direct Bitwarden compromise: it leveraged Bitwarden's use of the breached checkmarx/ast-github-action from the parallel multi-2026-04-22-checkmarx-kics-vsx-docker operation. The Checkmarx GitHub Action ran in Bitwarden's CI with publish-token access, and that's what produced the malicious release.
The entry-point script was bw_setup.js. It fetched Bun 1.3.13 from GitHub Releases and ran an obfuscated payload that targeted a deliberate list of credential surfaces: SSH and Git config, npm and GitHub tokens, AWS / GCP / Azure profiles, GitHub Actions runner secrets, and a notable set of AI/MCP configs — .claude.json, .kiro/settings/mcp.json, and similar — reflecting the shifting prize for these operators.
The payload included two telling pieces: a Russian-locale kill switch (skip execution if the host language is ru-RU) and a shell-profile persistence write into ~/.bashrc and ~/.zshrc that re-sources an attacker script on next shell start. Exfiltration ran through audit.checkmarx.cx, the same endpoint as the Checkmarx KICS / Open VSX push.
Live window was about 90 minutes before npm yanked the release. Bitwarden confirmed in their post-incident statement that no end-user vault data was accessed — the malware operated on the CLI host's own developer/CI credentials, not on stored Bitwarden vault content. If you resolved 2026.4.0, run the uninstall + rotation sequence in the recommendations and audit your shell rc files for unexpected sourcing.
Affected packages (1)
- npm
@bitwarden/cli2026.4.0
Impact
- Developer workstation and CI credential theft including AI tool configs
- GitHub PATs validated and reused to stage exfiltration repos
- Russian-locale kill switch present in the payload
- Shell-profile persistence via
~/.bashrcand~/.zshrcinjection
What to do
- 1
npm uninstall -g @bitwarden/cli; npm cache clean --force; npm config set ignore-scripts true - 2Revoke GitHub PATs, rotate npm/AWS/Azure/GCP credentials, inspect Actions logs
- 3Audit
~/.bashrcand~/.zshrcfor unexpected sourcing of attacker scripts - 4Block
audit.checkmarx.cxat egress