

Ethical Hacking News

The Checkmarx Supply Chain Attack: A Malicious npm Distribution Path Exposes Bitwarden Users to Credential Harvester


Checkmarx supply chain attack exposes Bitwarden users to credential harvester malware, highlighting the need for robust security measures in open-source software supply chains.

  • The recent Checkmarx supply chain attack compromised the npm distribution path of Bitwarden, exposing its users to a sophisticated credential harvester and self-propagating supply chain worm.
  • The malicious code was hidden in the bw1.js file and triggered automatically during npm install, requiring no user interaction to execute.
  • The attackers used stolen GitHub tokens to add malicious GitHub Actions workflows that captured secrets during runs, and leveraged stolen npm credentials to publish infected package versions.
  • The malware targeted developer tools and AI coding configs, encrypting stolen data with AES-256-GCM and abusing stolen GitHub tokens to inject malicious workflows and extract CI/CD secrets.
  • The incident exposed Bitwarden users' sensitive data, including SSH keys, cloud credentials, npm tokens, Git configs, .env files, and shell history.



    The recent Checkmarx supply chain attack has had a significant impact on the security of users who rely on the popular open-source password manager Bitwarden. The malicious attack, believed to have originated from a compromised GitHub Action in Bitwarden's CI/CD pipeline, allowed threat actors to exploit the company's npm distribution path.

    According to reports, the affected version of Bitwarden CLI, namely 2026.4.0, contained malicious code hidden in the bw1.js file. This malicious code was triggered automatically during npm install and required no user interaction to execute. The malicious preinstall hook then downloaded the legitimate Bun JavaScript runtime from GitHub to run the next stage.

    The second stage of the attack, a heavily obfuscated 10 MB payload known as bw1.js, revealed a sophisticated credential harvester and self-propagating supply chain worm. Its behavior closely matched previous Shai-Hulud campaigns, even embedding the string "Shai-Hulud: The Third Coming" for its exfiltration repository.

    The attackers used stolen GitHub tokens to add malicious GitHub Actions workflows that captured secrets during runs. They also leveraged stolen npm credentials to publish infected package versions, spreading the malware downstream. The malware targeted developer tools and AI coding configs, encrypting stolen data with AES-256-GCM and abusing stolen GitHub tokens to inject malicious workflows and extract CI/CD secrets.

    The Checkmarx supply chain attack had significant implications for Bitwarden users, as it exposed their sensitive data, including SSH keys, cloud credentials (AWS, GCP, Azure), npm tokens, Git configs, .env files, and shell history. The stolen data was then sent to a primary fake Checkmarx domain, with GitHub commits used as fallback C2.

    The incident highlights the importance of ensuring the integrity of open-source software supply chains. In this case, the compromised GitHub Action in Bitwarden's CI/CD pipeline allowed threat actors to exploit the company's npm distribution path and inject malicious code into the popular password manager.

    In response to the attack, Bitwarden confirmed that the incident was caused by a compromised npm distribution path during the Checkmarx campaign. The malicious @bitwarden/cli@2026.4.0 package was available only briefly on April 22, 2026. The company found no evidence of compromised vault or production data.

    Only users who installed the affected package during this brief window were impacted. Access was revoked, the package removed, and fixes applied to prevent further exploitation.

    The incident has also prompted researchers to release Indicators of Compromise (IOCs) for the campaign, which can be used by security professionals to detect and respond to similar attacks in the future.
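    As an added example (not code from the article, Bitwarden, or the researchers), a small Python check a defender could run over a project's package-lock.json and a package's package.json: it flags the affected @bitwarden/cli version named above and lists the install-time lifecycle scripts through which the article says the payload ran. The sample lockfile and manifest are constructed, and the preinstall command in them is a placeholder.

```python
"""Added example (not from the article): scan an npm project for the compromised
@bitwarden/cli version the article names and for lifecycle scripts npm runs at
install time. The sample lockfile and manifest below are constructed."""
import json

# Package and version the article identifies as the malicious release.
AFFECTED = {"@bitwarden/cli": {"2026.4.0"}}
# Lifecycle scripts npm runs automatically on install (the preinstall hook among them).
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def affected_packages(lockfile_text: str) -> list[str]:
    """Return 'name@version' for each lockfileVersion 2/3 'packages' entry
    (keyed by node_modules path) whose version is on the affected list."""
    lock = json.loads(lockfile_text)
    hits = []
    for path, meta in lock.get("packages", {}).items():
        if not path:
            continue  # "" is the root project itself
        name = path.split("node_modules/")[-1]  # handles nested and scoped paths
        version = meta.get("version", "")
        if version in AFFECTED.get(name, set()):
            hits.append(f"{name}@{version}")
    return hits


def install_hooks(manifest_text: str) -> dict[str, str]:
    """Return the scripts in a package.json that run without user interaction at install."""
    scripts = json.loads(manifest_text).get("scripts", {})
    return {k: v for k, v in scripts.items() if k in INSTALL_HOOKS}


# Constructed sample lockfile: one clean dependency plus the affected CLI version.
SAMPLE_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo"},
        "node_modules/left-pad": {"version": "1.3.0"},
        "node_modules/@bitwarden/cli": {"version": "2026.4.0"},
    },
})
# Constructed sample manifest; the preinstall command is a hypothetical placeholder.
SAMPLE_MANIFEST = json.dumps({
    "name": "@bitwarden/cli",
    "scripts": {"preinstall": "node bw1.js", "build": "tsc"},
})

if __name__ == "__main__":
    print("affected:", affected_packages(SAMPLE_LOCK))
    print("install-time scripts:", install_hooks(SAMPLE_MANIFEST))
```

    Running `npm install --ignore-scripts` in CI keeps such hooks from executing at all, which turns the second function into a review aid rather than a last line of defense.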

    In summary, the Checkmarx supply chain attack exposed Bitwarden users to a sophisticated credential harvester and self-propagating supply chain worm. The malicious attack highlights the importance of ensuring the integrity of open-source software supply chains and has prompted researchers to release IOCs for the campaign.




    Related Information:
  • https://www.ethicalhackingnews.com/articles/The-Checkmarx-Supply-Chain-Attack-A-Malicious-npm-Distribution-Path-Exposes-Bitwarden-Users-to-Credential-Harvester-ehn.shtml

  • https://securityaffairs.com/191215/uncategorized/checkmarx-supply-chain-attack-impacts-bitwarden-npm-distribution-path.html

  • https://thehackernews.com/2026/04/bitwarden-cli-compromised-in-ongoing.html

  • https://www.securityweek.com/bitwarden-npm-package-hit-in-supply-chain-attack/


  • Published: Fri Apr 24 06:04:17 2026 by llama3.2 3B Q4_K_M
