
Bitwarden CLI npm Package Compromised: Credential Theft

Ninety-three minutes. That's all it took for attackers to slip malicious code into Bitwarden's CLI npm package and turn a trusted password tool against developers. Credentials flew out (npm tokens, SSH keys, cloud secrets), and the malware used the stolen npm tokens to push itself into other packages its victims maintained.


Key Takeaways

  • Malicious @bitwarden/cli v2026.4.0 stole developer credentials and self-propagated via stolen npm tokens during a 93-minute window.
  • Linked to the Checkmarx breach by TeamPCP: same malware patterns, same exfil methods.
  • No vault data hit, but devs must rotate all secrets immediately—CI/CD most at risk.
  • npm's trust model is failing; expect a push for signed artifacts and provenance.

1 hour and 33 minutes. That’s all it took for attackers to upload a poisoned @bitwarden/cli package to npm, version 2026.4.0, and start slurping up developers’ most prized secrets.

Look, I’ve been kicking tires in Silicon Valley for two decades now, watching companies promise ‘enterprise-grade security’ while their supply chains leak like sieves. Bitwarden – the open-source password darling everyone’s suddenly using because LastPass imploded – just got a brutal reminder that even the good guys aren’t immune.

And here’s the kicker: this wasn’t some lone script kiddie. No, it’s tied to TeamPCP, the same crew behind the Trivy and LiteLLM attacks, chaining one supply chain compromise into the next like a bad sequel. A compromised GitHub Action in Bitwarden’s CI/CD, itself fallout from the Checkmarx breach, gave them the path to publish to npm.

What the Hell Happened in That 93-Minute Nightmare?

Short version? A malicious preinstall script, which npm runs automatically the moment the package is installed. It checks for the Bun runtime; if it isn’t there, it downloads it. Then it fires up bw1.js, an obfuscated harvester that hoovers up npm tokens, SSH keys, AWS credentials, the works.

It encrypts the haul with AES-256-GCM, then – get this – creates public GitHub repos under your own account and dumps the loot there, so the exfil rides your own GitHub credentials and the dump sits where anyone can find it. The repos carry the tag ‘Shai-Hulud: The Third Coming’, a Dune nod that has been the crew’s graffiti since earlier hits.

“The investigation found no evidence that end user vault data was accessed or at risk, or that production data or production systems were compromised,” Bitwarden shared in a statement.

Sure, Jan. Vaults safe, they say. But devs who grabbed that package? Their machines are toast. Rotate everything – CI/CD creds, cloud keys, GitHub PATs. Now.

But wait, it gets worse: it self-propagates. With your npm token in hand, it enumerates the packages you maintain and pushes infected versions of them too, so one poisoned laptop seeds the next wave. Socket saw it targeting CI/CD environments for maximum spread. JFrog and OX Security piled on with the Checkmarx link: the same telemetry endpoint, the same __decodeScrambled routine seeded with 0x3039.

Is Bitwarden’s ‘Limited Window’ Excuse Buying Time or Bullshit?

Bitwarden swears it was just the npm channel, CLI only, no vault breach. Revoked access, deprecated the package by 7:30 PM ET. Fine. One caveat, though: deprecation attaches a warning, it doesn’t stop an install from fetching the version, so pin away from 2026.4.0 rather than trusting the banner. And let’s cut the PR spin – this reeks of the same complacency that let SolarWinds happen in 2020.

Remember SolarWinds? Nation-states (Russia, they said) hid in updates for months, hitting FireEye, Treasury, you name it. Bitwarden? Mere hours, they claim. But in dev land, hours is eternity. One unlucky npm install during rush hour, and boom – your repo’s a malware factory.

My unique take? This is the canary in the coal mine for npm’s trust model. We’ve got 2 million packages, zero real attestation for most. Who’s making money? Not devs – npm Inc. (GitHub’s cash cow) rakes in while attackers treat it like a free buffet. Prediction: 2027 sees mandatory sigs or it’s game over for public registries.

Here’s the thing. Checkmarx got hit first – their KICS images, Actions, extensions. Bitwarden confirms linkage via a compromised dev tool. Socket: “The connection is at the malware and infrastructure level… same gzip+base64 components.”

TeamPCP isn’t stopping. They’re pros at chaining supply chain fuckups. Trivy (container scanner) and LiteLLM (LLM proxy) were their warm-ups. Now password tools? They’re coming for your entire stack.

Rotate. Audit. Put a proxying registry, with a quarantine delay for freshly published versions, between npm and your builds if you’re paranoid (you should be); a 93-minute window is exactly what such a delay absorbs.

Developers, treat any install of @bitwarden/cli between 5:57 and 7:30 PM ET on April 22, 2026 as owned, and check the version in your lockfile or node_modules rather than trusting your memory of when you ran it. Nuke creds. Scan your GitHub account for ‘Shai-Hulud’ repos you didn’t make.

And Bitwarden? Step up. Open-source cred means nothing if your pipeline’s a joke. I’ve praised you before – free tiers, no data grabs – but this? Fix the damn CI/CD or watch users bolt to 1Password.

Why Does This Supply Chain Attack Keep Happening?

Bluntly? Laziness. Companies bolt third-party GitHub Actions onto their pipelines without MFA on service accounts or separate, least-privilege principals for publishing. Attackers phish one token, or lift it from a compromised Action, and own the pipeline.

npm doesn’t require signatures on publishes: anyone holding the credentials can upload. (Provenance attestations exist, but they’re opt-in and most packages still ship without them.) And the Bun download is a sneaky vector: pulling in a second runtime at install time sidesteps controls that only watch Node.

Historical parallel: the 2018 event-stream npm nightmare. The maintainer handed a package with roughly two million weekly downloads to a stranger, who slipped in a payload that stole cryptocurrency wallet keys from Copay users and sat unnoticed for weeks. Bitwarden woke up fast – good. But the industry’s asleep.

Who’s profiting? Threat actors selling creds on the dark web. GitHub? More repos (even malware ones). You? Cleaning up the mess.

So, yeah. Skeptical vet says: trust but verify. Twice. Your CLI ain’t sacred.



Frequently Asked Questions

What should I do if I installed Bitwarden CLI npm version 2026.4.0?

Assume compromise. Rotate all secrets: npm, GitHub, SSH, AWS/Azure/GCP. Scan systems, check for rogue repos named with ‘Shai-Hulud’.

Is my Bitwarden vault safe after this npm attack?

Bitwarden says yes – no evidence of vault access. Breach was CLI npm only. Still, change master password if paranoid.

How did attackers compromise Bitwarden CLI via Checkmarx?

Linked via shared malware infrastructure and a compromised Checkmarx dev tool in Bitwarden’s pipeline, which gave the attackers a path to its npm publishing. Same TeamPCP actors.

Kenji Nakamura
Written by

Japan-based security correspondent tracking NISC policy, Japanese enterprise breaches, and Asia-Pacific cyber espionage.



Originally reported by Bleeping Computer
