For roughly 90 minutes on the evening of April 22, the official Bitwarden CLI package distributed on npm contained malware. Anyone who ran npm install @bitwarden/cli between 17:57 and 19:30 EST installed a weaponized version capable of harvesting credentials silently while the application appeared to work normally.
The incident is part of an ongoing campaign dubbed “Shai-Hulud,” now in its third wave, targeting widely-used developer tools through automated release pipelines. The vector was a compromised GitHub Action embedded in the project’s release system.
How the Attack Worked
The attackers didn’t build the package from scratch. They took the legitimate previous version (2026.3.0), injected two files (bw_setup.js and bw1.js), and added an install-time hook that executed automatically during npm install, before the application was ever launched. Users saw nothing wrong: the bw command worked exactly as expected.
The loader quietly fetched the Bun runtime from GitHub to execute the main payload, a choice designed to sidestep detection rules tuned for suspicious Node.js processes. Once running, the malware collected GitHub and npm tokens, SSH keys, .env files, shell history, credentials for the major cloud providers (AWS, GCP, Azure), and specifically the configurations of popular AI coding CLIs: Claude Code, Cursor, Kiro, Codex CLI, and Aider. Everything collected was encrypted with AES-256-GCM and sent to an attacker-controlled domain, audit.checkmarx[.]cx, chosen to impersonate the legitimate security firm Checkmarx (whose real domain ends in .com).
If valid GitHub tokens were found, the malware used them to inject malicious workflows into every repository they could reach, turning a single compromised developer into a pivot point for cascading attacks across the supply chain. As a fallback, the code also used GitHub itself for command and control, bypassing domain-level filtering.
Who’s at Risk and What to Do
Bitwarden confirmed that no end-user vault data was touched. The issue is confined to the npm CLI package; the browser extension, the MCP server, and stored credentials are not affected. The malicious package has already been removed from npm.
At risk are developers who installed version 2026.4.0 during that window. Because the hook ran at install time, never having invoked bw does not mean you are safe. Recommended steps: check the installed package for the presence of bw_setup.js and bw1.js; immediately rotate every credential the machine could have exposed (GitHub and npm tokens, cloud credentials, SSH keys, AI tool API keys); and audit your GitHub account for repositories or workflows you did not create. Rotation is the step that matters: uninstalling the package does nothing to revoke secrets that have already been sent out.
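The first of those steps, as an added example that is not from the article, Bitwarden, or the researchers it cites: a POSIX shell function that audits a locally installed @bitwarden/cli for the indicators the write-up names. It assumes the injected files are bw_setup.js and bw1.js and the affected version is 2026.4.0, and it flags any npm install-phase lifecycle script (preinstall, install, postinstall), since the write-up says the payload ran from an install hook without naming which one. The hook command used in the constructed sample directory is illustrative only.

```shell
#!/bin/sh
# Added example (not from the article, Bitwarden, or the researchers cited):
# audits a locally installed @bitwarden/cli for the indicators the write-up
# names. Assumptions: the injected files are bw_setup.js and bw1.js, the
# affected version is 2026.4.0, and the payload was started by an npm
# install-phase lifecycle script (preinstall/install/postinstall); the write-up
# does not say which, so all three are flagged for review.

# Usage: audit_bw_cli [package-dir]
# package-dir defaults to @bitwarden/cli under the global npm root.
# Prints findings; returns 0 when nothing suspicious was found, 1 otherwise.
audit_bw_cli() {
    pkg_dir="${1:-$(npm root -g 2>/dev/null)/@bitwarden/cli}"
    hits=0

    if [ ! -d "$pkg_dir" ]; then
        echo "no @bitwarden/cli installation at $pkg_dir"
        return 0
    fi

    # 1. Injected loader/payload files named in the incident report.
    for f in bw_setup.js bw1.js; do
        if find "$pkg_dir" -name "$f" 2>/dev/null | grep -q .; then
            echo "INDICATOR: $f present under $pkg_dir"
            hits=$((hits + 1))
        fi
    done

    # 2. Installed version; 2026.4.0 is the compromised release.
    version=$(sed -n 's/.*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' \
        "$pkg_dir/package.json" 2>/dev/null | head -n 1)
    echo "installed version: ${version:-unknown}"
    if [ "$version" = "2026.4.0" ]; then
        echo "INDICATOR: 2026.4.0 is the compromised release"
        hits=$((hits + 1))
    fi

    # 3. Install-phase lifecycle scripts. These run during "npm install" whether
    #    or not the bw binary is ever executed. A legitimate package can carry
    #    one (e.g. to build a native addon), so treat this as something to read,
    #    not proof of compromise on its own.
    if grep -Eq '"(preinstall|install|postinstall)"[[:space:]]*:' \
        "$pkg_dir/package.json" 2>/dev/null; then
        echo "REVIEW: install-time lifecycle script(s) in package.json:"
        grep -E '"(preinstall|install|postinstall)"[[:space:]]*:' "$pkg_dir/package.json"
        hits=$((hits + 1))
    fi

    [ "$hits" -eq 0 ]
}

# Builds a harmless, constructed lookalike (empty placeholder files, no real
# payload) so the audit can be exercised offline.
# Usage: make_sample_pkg DIR VERSION SCRIPTS_JSON_BODY
make_sample_pkg() {
    mkdir -p "$1"
    printf '{\n  "name": "@bitwarden/cli",\n  "version": "%s",\n  "scripts": { %s }\n}\n' \
        "$2" "$3" > "$1/package.json"
}

# Stand-alone demo: run with --demo to audit a constructed clean directory and
# a constructed tampered one (the postinstall command is illustrative only).
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp -d)
    make_sample_pkg "$demo/clean" "2026.3.0" '"build": "tsc"'
    make_sample_pkg "$demo/tampered" "2026.4.0" '"postinstall": "node bw_setup.js"'
    : > "$demo/tampered/bw_setup.js"
    : > "$demo/tampered/bw1.js"
    echo "--- clean ---";    audit_bw_cli "$demo/clean"    && echo "result: clean"
    echo "--- tampered ---"; audit_bw_cli "$demo/tampered" || echo "result: indicators found"
    rm -rf "$demo"
fi
```

A clean result from this check only says the package on disk is not the tampered build; it says nothing about what was already exfiltrated, so the rotation step above still applies to anyone who installed during the window. For future installs, npm install --ignore-scripts (or npm config set ignore-scripts true) prevents install-time hooks from running at all, at the cost of breaking packages that legitimately need them.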
A CVE is being issued for version 2026.4.0. According to researcher Adnan Khan, this may be the first documented compromise of a package published through npm’s trusted publishing system.