
HIGH: Bitwarden CLI Hit by Shai-Hulud Third Coming Worm in Checkmarx Supply Chain Cascade

A poisoned build of @bitwarden/cli version 2026.4.0 lived on the npm registry for roughly ninety minutes on April 22, 2026, infecting around 334 developer machines with the third generation of the Shai-Hulud worm. The attack chained off the prior compromise of the checkmarx/ast-github-action GitHub Action, harvested cloud credentials, GitHub and npm tokens, and AI coding tool configs, then self-propagated by injecting malicious workflows into accessible repositories.

By Danny Mercer, CISSP, Lead Security Analyst. Apr 27, 2026.

If your password manager started shipping malware, you would want to know about it. That is roughly what happened on the evening of April 22, 2026, when a poisoned build of @bitwarden/cli landed in the public npm registry and quietly installed credential-stealing code on the machines of every developer who pulled the update during a window of one hour and thirty-three minutes. By the time the dust settled, roughly 334 developers had downloaded version 2026.4.0, the trojan had already started phoning home with their tokens, and the broader security community had a new entry in the Shai-Hulud worm saga to deal with.

The compromised package was live from 5:57 PM to 7:30 PM Eastern Time, a small window that nonetheless caught real developers and real CI pipelines. Bitwarden pulled the build, re-released a clean version as 2026.4.1, and confirmed that no production systems and no end-user vault data were affected. That last point is worth emphasizing because the headlines invite the assumption that vaults were popped. They were not. The breach hit the build pipeline that produces the command-line tool, not the encrypted vaults that hold customer secrets. Even so, the developers who installed the bad version had every credential their workstation could reach raked over by an automated worm, and that is more than enough to ruin a Wednesday.

The technical chain reads like a study in modern supply chain attack design. Bitwarden's CI workflow used checkmarx/ast-github-action, a GitHub Action published by Checkmarx that had itself been compromised in a separate campaign earlier in April. That earlier compromise leaked GitHub tokens belonging to organizations that consumed the action. Threat actors then used the stolen tokens to inject a malicious workflow modification into Bitwarden's repository, which in turn produced and published a tampered npm package. The signing pipeline did not catch it. The package looked legitimate. It carried Bitwarden's name, came from Bitwarden's automation, and slid through the registry with no obvious sign that anything was wrong.

What made the package dangerous was a preinstall hook pointing at a file called bw1.js. That hook fires the moment npm installs the package, before any user code runs and before any sandboxing kicks in. The script is the third confirmed iteration of the Shai-Hulud worm, a strain that researchers have been tracking since late 2025, and the embedded string "Shai-Hulud: The Third Coming" leaves no doubt about lineage. This generation has been refined and bulked up. It rakes in npm tokens, GitHub authentication tokens, SSH keys, AWS, Azure, and Google Cloud credentials, environment variables, shell history files, and the configuration data for every common AI coding assistant including Claude, Cursor, Codex, and Aider. That last category is especially nasty because it gives an attacker a fast path to any private repository the developer was building against and any cloud account those tools had been wired up to.
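
As an added illustration (this is not Bitwarden's code, npm's tooling, or anything from the researchers cited here), the script below walks a node_modules tree and reports every installed package that declares a hook npm runs on its own at install time, which is exactly the mechanism bw1.js rode in on. The sample tree it builds is constructed, and the "node bw1.js" command string is an assumption; the only fact taken from this article is that the preinstall hook pointed at a file named bw1.js.

```python
"""Audit a node_modules tree for packages that declare install-time hooks.

Added example, not Bitwarden's, npm's or any researcher's tooling. It lists
every installed package whose package.json declares a lifecycle script that
npm runs on its own during installation. The sample tree is constructed; the
command string "node bw1.js" is an assumption (the article only names the file).
"""
import json
import tempfile
from pathlib import Path

# Hooks npm runs automatically on `npm install`, before any application code.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def install_hooks(pkg: dict) -> dict:
    """Return the install-time hooks declared in a parsed package.json."""
    scripts = pkg.get("scripts") or {}
    return {hook: scripts[hook] for hook in INSTALL_HOOKS if hook in scripts}


def is_package_root(manifest: Path) -> bool:
    """True if npm consults this package.json: it sits directly under
    node_modules/<name>/ or node_modules/@scope/<name>/, not nested deeper."""
    parent = manifest.parent.parent
    if parent.name == "node_modules":
        return True
    return parent.name.startswith("@") and parent.parent.name == "node_modules"


def package_name(manifest: Path) -> str:
    """Derive the package name from its directory when the manifest lacks one."""
    pkg_dir = manifest.parent
    if pkg_dir.parent.name.startswith("@"):
        return f"{pkg_dir.parent.name}/{pkg_dir.name}"
    return pkg_dir.name


def audit_node_modules(root: Path) -> list[dict]:
    """Report every installed package that would execute code at install time."""
    findings = []
    for manifest in sorted(root.rglob("package.json")):
        if not is_package_root(manifest):
            continue
        try:
            pkg = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: nothing npm would run
        hooks = install_hooks(pkg)
        if hooks:
            findings.append({
                "name": pkg.get("name") or package_name(manifest),
                "version": pkg.get("version", "?"),
                "hooks": hooks,
                "path": str(manifest.parent),
            })
    return findings


def build_sample_tree() -> Path:
    """Write a small constructed node_modules tree and return its path."""
    root = Path(tempfile.mkdtemp()) / "node_modules"
    samples = {
        # Constructed stand-in for the trojaned build; "node bw1.js" is assumed.
        "@bitwarden/cli": {"name": "@bitwarden/cli", "version": "2026.4.0",
                           "scripts": {"preinstall": "node bw1.js", "test": "jest"}},
        # A package with only a test script: nothing runs at install time.
        "harmless-dep": {"name": "harmless-dep", "version": "1.0.0",
                         "scripts": {"test": "node test.js"}},
    }
    for name, pkg in samples.items():
        pkg_dir = root / name
        pkg_dir.mkdir(parents=True)
        (pkg_dir / "package.json").write_text(json.dumps(pkg), encoding="utf-8")
    # A nested manifest npm ignores, to show the root-only filter at work.
    nested = root / "harmless-dep" / "fixtures"
    nested.mkdir()
    (nested / "package.json").write_text(
        json.dumps({"scripts": {"postinstall": "echo nested"}}), encoding="utf-8")
    return root


if __name__ == "__main__":
    for f in audit_node_modules(build_sample_tree()):
        print(f"{f['name']}@{f['version']} runs at install time: {f['hooks']}")
```

Pointed at a real project's node_modules it gives you the short list of packages that deserve a look before you ever let npm run scripts in CI; a password manager CLI that suddenly gains a preinstall hook is exactly the kind of change this surfaces.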

Once the data is collected, the malware encrypts the haul with AES-256-GCM and exfiltrates it to audit.checkmarx[.]cx, with a secondary path that creates public GitHub repositories under the victim's account if the primary channel fails. Repositories created by stolen tokens have appeared as sentinel indicators of compromise and are how many of the affected developers learned they had been hit. The script also rewrites shell RC files to maintain persistence after the package is uninstalled, and it explicitly checks for Russian locale settings and aborts execution if it finds them, a tell that aligns with a small number of suspected actor groups.

The propagation logic is what earns the worm label. Once Shai-Hulud has stolen tokens with write access to other repositories, it programmatically injects the same malicious workflow into those repositories, producing a self-replicating chain that runs as long as developer credentials keep landing in its lap. Researchers at Socket, Endor Labs, and Ox Security have all confirmed the worm behavior, and the connection back to a threat group tracked as TeamPCP fits the pattern seen in the Trivy and LiteLLM compromises last year. The same playbook now has a new flagship victim, and the operators have demonstrated that they can chain one supply chain compromise into another with very little manual effort.

For Bitwarden customers who only use the official desktop apps, mobile apps, and browser extensions, this incident is essentially a non-event. Those clients are distributed through their own channels and do not pull from the npm registry. The CLI is the one place where npm is the delivery mechanism, and even there the affected window was short. The customers who do need to act are the developers and DevOps engineers who installed @bitwarden/cli@2026.4.0 between 5:57 PM and 7:30 PM Eastern on April 22. They should uninstall that version immediately, clear the npm cache, install 2026.4.1, and treat the workstation as compromised until proven otherwise. Rotating npm tokens, GitHub personal access tokens, SSH keys, and any cloud credentials accessible from the affected machine is mandatory rather than optional. Reviewing GitHub audit logs for unauthorized workflow modifications and for unexpected new public repositories owned by user accounts is the fastest way to confirm whether stolen tokens have already been weaponized.

CI runners and ephemeral build agents that pulled the package during the window need the same treatment. The fact that a runner spun down ten minutes after the install does not mean the harvest stopped. Tokens minted to that runner may still be valid, may still have repository write access, and may still be sitting in an attacker-controlled repository waiting to be replayed. Anyone running a build environment that produced packages during that window should consider rebuilding from clean infrastructure with rotated secrets. The cost of doing that is high. The cost of not doing that, given how aggressively this worm propagates, is higher.
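
The first checks in the last two paragraphs are easy to script. The following is an added example, not Bitwarden's published remediation tooling: it finds every place a package-lock.json resolves @bitwarden/cli to 2026.4.0 (both the flat lockfile v2/v3 layout and the nested v1 tree) and tells you whether an install timestamp falls inside the exposure window. The lockfiles are constructed; the window comes from this article, and treating Eastern time on April 22 as EDT (UTC-4) is a calendar fact rather than something the article states.

```python
"""Triage helper for the @bitwarden/cli@2026.4.0 exposure window.

Added example, not Bitwarden's own tooling. Two questions about a developer
machine or CI checkout: does any lockfile resolve to the pulled version, and
does an install timestamp fall inside the window (5:57 PM to 7:30 PM Eastern,
April 22, 2026)? The lockfiles below are constructed. April 22 is in daylight
time, so Eastern is UTC-4 on that date (calendar fact, not from the article).
"""
from datetime import datetime, timedelta, timezone

AFFECTED_NAME = "@bitwarden/cli"
AFFECTED_VERSION = "2026.4.0"
CLEAN_VERSION = "2026.4.1"

EDT = timezone(timedelta(hours=-4))
WINDOW_START = datetime(2026, 4, 22, 17, 57, tzinfo=EDT)
WINDOW_END = datetime(2026, 4, 22, 19, 30, tzinfo=EDT)


def lockfile_hits(lock: dict, name: str = AFFECTED_NAME,
                  version: str = AFFECTED_VERSION) -> list[str]:
    """Return every location in a package-lock.json that resolves `name` to
    `version`. Handles the flat "packages" map of lockfile v2/v3 and the nested
    "dependencies" tree of v1, since both formats are still found in the wild."""
    hits = []
    for path, meta in (lock.get("packages") or {}).items():
        at_name = path == f"node_modules/{name}" or path.endswith(f"/node_modules/{name}")
        if at_name and meta.get("version") == version:
            hits.append(path)

    def walk(deps: dict, prefix: str) -> None:
        for dep_name, meta in deps.items():
            here = f"{prefix}node_modules/{dep_name}"
            if dep_name == name and meta.get("version") == version:
                hits.append(here)
            walk(meta.get("dependencies") or {}, here + "/")

    if "packages" not in lock:  # v1 lockfiles carry only the nested tree
        walk(lock.get("dependencies") or {}, "")
    return sorted(set(hits))


def in_exposure_window(installed_at) -> bool:
    """True if a timezone-aware timestamp (datetime, or an ISO 8601 string with
    an offset such as "2026-04-22T22:30:00+00:00") falls inside the window."""
    if isinstance(installed_at, str):
        installed_at = datetime.fromisoformat(installed_at)
    if installed_at.tzinfo is None:
        raise ValueError("use a timezone-aware timestamp")
    return WINDOW_START <= installed_at <= WINDOW_END


# Constructed lockfiles: a v3 file pinned to the pulled build (once at top
# level, once nested under another dependency) and a v1 file on the clean release.
LOCK_V3_AFFECTED = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "ci-tools", "version": "0.0.1"},
        "node_modules/@bitwarden/cli": {"version": "2026.4.0"},
        "node_modules/release-helper": {"version": "3.1.0"},
        "node_modules/release-helper/node_modules/@bitwarden/cli": {"version": "2026.4.0"},
    },
}
LOCK_V1_CLEAN = {
    "lockfileVersion": 1,
    "dependencies": {
        "@bitwarden/cli": {"version": "2026.4.1", "dependencies": {}},
    },
}

if __name__ == "__main__":
    print("v3 hits:", lockfile_hits(LOCK_V3_AFFECTED))
    print("v1 hits:", lockfile_hits(LOCK_V1_CLEAN))
    # 22:30 UTC on April 22 is 18:30 EDT, inside the window.
    print("in window:", in_exposure_window("2026-04-22T22:30:00+00:00"))
```

On a real machine you would feed it the lockfile of each project checkout and, for the window check, the modification time of the installed package directory or the npm cache entry. A timestamp inside the window is a reason to treat the machine as compromised; a timestamp outside it is not proof the machine is clean, because a lockfile can still resolve to the pulled version and the next `npm ci` would install it again.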

The incident also lands at an awkward moment for the broader npm ecosystem. The Shai-Hulud worm has now hit Trivy, LiteLLM, the Checkmarx GitHub Action, and Bitwarden's CLI in less than six months. Each compromise feeds the next, because credentials stolen from one wave are weaponized in the next. Detection has been improving and the response window keeps shrinking, but the underlying problem is structural. A single GitHub Action used by thousands of organizations is a single point of failure for thousands of build pipelines, and the credentials those pipelines hold are often the most powerful credentials a developer ever creates. Until Action consumers start treating Actions like the privileged code they actually are, with pinned commits, dependency review, and isolation between build stages, every successful compromise of a popular Action is going to spawn a wave of secondary compromises like this one.

There are a few practical hardening steps that came out of the post-mortem and are worth adopting now. Pin GitHub Actions to commit SHAs rather than tags, because tag mutability is exactly what allowed the Checkmarx compromise to propagate silently. Disable npm install scripts in CI by default with --ignore-scripts and only re-enable them for packages you have audited. Use short-lived OIDC tokens between GitHub Actions and cloud providers wherever possible, so that even a stolen workflow secret has a limited blast radius. Inventory which Actions your pipelines consume, who maintains them, and how they are pinned. Most teams cannot answer those questions today, and the attackers know it.
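
Two of those steps can be checked mechanically. The linter below is an added example, not a GitHub, Bitwarden or Checkmarx tool: it reads a workflow file line by line, flags every uses: reference pinned to a tag or branch rather than a 40-character commit SHA, and flags npm install or npm ci steps that run without --ignore-scripts. The workflow it scans is constructed, and the refs in it (@v4, @main, the all-a SHA) are placeholders rather than any project's real tags.

```python
"""Lint a GitHub Actions workflow for unpinned actions and install scripts.

Added example, not tooling from GitHub, Bitwarden or Checkmarx. It works line
by line without a YAML library so it runs anywhere. Two checks:
  1. every `uses:` reference must end in a 40-character commit SHA;
  2. every `npm install` / `npm ci` line must carry `--ignore-scripts`.
The sample workflow is constructed and its refs are placeholders.
"""
import re

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*[\"']?([^\s\"'#]+)")
NPM_INSTALL_RE = re.compile(r"\bnpm\s+(?:ci|install|i)\b")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_workflow(text: str) -> list[dict]:
    """Return findings as dicts with the line number, kind and offending text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m:
            ref = m.group(1)
            # Local actions (./path) and docker:// images have no git ref to pin.
            if ref.startswith("./") or ref.startswith("docker://"):
                continue
            _, _, version = ref.partition("@")
            if not SHA_RE.match(version):
                findings.append({"line": lineno, "kind": "unpinned-action", "ref": ref})
            continue
        # Each command in a `run: |` block normally sits on its own line, so a
        # per-line check covers the usual layouts; a flag moved onto a
        # backslash-continued line would need a fuller parser.
        if NPM_INSTALL_RE.search(line) and "--ignore-scripts" not in line:
            findings.append({"line": lineno, "kind": "install-scripts-enabled",
                             "ref": line.strip()})
    return findings


# Constructed workflow; the tag, branch and SHA values are placeholders.
SAMPLE_WORKFLOW = """\
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa # placeholder SHA
        with:
          node-version: 20
      - uses: checkmarx/ast-github-action@main
      - run: npm ci
      - run: npm ci --ignore-scripts
      - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {f['line']}: {f['kind']}: {f['ref']}")
```

Run it over every file under .github/workflows and fail the build on any finding; that turns the pinning and --ignore-scripts policy from a wiki page into something a pull request cannot quietly undo.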

For MSPs and security service providers, the Bitwarden incident is a perfect anchor for the developer-environment hygiene conversation that has been hard to start with clients who do not consider themselves software companies. Every modern business builds something, even if it is just internal tooling and CI scripts that glue SaaS apps together, and that means every modern business has at least one developer machine and at least one CI pipeline that an attacker can reach through a poisoned package. A focused engagement that audits npm and pip dependencies, reviews GitHub Action pinning, scans for committed secrets, and rotates the high-value tokens that always seem to live in shell config files is a real fixed-fee project that maps to a real risk. Pair it with a managed detection offering for unusual GitHub repository creation activity and you have a recurring service tied to an attack pattern that is not going away. Clients who lived through the Shai-Hulud headlines this week are unusually receptive to that pitch, and the next wave will catch the ones who did not get on the train this round.
