For 93 minutes, installing Bitwarden’s ‘official’ CLI turned laptops into launchpads for hijacking GitHub accounts
On Apr. 22, a malicious model of Bitwarden’s command-line interface appeared on npm underneath the official bundle identify @bitwarden/cli@2026.4.0. For 93 minutes, anybody who pulled the CLI by way of npm acquired a backdoored substitute for the legit device.
Bitwarden detected the compromise, eliminated the bundle, and issued an announcement saying it discovered no proof that attackers accessed end-user vault information or compromised manufacturing programs.
Security analysis agency JFrog analyzed the malicious payload and located it had no particular interest in Bitwarden vaults. It focused GitHub tokens, npm tokens, SSH keys, shell historical past, AWS credentials, GCP credentials, Azure credentials, GitHub Actions secrets and techniques, and AI tooling configuration information.
These are credentials that govern how groups construct, deploy, and attain their infrastructure.
| Targeted secret / information kind | Where it normally lives | Why it issues operationally |
|---|---|---|
| GitHub tokens | Developer laptops, native config, CI environments | Can allow repo entry, workflow abuse, secret itemizing, and lateral motion by way of automation |
| npm tokens | Local config, launch environments | Can be used to publish malicious packages or alter launch flows |
| SSH keys | Developer machines, construct hosts | Can open entry to servers, inside repos, and infrastructure |
| Shell historical past | Local machines | Can reveal pasted secrets and techniques, instructions, inside hostnames, and workflow particulars |
| AWS credentials | Local config information, surroundings variables, CI secrets and techniques | Can expose cloud workloads, storage, and deployment programs |
| GCP credentials | Local config information, surroundings variables, CI secrets and techniques | Can expose cloud initiatives, companies, and automation pipelines |
| Azure credentials | Local config information, surroundings variables, CI secrets and techniques | Can expose cloud infrastructure, identification programs, and deployment paths |
| GitHub Actions secrets and techniques | CI/CD environments | Can give entry to automation, construct outputs, deployments, and downstream secrets and techniques |
| AI tooling / config information | Project directories, native dev environments | Can expose API keys, inside endpoints, mannequin settings, and associated credentials |
Bitwarden serves over 50,000 companies and 10 million customers, and its personal documentation describes the CLI as a “highly effective, fully-featured” strategy to entry and handle the vault, together with in automated workflows that authenticate utilizing surroundings variables.
Bitwarden lists npm as the only and most popular set up methodology for customers already snug with the registry. That mixture of automation use, developer-machine set up, and official npm distribution locations the CLI precisely the place high-value infrastructure secrets and techniques are inclined to stay.
JFrog’s analysis exhibits the malicious bundle rewired each the preinstall hook and the bw binary entrypoint to a loader that fetched the Bun runtime and launched an obfuscated payload. The compromise is fired at set up time and at runtime.
An group might run the backdoored CLI with out touching any saved passwords whereas the malware systematically collected the credentials governing its CI pipelines, cloud accounts, and deployment automation.
Security agency Socket says the attack seems to have exploited a compromised GitHub Action in Bitwarden’s CI/CD pipeline, in keeping with a sample Checkmarx researchers have been monitoring.
Bitwarden confirmed that the incident is related to the broader Checkmarx provide chain marketing campaign.
The belief bottleneck
Npm constructed its trusted publishing mannequin to deal with precisely this class of danger.
By changing long-lived npm publish tokens with OIDC-based CI/CD authentication, the system removes one of the vital frequent paths attackers use to hijack registry releases, and npm recommends trusted publishing and treats it as a significant step ahead.
The more durable floor is the discharge logic itself, such because the workflows and actions that invoke the publish step. Npm’s personal documentation recommends controls past OIDC, akin to deployment environments with guide approval necessities, tag safety guidelines, and department restrictions.
| Layer within the belief chain | What it’s supposed to ensure | What can nonetheless go incorrect |
|---|---|---|
| Source repository | The meant codebase exists within the anticipated repo | Attackers could by no means want to change the principle codebase instantly |
| CI/CD workflow | Automates construct and launch from the repo | If compromised, it might produce and publish a malicious artifact |
| GitHub Actions / launch logic | Executes the steps that construct and publish software program | A poisoned motion or abused workflow can flip a legit launch path malicious |
| OIDC trusted publishing | Replaces long-lived registry tokens with short-lived identity-based auth | It proves a certified workflow printed the bundle, not that the workflow itself was protected |
| npm official bundle route | Distributes software program underneath the anticipated bundle identify | Users should still obtain malware if the official publish path is compromised |
| Developer machine / CI runner | Consumes the official bundle | Install-time or runtime malware can harvest native, cloud, and automation secrets and techniques |
GitHub’s surroundings settings let organizations require reviewers’ sign-off earlier than a workflow can deploy. The SLSA framework goes additional by asking customers to confirm that provenance matches anticipated parameters, akin to the right repository, department, tag, workflow, and construct configuration.
The Bitwarden incident exhibits that the more durable drawback sits on the workflow layer. If an attacker can exploit the discharge workflow itself, the “official” badge nonetheless accompanies the malicious bundle.
Trusted publishing strikes the belief burden upward to the integrity of the workflows and actions that invoke it, a layer that organizations have largely left unexamined.
One token to many doorways
For developer and infrastructure groups, a compromised launch workflow exposes CI pipelines, automation infrastructure, and the credentials that govern them.
JFrog’s evaluation exhibits that after the malware obtained a GitHub token, it might validate the token, enumerate writable repositories, checklist GitHub Actions secrets and techniques, create a department, commit a workflow, wait for it to execute, obtain the ensuing artifacts, after which clear up.
Obtaining the token creates an automatic chain that transforms a single stolen credential into persistent entry throughout a corporation’s automation infrastructure.
A developer’s laptop computer that installs a poisoned official bundle turns into a bridge from the host’s native credential retailer to GitHub entry to no matter that GitHub token can attain.
The Bybit incident is a close structural analogy. A compromised developer workstation let attackers poison a trusted upstream interface, which then reached the sufferer’s operational course of.
The distinction is that Bybit concerned a tampered Safe web UI, whereas Bitwarden concerned a tampered official npm bundle.
In crypto, fintech, or custody environments, that path can run from a credential retailer to launch signers, cloud entry, and deployment programs with out ever touching a vault entry.
Within 60 days, Checkmarx disclosed compromised GitHub Actions workflows and OpenVSX plugins, whereas the Cloud Security Alliance warned that the TeamPCP marketing campaign was actively compromising open-source initiatives and CI/CD automation elements.
JFrog documented how a compromised Trivy GitHub Action exfiltrated LiteLLM’s publish token and enabled malicious PyPI releases, and Axios disclosed that two malicious npm versions circulated for roughly three hours by way of a compromised maintainer account.
Sonatype counted over 454,600 new malicious packages in 2025 alone, bringing the cumulative whole to greater than 1.2 million. Bitwarden joins a sequence of incidents that confirms launch workflows and bundle registries as the first assault floor.
| (*93*) / interval | Incident | Compromised belief level | Why it issues |
|---|---|---|---|
| Mar. 23, 2026 | Checkmarx disclosed compromised GitHub Actions workflows and OpenVSX plugins | GitHub Actions workflows, developer tooling distribution | Shows attackers concentrating on upstream automation and trusted tooling channels |
| Within the identical marketing campaign window | Trivy / LiteLLM chain documented by JFrog | Compromised GitHub Action resulting in token theft and malicious PyPI releases | Demonstrates how one poisoned automation part can cascade into bundle publication abuse |
| Mar. 31, 2026 | Axios malicious npm variations | Compromised maintainer account | Shows official bundle names can turn into assault vectors by way of account-level compromise |
| Apr. 22, 2026 | Bitwarden CLI malicious npm launch | Official npm distribution path for a safety device | Shows a trusted bundle can expose infrastructure secrets and techniques with out touching vault contents |
| 2025 whole | Sonatype malware depend | Open-source bundle ecosystem broadly | Indicates the dimensions of malicious-package exercise and why registry belief is now a strategic danger |
The exact root trigger just isn’t but public, as Bitwarden has confirmed a connection to the Checkmarx marketing campaign however has not printed an in depth breakdown of how the attacker obtained entry to the discharge pipeline.
The outcomes of the assault
The strongest final result for defenders is that this incident accelerates a redefinition of what “official” means.
Today, trusted publishing attaches provenance information to every launched bundle, thereby confirming the writer’s identification within the registry. SLSA explicitly paperwork the next commonplace for verifiers to examine if provenance matches the anticipated repository, department, workflow, and construct parameters.
If that commonplace turns into default shopper habits, “official” begins to imply “constructed by the proper workflow underneath the proper constraints,” and an attacker who compromises an motion however can’t fulfill each provenance constraint produces a bundle that automated customers reject earlier than it lands.
The extra believable near-term path runs in the wrong way. Attackers have demonstrated throughout at the least 4 incidents in 60 days that launch workflows, motion dependencies, and maintainer-adjacent credentials yields high-value outcomes with comparatively low friction.
Each successive incident provides one other documented approach to a public playbook of motion compromise, token theft from CI output, maintainer account hijack, and trusted-publish-path abuse.
Unless provenance verification turns into the default shopper habits moderately than an non-compulsory coverage layer, official bundle names will command extra belief than their launch processes can justify.
The publish For 93 minutes, installing Bitwarden’s ‘official’ CLI turned laptops into launchpads for hijacking GitHub accounts appeared first on CryptoSlate.
