Attackers abused GitHub Actions workflow to compromise Bitwarden CLI npm package
- Bitwarden said attackers briefly distributed a malicious `@bitwarden/cli@2026.4.0` package through npm on April 22 after abusing its release workflow, turning the official command-line tool into a credential stealer.
- Researchers said the rogue release was live for 93 minutes, from 5:57 p.m. to 7:30 p.m. Eastern, and used npm Trusted Publishing to push malware through Bitwarden’s real package channel.
- The incident extends a wider software supply-chain campaign targeting GitHub Actions and developer secrets, not Bitwarden vault data. (securityweek.com)
A password manager’s command-line tool was backdoored on npm after attackers abused Bitwarden’s own release workflow on April 22. (community.bitwarden.com) (securityweek.com)

Bitwarden said the malicious package was `@bitwarden/cli@2026.4.0`, and it was available between 5:57 p.m. and 7:30 p.m. Eastern Time. The company said users who did not download from npm during that window were not affected. (community.bitwarden.com)

The command-line interface, or CLI, is the text-only version of Bitwarden that developers use in scripts, servers, and continuous integration pipelines. That makes it a high-value target because it often runs where deployment keys, cloud tokens, and environment secrets already live. (bitwarden.com) (bleepingcomputer.com)

StepSecurity said a Bitwarden engineer’s GitHub account was compromised, then attackers created a branch in the `bitwarden/clients` repository and rewrote `publish-cli.yml`. The altered workflow exchanged a GitHub Actions OpenID Connect token for an npm token and published a staged malicious tarball directly to npm. (stepsecurity.io)

That detail matters because OpenID Connect, or OIDC, is supposed to reduce risk by replacing long-lived secrets with short-lived identity tokens. StepSecurity said this was the first confirmed case it had analyzed where npm Trusted Publishing itself was used to ship a compromised package. (stepsecurity.io)

JFrog said the package kept Bitwarden’s normal branding but changed the install path so npm ran `bw_setup.js` instead of the legitimate bundled client. That loader fetched the Bun JavaScript runtime and then launched an obfuscated payload. (research.jfrog.com)

Researchers said the malware searched for GitHub and npm tokens, Secure Shell keys, shell history, Amazon Web Services, Google Cloud Platform, and Microsoft Azure secrets, plus GitHub Actions data. StepSecurity and JFrog both said it also targeted configuration files from coding assistants including Claude, Cursor, Kiro, Codex CLI, and Aider. (stepsecurity.io) (research.jfrog.com)

JFrog said stolen data was sent to a domain impersonating Checkmarx, `audit.checkmarx.cx`, and could fall back to GitHub-based exfiltration if the primary path failed. StepSecurity said GitHub tokens found on infected machines could then be used to inject malicious workflows into other repositories and steal more continuous integration secrets. (research.jfrog.com) (stepsecurity.io)

Bitwarden said its investigation found no evidence that end-user vault data, production data, or production systems were accessed or put at risk. The company told affected users to treat systems that installed the npm package during the exposure window as compromised. (community.bitwarden.com) (cybernews.com)

SecurityWeek, The Hacker News, and other researchers tied the Bitwarden incident to the broader Checkmarx supply-chain campaign, which has been linked by some firms to TeamPCP and “Shai-Hulud” themed malware. JFrog said the payload used Dune-themed names including “Shai-Hulud: The Third Coming,” while noting that the overlap in naming does not by itself prove attribution. (securityweek.com) (thehackernews.com) (research.jfrog.com)

The episode shows how a software package can stay authentic on the surface while the build pipeline that ships it has been altered underneath. In this case, the official Bitwarden name, the official npm package, and the official release path were enough to carry a credential stealer for 93 minutes. (stepsecurity.io) (community.bitwarden.com)
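The two indicators described above, the withdrawn version string and an install path that hands control to `bw_setup.js`, are things a defender can check for on any machine that pulls from npm. The following Python script is an added example, not code from Bitwarden, StepSecurity or JFrog. It inspects a `package.json` for the affected version and for any lifecycle script or `bin` entry referencing the loader, walks a `node_modules` tree to report matches, and tests whether an install timestamp falls inside the 5:57 p.m. to 7:30 p.m. Eastern window. The sample manifests are constructed (the clean version number and the `bin` path are placeholders), and two details are assumptions: the year is 2026, matching the version string, and Eastern time on that date is daylight time (UTC-4).

```python
"""Triage helper for the @bitwarden/cli@2026.4.0 npm incident (added example)."""
from __future__ import annotations

import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from pathlib import Path

AFFECTED_NAME = "@bitwarden/cli"
AFFECTED_VERSION = "2026.4.0"        # version named in Bitwarden's advisory
LOADER_NAME = "bw_setup.js"          # loader JFrog reported npm was made to run
LIFECYCLE_SCRIPTS = ("preinstall", "install", "postinstall", "prepare")

# Exposure window: 5:57 p.m. to 7:30 p.m. Eastern on April 22.
# Assumptions: year 2026 (from the version string) and EDT, i.e. UTC-4.
_EDT = timezone(timedelta(hours=-4))
WINDOW_START = datetime(2026, 4, 22, 17, 57, tzinfo=_EDT)
WINDOW_END = datetime(2026, 4, 22, 19, 30, tzinfo=_EDT)


@dataclass
class Finding:
    package: str
    version: str
    reasons: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def inspect_manifest(manifest: dict) -> Finding:
    """Flag a parsed package.json that matches the reported indicators."""
    name = manifest.get("name", "")
    version = manifest.get("version", "")
    finding = Finding(name, version)
    if name == AFFECTED_NAME and version == AFFECTED_VERSION:
        finding.reasons.append(f"version {version} is the withdrawn release")
    # The loader could be wired in through an install hook or a bin entry;
    # checking both is an assumption about where the swap might appear.
    scripts = manifest.get("scripts") or {}
    for hook in LIFECYCLE_SCRIPTS:
        cmd = scripts.get(hook)
        if cmd and LOADER_NAME in cmd:
            finding.reasons.append(f"{hook} script runs {LOADER_NAME}: {cmd!r}")
    bins = manifest.get("bin") or {}
    if isinstance(bins, str):
        bins = {name: bins}
    for alias, target in bins.items():
        if LOADER_NAME in target:
            finding.reasons.append(f"bin {alias!r} points at {target!r}")
    return finding


def scan_tree(root: Path) -> list[Finding]:
    """Walk a node_modules tree and return every suspicious manifest."""
    results: list[Finding] = []
    for manifest_path in root.rglob("package.json"):
        try:
            data = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or non-JSON file, skip it
        finding = inspect_manifest(data)
        if finding.suspicious:
            results.append(finding)
    return results


def installed_in_window(installed_at_iso: str) -> bool:
    """True if a timezone-aware ISO 8601 timestamp falls in the exposure window."""
    installed_at = datetime.fromisoformat(installed_at_iso)
    if installed_at.tzinfo is None:
        raise ValueError("timestamp must carry a UTC offset")
    return WINDOW_START <= installed_at <= WINDOW_END


# Constructed sample manifests: illustrative only, not copies of real packages.
CLEAN_MANIFEST = json.loads("""
{"name": "@bitwarden/cli", "version": "2026.3.0",
 "bin": {"bw": "./build/bw.js"}, "scripts": {"test": "jest"}}
""")
TAMPERED_MANIFEST = json.loads("""
{"name": "@bitwarden/cli", "version": "2026.4.0",
 "bin": {"bw": "./build/bw.js"},
 "scripts": {"postinstall": "node bw_setup.js"}}
""")

if __name__ == "__main__":
    for manifest in (CLEAN_MANIFEST, TAMPERED_MANIFEST):
        f = inspect_manifest(manifest)
        print(f"{f.package}@{f.version}: {'SUSPICIOUS' if f.suspicious else 'ok'}")
        for reason in f.reasons:
            print("  -", reason)
    print("18:30 EDT in window:", installed_in_window("2026-04-22T18:30:00-04:00"))
    print("findings under ./node_modules:", len(scan_tree(Path("node_modules"))))
```

Run it from a project directory to scan its `node_modules`; for CI agents, pair the manifest check with the install timestamp so that only hosts that actually fetched the package inside the window are escalated for credential rotation.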