6 min read | critical

Bitwarden CLI Compromised in Ongoing Checkmarx Supply Chain Campaign

The Bitwarden CLI npm package was compromised in a supply chain attack linked to the ongoing Checkmarx campaign. The malicious payload, injected via GitHub Actions, harvests extensive cloud and developer credentials, exfiltrating them through unauthorized GitHub repositories and a dedicated C2 server while employing a Russian locale kill switch and shell profile persistence.

Sens: Immediate | Conf: high | Analyzed: 2026-04-24

Authors: Socket

Actors: Checkmarx supply chain campaign, TeamPCP

Source: Socket


Key Takeaways

  • The Bitwarden CLI npm package (@bitwarden/cli@2026.4.0) was compromised via a malicious file named bw1.js shipped inside the published package.
  • The attack is part of the broader Checkmarx supply chain campaign, leveraging compromised GitHub Actions.
  • The malware harvests extensive credentials (GitHub, AWS, Azure, GCP, npm, SSH) and exfiltrates them via Dune-themed GitHub repositories and a Checkmarx C2 endpoint.
  • The payload features a Russian locale kill switch and establishes persistence via shell profile modifications (~/.bashrc, ~/.zshrc).
  • The malware downloads a Bun v1.3.13 interpreter to run its payload and uses a Python memory-scraping script that targets the GitHub Actions Runner.Worker process.

Affected Systems

  • Bitwarden CLI npm package (@bitwarden/cli@2026.4.0)
  • GitHub Actions CI/CD pipelines
  • Developer endpoints (Linux/macOS)

Attack Chain

The attack begins with the compromise of the Bitwarden CLI npm package (@bitwarden/cli@2026.4.0) via a malicious GitHub Actions workflow injection. Upon installation, the embedded bw1.js payload executes. It downloads a Bun v1.3.13 interpreter to run its collection logic, which reads configuration files for GitHub, AWS, Azure, GCP, npm and SSH credentials and, on GitHub Actions runners, uses a Python script to scrape the Runner.Worker process memory. The malware establishes persistence by modifying shell profiles (~/.bashrc, ~/.zshrc) and aborts on systems with a Russian locale (kill switch). Finally, stolen credentials are exfiltrated to the C2 endpoint audit.checkmarx[.]cx and via encrypted commits to newly created, Dune-themed public GitHub repositories named {word}-{word}-{3digits}.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

The article does not provide explicit detection rules, but lists behavioral indicators, file paths, and network IOCs for threat hunting.

Detection Engineering Assessment

  • EDR Visibility: High. EDRs can effectively monitor file modifications to ~/.bashrc and ~/.zshrc, the creation of the specific lock file /tmp/tmp.987654321.lock, and the execution of the Bun interpreter.
  • Network Visibility: Medium. Network tools can detect connections to the specific C2 domain, but exfiltration via the legitimate GitHub API will blend in with normal developer traffic.
  • Detection Difficulty: Moderate. While the specific C2 and lock files are easy to detect, the use of legitimate GitHub APIs for exfiltration and the supply chain vector make initial detection challenging without specific IOCs.

Required Log Sources

  • EDR process execution logs
  • File integrity monitoring (FIM)
  • Network proxy/DNS logs
  • GitHub audit logs
  • Cloud provider CloudTrail/audit logs

Hunting Hypotheses

  • Look for unexpected modifications to ~/.bashrc or ~/.zshrc originating from package manager processes (npm, node).
    • Telemetry: EDR file modification logs; ATT&CK stage: Persistence; FP risk: Low
  • Search for the creation or presence of the specific lock file /tmp/tmp.987654321.lock.
    • Telemetry: EDR file creation logs; ATT&CK stage: Execution; FP risk: Low
  • Monitor for unexpected execution of the Bun interpreter (bun), especially if downloaded directly from GitHub releases to temporary directories.
    • Telemetry: EDR process execution logs; ATT&CK stage: Execution; FP risk: Medium
  • Hunt for DNS requests or network connections to audit.checkmarx[.]cx.
    • Telemetry: DNS logs, network proxy logs; ATT&CK stage: Command and Control; FP risk: Low
  • Review GitHub audit logs for the sudden creation of public repositories matching the {word}-{word}-{3digits} pattern by developer accounts.
    • Telemetry: GitHub audit logs; ATT&CK stage: Exfiltration; FP risk: Low
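The five hypotheses above, turned into runnable hunt logic. This is an added example, not code from Socket or the original report. The event records are constructed JSON lines in an assumed generic schema (type, process, path, image, query, action, repo, visibility); map the field names onto your own EDR, DNS and GitHub audit log exports. The indicators are the ones the report lists; the lowercase-words regex for the repo name and the "bun executed from under /tmp" rule are my readings of the report's descriptions.

```python
"""Hunt queries for the Bitwarden CLI / Checkmarx campaign over sample telemetry."""
import json
import re
from collections import Counter

# Indicators from the report.
LOCK_FILE = "/tmp/tmp.987654321.lock"
C2_DOMAIN = "audit.checkmarx.cx"
SHELL_PROFILES = (".bashrc", ".zshrc")
# Writers that should never touch a shell profile during a build or install.
PACKAGE_MANAGERS = {"npm", "node", "npx", "yarn", "pnpm"}
# Report: Dune-themed {word}-{word}-{3digits}. Lowercase words are an assumption.
DUNE_REPO = re.compile(r"^[a-z]+-[a-z]+-\d{3}$")


def hunt(events):
    """Return (rule_name, event) pairs for every event matching a hypothesis."""
    hits = []
    for ev in events:
        kind = ev.get("type")
        if kind == "file_write":
            path = ev.get("path", "")
            if path.endswith(SHELL_PROFILES) and ev.get("process") in PACKAGE_MANAGERS:
                hits.append(("shell_profile_persistence", ev))   # T1546.004
            if path == LOCK_FILE:
                hits.append(("hardcoded_lock_file", ev))
        elif kind == "process_start":
            image = ev.get("image", "")
            # Medium FP risk: legitimate bun installs live outside /tmp.
            if image.endswith("/bun") and image.startswith("/tmp/"):
                hits.append(("bun_from_tmp", ev))
        elif kind == "dns":
            if ev.get("query", "").lower().rstrip(".") == C2_DOMAIN:
                hits.append(("c2_dns", ev))                      # T1071.001
        elif kind == "github_audit":
            name = ev.get("repo", "").rsplit("/", 1)[-1]
            if (ev.get("action") == "repo.create"
                    and ev.get("visibility") == "public"
                    and DUNE_REPO.match(name)):
                hits.append(("dune_repo_create", ev))            # T1567.001
    return hits


def summarize(hits):
    """Count hits per rule so a triage queue can be prioritised."""
    return dict(Counter(rule for rule, _ in hits))


# Constructed sample telemetry (not captured data): one true positive per rule
# plus benign noise that the rules must not flag.
SAMPLE_LOGS = """
{"type":"file_write","host":"dev-1","process":"node","path":"/home/dev/.bashrc"}
{"type":"file_write","host":"dev-1","process":"vim","path":"/home/dev/.bashrc"}
{"type":"file_write","host":"dev-1","process":"bun","path":"/tmp/tmp.987654321.lock"}
{"type":"process_start","host":"runner-7","image":"/tmp/_tmp_1745500000/bun","parent":"node"}
{"type":"process_start","host":"dev-2","image":"/usr/local/bin/bun","parent":"bash"}
{"type":"dns","host":"runner-7","query":"audit.checkmarx.cx."}
{"type":"dns","host":"runner-7","query":"registry.npmjs.org."}
{"type":"github_audit","actor":"dev","action":"repo.create","repo":"dev/arrakis-sandworm-042","visibility":"public"}
{"type":"github_audit","actor":"dev","action":"repo.create","repo":"dev/internal-tooling","visibility":"private"}
"""


def load_sample():
    """Parse the constructed sample into event dicts."""
    return [json.loads(line) for line in SAMPLE_LOGS.strip().splitlines()]


if __name__ == "__main__":
    for rule, ev in hunt(load_sample()):
        print(f"{rule:28s} {ev}")
    print(summarize(hunt(load_sample())))
```

The repo-creation rule only fires on public repositories because that is what the report describes; if your audit log export does not carry visibility, drop that condition and accept a higher false-positive rate. The bun rule is the noisiest of the five, so correlate it with the parent process (node or npm on a runner) before escalating.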

Control Gaps

  • Lack of egress filtering for CI/CD runners
  • Insufficient monitoring of GitHub repository creation by users
  • Over-permissive npm tokens

Key Behavioral Indicators

  • Creation of /tmp/tmp.987654321.lock
  • Modifications to ~/.bashrc or ~/.zshrc during npm install
  • Execution of Bun interpreter in CI/CD environments where it is not standard
  • Creation of Dune-themed GitHub repositories

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Remove the @bitwarden/cli@2026.4.0 package from all developer systems and build environments.
  • Rotate all potentially exposed credentials (GitHub tokens, npm tokens, AWS/Azure/GCP credentials, SSH keys).
  • Check for unauthorized GitHub repository creation and suspicious workflow runs.
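A host-side triage script for the three steps above. This is an added example, not Bitwarden's or Socket's tooling. It walks a filesystem root (for example "/" on a suspect host) for the artifacts the report names (the affected package version, the bw1.js/mcpAddon.js/setup.mjs files, the hardcoded lock file, shell profile changes) and lists which credential stores exist in each home directory so the responder knows what to rotate. The credential store paths are assumed tool defaults and the profile-line heuristic (lines mentioning bun or /tmp/) is my own; the report names the credential types and the profile files, not the exact lines or files the malware touches. The sample host layout is constructed so the script runs offline.

```python
"""Endpoint triage for the @bitwarden/cli@2026.4.0 compromise."""
import json
import os
import tempfile

AFFECTED_PACKAGE = "@bitwarden/cli"
AFFECTED_VERSION = "2026.4.0"
LOCK_FILE = "tmp/tmp.987654321.lock"          # relative to the scanned root
PAYLOAD_NAMES = {"bw1.js", "mcpAddon.js", "setup.mjs"}
SHELL_PROFILES = (".bashrc", ".zshrc")
PROFILE_MARKERS = ("bun", "/tmp/")            # assumed heuristic; review hits manually
# Assumed default locations for the credential types the report says are harvested.
CREDENTIAL_STORES = {
    "GitHub (gh CLI)": ".config/gh/hosts.yml",
    "AWS": ".aws/credentials",
    "Azure": ".azure",
    "GCP": ".config/gcloud",
    "npm": ".npmrc",
    "SSH": ".ssh",
}


def _is_affected_version(pkg_json):
    """True if package.json names the compromised package and version."""
    try:
        with open(pkg_json, encoding="utf-8") as fh:
            meta = json.load(fh)
    except (OSError, ValueError):
        return False
    return meta.get("name") == AFFECTED_PACKAGE and meta.get("version") == AFFECTED_VERSION


def _suspicious_profile_lines(path):
    """Lines in a shell profile that mention any of the assumed markers."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return [ln.rstrip("\n") for ln in fh if any(m in ln for m in PROFILE_MARKERS)]
    except OSError:
        return []


def triage(root, homes):
    """Scan `root` for compromise artifacts; `homes` are the user home dirs to inspect."""
    findings = {"affected_packages": [], "payload_files": [], "lock_file": False,
                "profile_lines": {}, "credential_stores": {}}
    for dirpath, _dirnames, filenames in os.walk(root):
        norm = dirpath.replace(os.sep, "/")
        if norm.endswith("node_modules/" + AFFECTED_PACKAGE) and "package.json" in filenames:
            if _is_affected_version(os.path.join(dirpath, "package.json")):
                findings["affected_packages"].append(dirpath)
        for name in PAYLOAD_NAMES & set(filenames):
            findings["payload_files"].append(os.path.join(dirpath, name))
    findings["lock_file"] = os.path.exists(os.path.join(root, LOCK_FILE))
    for home in homes:
        for prof in SHELL_PROFILES:
            lines = _suspicious_profile_lines(os.path.join(home, prof))
            if lines:
                findings["profile_lines"][os.path.join(home, prof)] = lines
        present = [k for k, rel in CREDENTIAL_STORES.items()
                   if os.path.exists(os.path.join(home, rel))]
        if present:
            findings["credential_stores"][home] = present
    return findings


def build_sample_root():
    """Constructed sample host (not real data): a compromised install plus an npm token and SSH dir."""
    root = tempfile.mkdtemp(prefix="triage_")
    pkg = os.path.join(root, "home/dev/app/node_modules/@bitwarden/cli")
    os.makedirs(pkg)
    with open(os.path.join(pkg, "package.json"), "w", encoding="utf-8") as fh:
        json.dump({"name": AFFECTED_PACKAGE, "version": AFFECTED_VERSION}, fh)
    open(os.path.join(pkg, "bw1.js"), "w").close()
    os.makedirs(os.path.join(root, "tmp"))
    open(os.path.join(root, LOCK_FILE), "w").close()
    home = os.path.join(root, "home/dev")
    # The appended line is illustrative; the report does not quote the real persistence line.
    with open(os.path.join(home, ".bashrc"), "w", encoding="utf-8") as fh:
        fh.write("export PATH=$HOME/bin:$PATH\n"
                 "/tmp/_tmp_1745500000/bun /tmp/_tmp_1745500000/bw1.js &\n")
    open(os.path.join(home, ".npmrc"), "w").close()
    os.makedirs(os.path.join(home, ".ssh"))
    return root, [home]


if __name__ == "__main__":
    print(json.dumps(triage(*build_sample_root()), indent=2))
```

Run it against "/" with the real home directories on a suspect host; any affected package, payload file or lock file hit means the host's credential stores must be treated as exposed and rotated, and the GitHub audit log for the affected user reviewed for repository creation and unexpected workflow runs.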

Infrastructure Hardening

  • Lock down token scopes and require short-lived credentials.
  • Restrict permissions for creating or publishing npm packages.
  • Harden GitHub Actions permissions and disable unnecessary artifact access.

User Protection

  • Monitor developer endpoints for outbound connections to audit.checkmarx[.]cx.
  • Hunt for the presence of /tmp/tmp.987654321.lock and unauthorized shell profile modifications.

Security Awareness

  • Educate developers on the risks of supply chain attacks and the importance of verifying package integrity.
  • Train teams to recognize anomalous CI/CD pipeline behavior.

MITRE ATT&CK Mapping

  • T1195.002 - Supply Chain Compromise: Compromise of Software Supply Chain
  • T1552.001 - Unsecured Credentials: Credentials In Files
  • T1552.004 - Unsecured Credentials: Private Keys
  • T1546.004 - Event Triggered Execution: Unix Shell Configuration Modification
  • T1614.001 - System Location Discovery: System Language Discovery
  • T1567.001 - Exfiltration Over Web Service: Exfiltration to Code Repository
  • T1071.001 - Application Layer Protocol: Web Protocols

Additional IOCs

  • IPs:
    • 94[.]154[.]172[.]43 - C2 endpoint IP
  • Domains:
    • audit[.]checkmarx[.]cx - C2 endpoint domain
  • URLs:
    • hxxps://audit[.]checkmarx[.]cx/v1/telemetry - Telemetry and exfiltration C2 URL
  • File Paths:
    • /tmp/tmp.987654321.lock - Hardcoded lock file
    • /tmp/_tmp_<Unix Epoch Timestamp>/ - Temporary directory used during victim package compromise
    • package-updated.tgz - File associated with victim package compromise
    • ~/.bashrc - Targeted for shell profile persistence
    • ~/.zshrc - Targeted for shell profile persistence
    • bw1.js - Malicious payload file
    • mcpAddon.js - Related malicious file from the broader Checkmarx campaign
    • setup.mjs - Loader for republished npm packages
  • Other:
    • LongLiveTheResistanceAgainstMachines - Marker used in commit messages for exfiltrated tokens
    • Shai-Hulud: The Third Coming - Repository description used for exfiltration
    • {word}-{word}-{3digits} - Dune-themed naming pattern for unauthorized public repositories used for exfiltration
    • 0x3039 (12345 decimal) - Seed used for obfuscation via __decodeScrambled