TTPwire Vol. 1 · MITRE ATT&CK·Tagged

GitGuardian

@bitwarden/cli - GitGuardian Views on helloworm00

Guillaume Valadon · 2026-04-23

ATT&CK techniques detected

4 predictions
T1195.002 Compromise Software Supply Chain
85%
“…abot one confirmed victim environment shows the attack began with the Checkmarx KICS Docker image compromise on April 22, 2026. Dependabot pulled the trojanized checkmarx/kics:latest tag during an automated dependency update, executing the payload in CI with access to repos…”
T1567.001 Exfiltration to Code Repository
85%
“@bitwarden/cli - GitGuardian Views on helloworm00. Around 5:00 p.m. CET, we were alerted to the compromise of the bitwarden/cli package via https://opensourcemalware.com/npm/@bitwarden/cli The JFrog analyses at https://research.jfrog.com/post/bitwarde…”
T1195.001 Compromise Software Dependencies and Development Tools
35%
“@bitwarden/cli - GitGuardian Views on helloworm00. Around 5:00 p.m. CET, we were alerted to the compromise of the bitwarden/cli package via https://opensourcemalware.com/npm/@bitwarden/cli The JFrog analyses at https://research.jfrog.com/post/bitwarde…”
T1195.001 Compromise Software Dependencies and Development Tools
35%
“…abot one confirmed victim environment shows the attack began with the Checkmarx KICS Docker image compromise on April 22, 2026. Dependabot pulled the trojanized checkmarx/kics:latest tag during an automated dependency update, executing the payload in CI with access to repos…”

Summary

GitGuardian analysis of the @bitwarden/cli compromise: GitHub used as C2, new Cloudflare exfiltration domain found, linked to April 22 Checkmarx KICS compromise via Dependabot.