T1195.001 Compromise Software Dependencies and Development Tools
100%
“2026.4.0 installed can become the entry point for a broader supply chain compromise, with the attacker gaining persistent workflow injection access to every ci/cd pipeline the developer’s token can reach," stepsecurity said. while the malicious version is no longer availab…”
T1195.001 Compromise Software Dependencies and Development Tools
99%
“"checkmarx/ast-github-action," which was one of the artifacts that was compromised in the checkmarx supply chain incident. the application security vendor described the malicious bitwarden cli as one of the "more capable npm supply chain payloads" published to date. "i…”
T1195.001 Compromise Software Dependencies and Development Tools
98%
“bitwarden cli compromised in ongoing checkmarx supply chain campaign bitwarden cli, the command-line interface for the password manager bitwarden, has reportedly been compromised as part of a newly discovered and ongoing checkmarx supply chain campaign, according to findings fr…”
T1195.001 Compromise Software Dependencies and Development Tools
87%
“4.0 between 5:57 pm and 7:30 pm (et) on april 22, 2026, in connection with a broader checkmarx supply chain incident. the investigation found no evidence that end user vault data was accessed or at risk, or that production data or production systems were compromised. once …”
T1195.002 Compromise Software Supply Chain
87%
“bitwarden cli compromised in ongoing checkmarx supply chain campaign bitwarden cli, the command-line interface for the password manager bitwarden, has reportedly been compromised as part of a newly discovered and ongoing checkmarx supply chain campaign, according to findings fr…”
T1195.001 Compromise Software Dependencies and Development Tools
85%
“the question every affected team should be asking right now isn't just 'did this package run in my environment?' it's: what secrets were accessible if it did, and have they been rotated?" update for users who installed the trojanized package during the affected window, bi…”
T1195.001 Compromise Software Dependencies and Development Tools
84%
“##tories created under victim accounts using a dune-themed naming scheme in the same format "<word>-<word>-<3 digits>." but in an interesting shift, the malware is also designed to quit execution on systems if their locale corresponds to russia. "the shared tooling…”
T1195.001 Compromise Software Dependencies and Development Tools
74%
“specifically, the malicious code is executed by means of a preinstall hook, resulting in the theft of local, ci, github, and cloud secrets. the data is exfiltrated to the domain "audit.checkmarx[.]cx" and to a github repository as a fallback if the primary method fails. the…”
T1587 Develop Capabilities
71%
“2026.4.0 installed can become the entry point for a broader supply chain compromise, with the attacker gaining persistent workflow injection access to every ci/cd pipeline the developer’s token can reach," stepsecurity said. while the malicious version is no longer availab…”
T1195.001 Compromise Software Dependencies and Development Tools
71%
“. as of writing, teampcp's x account has been suspended for violating the platform's rules. ox security, in a breakdown of the attack, said it identified the string "shai-hulud: the third coming" in the package, suggesting this could likely be the next phase of the suppl…”
T1195.002 Compromise Software Supply Chain
60%
“specifically, the malicious code is executed by means of a preinstall hook, resulting in the theft of local, ci, github, and cloud secrets. the data is exfiltrated to the domain "audit.checkmarx[.]cx" and to a github repository as a fallback if the primary method fails. the…”
T1195.002 Compromise Software Supply Chain
57%
“4.0 between 5:57 pm and 7:30 pm (et) on april 22, 2026, in connection with a broader checkmarx supply chain incident. the investigation found no evidence that end user vault data was accessed or at risk, or that production data or production systems were compromised. once …”
T1567.001 Exfiltration to Code Repository
55%
“. as of writing, teampcp's x account has been suspended for violating the platform's rules. ox security, in a breakdown of the attack, said it identified the string "shai-hulud: the third coming" in the package, suggesting this could likely be the next phase of the suppl…”
T1587 Develop Capabilities
51%
“##tories created under victim accounts using a dune-themed naming scheme in the same format "<word>-<word>-<3 digits>." but in an interesting shift, the malware is also designed to quit execution on systems if their locale corresponds to russia. "the shared tooling…”
T1587 Develop Capabilities
39%
“"checkmarx/ast-github-action," which was one of the artifacts that was compromised in the checkmarx supply chain incident. the application security vendor described the malicious bitwarden cli as one of the "more capable npm supply chain payloads" published to date. "i…”
Summary
Bitwarden CLI, the command-line interface for the password manager Bitwarden, has reportedly been compromised as part of a newly discovered and ongoing Checkmarx supply chain campaign, according to findings from JFrog and Socket.
"The affected package version appears to be @bitwarden/[email protected], and the malicious code was published in 'bw1.js,' a file included in the package contents," the