On April 22, 2026, the software supply chain faced a surgical strike. Between 5:57 PM and 7:30 PM ET, a malicious version of the official Bitwarden CLI (@bitwarden/cli@2026.4.0) was published to the npm registry. For 93 minutes, any developer or automated pipeline running a fresh install or update was served a sophisticated infostealer instead of a password manager.+1
While Bitwarden moved with lightning speed to pull the tainted version, the damage potential of this incident is vast. This wasn’t a simple credential grab; it was a self-propagating “worm” designed to harvest high-value cloud secrets and pivot into downstream repositories.
In this deep dive, we analyze the TeamPCP group’s latest campaign—dubbed “Shai-Hulud: The Third Coming”—and provide the immediate steps required to purge this threat from your development environment.
Technical Breakdown: How the Bitwarden CLI Attack Worked
The attack exploited a compromise in Bitwarden’s CI/CD pipeline, specifically targeting a GitHub Action (publish-ci.yml). This allowed the attackers to bypass “trusted publishing” controls and upload a malicious package under the legitimate Bitwarden namespace.
The Loader: bw_setup.js
The infection begins the moment a developer runs npm install. The malicious package utilized a preinstall hook to fire a loader script named bw_setup.js. This script acted as a silent stage-one delivery mechanism, ensuring the environment was suitable for the primary payload.
The Payload: bw1.js (The Shai-Hulud Worm)
Analysis by researchers at JFrog, OX Security, and Socket revealed that the loader fetches bw1.js, a massive 9.7 MB obfuscated JavaScript file.
- Targeting Logic: The malware first checks the host’s language settings. If it detects a Russian-language configuration, it exits—a classic hallmark of threat actors operating from the CIS region looking to avoid domestic legal scrutiny.+1
- Worm Behavior: Unlike static stealers, this payload attempts to self-propagate. It scans the victim’s machine for existing npm packages the developer has permission to publish, injects malicious code, and re-uploads them to npm, potentially infecting thousands of downstream users.
What Was Stolen? A Checklist of Targeted Secrets
The “Shai-Hulud” payload was specifically tuned for the modern developer stack. It didn’t just look for browser cookies; it hunted for the “keys to the kingdom.”
| Target Category | Specific Artifacts Collected |
|---|---|
| Cloud Providers | AWS Credentials (~/.aws/credentials), Azure Key Vault secrets, GCP Secret Manager tokens. |
| VCS & SSH | GitHub CLI tokens, SSH private keys (id_rsa), and known_hosts fingerprints. |
| Registry Access | npm authentication tokens stored in .npmrc. |
| AI Infrastructure | Configuration files for Claude, Cursor, and MCP (Model Context Protocol) servers. |
Export to Sheets
Exfiltration Method: In a creative twist, the malware exfiltrated encrypted data by automatically creating public GitHub repositories on the victim’s account. These repos were consistently tagged with the string: Shai-Hulud: The Third Coming.
Indicators of Compromise (IoCs)
Security teams should immediately audit logs for these signatures.
File Hashes (SHA256)
- bw_setup.js (Loader):
37f34aa3b86db6898065f3ca886031978580a15251f2576f6d24c3b778907336 - bw1.js (Payload):
18f784b3bc9a0bcdcb1a8d7f51bc5f54323fc40cbd874119354ab609bef6e4cb
Network & Metadata
- C2 Endpoint:
audit.checkmarx[.]cx(Impersonating legitimate Checkmarx infrastructure). - GitHub Repository Tags: “Shai-Hulud: The Third Coming”
- Affected Version:
@bitwarden/cli@2026.4.0
Expert Insights: The AI Configuration Pivot
A significant takeaway from this incident is the targeting of AI coding assistant configurations. As developers increasingly use AI agents like Cursor or Claude, they often store high-privilege API keys in local config files.+1
According to Socket, the TeamPCP group is one of the first to explicitly automate the theft of these configs. An attacker who lifts an AI configuration can often chain their access into dozens of other connected services before a single alert is triggered.
Best Practices: Securing Your CI/CD After the Attack
If your team interacted with the Bitwarden CLI during the April 22 window, follow these steps immediately:
- Uninstall and Downgrade: Run
npm uninstall -g @bitwarden/cliand reinstall the safe version:npm install -g @bitwarden/cli@2026.4.1. - Global Secret Rotation: P0 Priority. Rotate all SSH keys, npm tokens, GitHub tokens, and AWS/Azure/GCP secret keys found on the machine.
- Audit GitHub Repositories: Check your organization’s GitHub for any newly created public repositories or unexpected commits.
- Enforce Post-Install Security: Use
npm config set ignore-scripts trueglobally on build servers to prevent the execution of malicious preinstall scripts in the future. - Verify Vault Integrity: While Bitwarden has confirmed that vaults and passwords remain safe, it is a best practice to change your Master Password and rotate 2FA if you suspect the machine hosting your CLI was fully compromised.
FAQs
1. Are my Bitwarden vault passwords compromised?
No. Bitwarden has confirmed that user vault data and production systems were not accessed. The malware targeted the developer environment (tokens, keys, and cloud secrets) rather than the passwords stored inside the vault.+1
2. I use the Bitwarden Browser Extension; am I affected?
No. The attack was isolated to the npm distribution of the CLI. Browser extensions, mobile apps, and desktop applications were unaffected.+1
3. How did the hackers bypass Bitwarden’s security?
The attackers compromised the CI/CD pipeline itself. By owning the automated workflow that publishes the software, they were able to use Bitwarden’s own trusted credentials to sign and upload the malicious version.
4. What is the “Shai-Hulud” reference?
It is a callback to the Dune universe, often used by the TeamPCP group in their malware campaigns. It has appeared in previous attacks against tools like Trivy and LiteLLM.+1
Conclusion: Lessons from the Supply Chain
The Bitwarden CLI incident is a stark reminder that even tools built for security are not immune to the vulnerabilities of the supply chain. The speed of the attack—and the worm-like nature of the payload—shows that 90 minutes is all an adversary needs to potentially compromise an entire ecosystem.
Action Item: Review your dependency management today. Ensure you are pinning versions and auditing your CI/CD pipelines for any unauthorized workflow changes
