On April 22, a malicious version of Bitwarden’s command-line interface surfaced on npm under the official package name @bitwarden/[email protected]. For 93 minutes, anyone who installed it via npm received the compromised build instead of the legitimate application.
Bitwarden promptly removed the package and stated there was no evidence that attackers accessed user vault data or production systems.
The security firm JFrog investigated the malicious code and discovered its primary targets included GitHub tokens, npm tokens, SSH keys, shell history, AWS credentials, GCP credentials, Azure credentials, GitHub Actions secrets, and AI tooling configuration files. These elements are crucial for controlling how teams develop, deploy, and manage their infrastructure.
The table below outlines the targeted data types, where they typically reside, and their operational significance:
| Targeted Secret / Data Type | Where it Usually Lives | Why it Matters Operationally |
|---|---|---|
| GitHub tokens | Developer laptops, local config, CI environments | Enables repo access, workflow abuse, secret listing, lateral movement through automation |
| npm tokens | Local config, release environments | Can be used to publish malicious packages or alter release flows |
| SSH keys | Developer machines, build hosts | Opens access to servers, internal repos, and infrastructure |
| Shell history | Local machines | Reveals pasted secrets, commands, internal hostnames, workflow details |
| AWS credentials | Local config files, environment variables, CI secrets | Exposes cloud workloads, storage, and deployment systems |
| GCP credentials | Local config files, environment variables, CI secrets | Exposes cloud projects, services, and automation pipelines |
| Azure credentials | Local config files, environment variables, CI secrets | Exposes cloud infrastructure, identity systems, and deployment paths |
| GitHub Actions secrets | CI/CD environments | Gives access to automation, build outputs, deployments, downstream secrets |
| AI tooling / config files | Project directories, local dev environments | Exposes API keys, internal endpoints, model settings, related credentials |
Bitwarden serves over 50,000 businesses and 10 million users. Its documentation describes the CLI as a “powerful, fully-featured” method to access and manage vaults, including in automated workflows authenticated by environment variables. Bitwarden recommends npm as the simplest installation route for those familiar with the registry.
JFrog’s analysis revealed that the malicious package modified both the preinstall hook and the bw binary entrypoint so that each pointed at a loader, which fetched the Bun runtime and executed an obfuscated payload both at install time and whenever the CLI was run. This let the attackers harvest credentials from the host without ever touching the passwords stored in the vault.
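A manifest-level check for the two tampering signs just described, an install-time lifecycle hook and a redirected `bin` entrypoint, as an added example that is not the article’s or Bitwarden’s code; the manifests, paths and expected-bin map below are constructed samples, not the real package’s contents:

```python
"""Audit an npm package.json for install-time hooks and a rewritten bin entry.
All manifests in this file are constructed samples (not the real package)."""
import json

# Lifecycle scripts npm runs automatically when a consumer installs a package.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def audit_manifest(manifest: dict, expected_bins: dict) -> list:
    """Return a list of findings; an empty list means nothing suspicious.

    expected_bins maps each command name to the path its `bin` entry should
    point at, taken from a known-good release of the same package.
    """
    findings = []
    scripts = manifest.get("scripts", {})
    for hook in INSTALL_HOOKS:
        if hook in scripts:
            findings.append(f"install-time hook '{hook}' runs: {scripts[hook]}")

    bins = manifest.get("bin", {})
    if isinstance(bins, str):  # npm allows the "bin": "./path" shorthand
        bins = {manifest.get("name", ""): bins}
    for name, path in bins.items():
        expected = expected_bins.get(name)
        if expected is None:
            findings.append(f"unexpected bin command '{name}' -> {path}")
        elif path != expected:
            findings.append(f"bin '{name}' entrypoint moved: {expected} -> {path}")
    return findings


def audit_manifest_json(text: str, expected_bins: dict) -> list:
    """Same check, starting from the raw text of a package.json file."""
    return audit_manifest(json.loads(text), expected_bins)


# Constructed sample: the shape of a clean CLI release.
CLEAN = json.dumps({"name": "example-cli", "version": "1.0.0",
                    "bin": {"example": "./build/cli.js"},
                    "scripts": {"test": "jest"}})
# Constructed sample: a preinstall hook added and the bin pointed at a loader.
TAMPERED = json.dumps({"name": "example-cli", "version": "1.0.1",
                       "bin": {"example": "./loader.js"},
                       "scripts": {"test": "jest", "preinstall": "node loader.js"}})
EXPECTED_BINS = {"example": "./build/cli.js"}

if __name__ == "__main__":
    for label, text in (("clean", CLEAN), ("tampered", TAMPERED)):
        print(label, audit_manifest_json(text, EXPECTED_BINS))
```

Comparing a fresh tarball’s manifest against the previous known-good release in this way, or simply installing with `npm install --ignore-scripts`, catches the install-time hook before it runs; it does not catch a payload hidden in the entrypoint file itself, which needs a content diff.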
Security firm Socket indicated that the attack likely exploited a compromised GitHub Action in Bitwarden’s CI/CD pipeline. This aligns with patterns observed by Checkmarx researchers. Bitwarden confirmed its connection to the broader Checkmarx supply chain campaign.
npm’s trusted publishing model aims to mitigate such risks by replacing long-lived tokens with OIDC-based authentication, but it does not make the workflow itself safe: if the release logic is compromised, whatever that workflow publishes is still malicious.
The incident underscores that even when attackers exploit official distribution channels, the integrity of associated workflows is crucial in preventing malware dissemination.
Compromised release workflows can expose CI pipelines and credentials. JFrog showed that once the malware obtained a GitHub token, it could validate the token, enumerate writable repositories, list secrets, create branches, commit workflows, execute them, download artifacts, and clean up after itself.
This incident exemplifies how a compromised developer machine installing a tainted package can serve as a conduit to broader organizational access. Similar structural compromises have been observed in other sectors, such as the Bybit case involving a tampered Safe web UI.
Checkmarx disclosed multiple incidents within 60 days, highlighting ongoing threats to trusted tooling channels and release processes. JFrog’s findings on Trivy and LiteLLM illustrate how one compromised component can lead to further malicious activities.
Bitwarden’s breach is part of a growing trend of attacks targeting release workflows and package registries as primary vectors. The true root cause remains undisclosed, but the connection to Checkmarx’s campaign has been established.
Ultimately, this incident could redefine what constitutes an “official” package by emphasizing workflow integrity over mere publisher identity. Without enhanced provenance verification becoming standard practice, official labels may continue to mislead consumers regarding underlying security assurances.