
Bitwarden CLI Compromised in Ongoing Checkmarx Supply Chain Campaign

TL;DR HIGH
  • What happened: Bitwarden CLI npm package backdoored to steal developer and AI coding tool credentials via preinstall hook.
  • Who's at risk: Developers using @bitwarden/[email protected] are directly exposed, especially those whose environments include AI coding assistants like Claude, Cursor, or Codex CLI.
  • Act now: Immediately audit installed npm packages and remove or downgrade @bitwarden/[email protected] · Rotate all GitHub tokens, npm credentials, SSH keys, and cloud secrets on affected developer machines · Audit CI/CD pipelines for injected or unauthorised GitHub Actions workflows

Overview

A malicious version of the Bitwarden CLI npm package (@bitwarden/[email protected]) was identified as part of an ongoing supply chain campaign attributed to a threat actor known as TeamPCP. Discovered by JFrog, Socket, and OX Security, the attack is consistent with the broader Checkmarx supply chain campaign pattern, leveraging a compromised GitHub Action within Bitwarden’s CI/CD pipeline. Notably, the malicious code specifically targeted configurations for AI coding tools — including Claude, Kiro, Cursor, Codex CLI, and Aider — making this a direct threat to AI-assisted software development environments.

Technical Analysis

The attack ran through a preinstall npm hook, so the credential stealer executed before any of the legitimate package code did. The malicious file bw1.js performed the following actions:

  1. Credential harvesting — targeted local secrets, .env files, shell history, .ssh keys, GitHub Actions environment variables, cloud provider credentials, and AI coding assistant configuration files.
  2. Encryption and exfiltration — stolen data was encrypted with AES-256-GCM and sent to audit.checkmarx[.]cx, a domain impersonating the legitimate Checkmarx security vendor. A GitHub repository served as a fallback exfiltration channel.
  3. Lateral movement — if GitHub tokens were discovered, the malware injected malicious Actions workflows into reachable repositories and used harvested npm credentials to push further poisoned package versions downstream.
  4. Persistence — a single compromised developer token could grant attackers persistent access to every CI/CD pipeline accessible to that developer.

Security researcher Adnan Khan noted this is believed to be the first compromise of an npm package using NPM Trusted Publishing. The string "Shai-Hulud: The Third Coming" found embedded in the package suggests this may be the third iteration of a longer-running campaign.

Framework Mapping

  • AML.T0010 (ML Supply Chain Compromise): The attack directly poisoned a widely-used developer CLI package distributed via npm, targeting downstream AI development toolchains.
  • AML.T0057 (LLM Data Leakage): AI coding tool configurations — potentially containing API keys, system prompts, and project context — were specifically targeted for exfiltration.
  • AML.T0012 (Valid Accounts): Stolen GitHub and npm tokens were weaponised to maintain persistent, legitimate-looking access across CI/CD pipelines.
  • LLM05 (Supply Chain Vulnerabilities): The attack exploited the npm package ecosystem as a vector into AI-integrated development environments.
  • LLM06 (Sensitive Information Disclosure): Exfiltration of AI tool credentials and configurations constitutes direct sensitive information disclosure from LLM-adjacent tooling.

Impact Assessment

Any developer who installed @bitwarden/[email protected] is at risk of full credential compromise. The blast radius extends to every repository, CI/CD pipeline, and cloud environment accessible via stolen tokens. The targeting of AI coding tools adds a novel dimension: compromised Claude, Cursor, or Codex CLI credentials could expose proprietary codebases, internal prompts, or AI-generated intellectual property. Organisations with AI-assisted development workflows should treat this as a high-severity incident.

Mitigation & Recommendations

  • Remove @bitwarden/[email protected] immediately and pin to a verified clean version.
  • Rotate all secrets potentially exposed: GitHub tokens, npm tokens, SSH keys, AWS/GCP/Azure credentials, and AI tool API keys.
  • Audit GitHub Actions workflows across all accessible repositories for injected or unrecognised steps.
  • Enable npm audit and integrity checks in CI/CD pipelines; consider enforcing lockfile integrity.
  • Monitor for outbound connections to audit.checkmarx[.]cx and review recent GitHub commit history for anomalous activity.
  • Implement StepSecurity or equivalent GitHub Actions hardening to restrict workflow permissions.
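The audit and monitoring steps above, and the preinstall-hook mechanism described under Technical Analysis, can be checked with a small script like the following. It is an added defensive example, not code from the advisory, from Bitwarden, or from any of the researchers named; the manifests and proxy log lines are constructed, and the malicious version string is a placeholder because the page does not state it.

```python
"""Audit installed npm manifests for install-time lifecycle hooks (the mechanism
the advisory describes) and sweep proxy logs for the exfiltration domain it names.
Sample manifests and log lines are constructed for a stand-alone run."""
import re

INSTALL_HOOKS = ("preinstall", "install", "postinstall")
# Placeholder: the advisory does not give the malicious version number.
KNOWN_BAD = {("@bitwarden/cli", "<malicious-version-placeholder>")}
IOC_DOMAIN = "audit.checkmarx.cx"  # defanged on the page as audit.checkmarx[.]cx


def audit_manifests(manifests):
    """manifests: {install_path: parsed package.json dict}.
    Flags (a) any package whose scripts run at install time and
    (b) exact name/version matches against the known-compromised release."""
    findings = []
    for path, pkg in manifests.items():
        name, version = pkg.get("name", "?"), pkg.get("version", "?")
        scripts = pkg.get("scripts") or {}
        hooks = {h: scripts[h] for h in INSTALL_HOOKS if h in scripts}
        if hooks:
            findings.append((path, name, version, "install-time hook", hooks))
        if (name, version) in KNOWN_BAD:
            findings.append((path, name, version, "known compromised release", {}))
    return findings


def scan_proxy_log(lines):
    """Return log lines whose destination host is the IoC domain or a subdomain of it."""
    host_re = re.compile(r"\bhost=([A-Za-z0-9.-]+)")
    hits = []
    for line in lines:
        m = host_re.search(line)
        if m and (m.group(1) == IOC_DOMAIN or m.group(1).endswith("." + IOC_DOMAIN)):
            hits.append(line)
    return hits


# Constructed sample data (not real captures).
SAMPLE_MANIFESTS = {
    "node_modules/@bitwarden/cli": {"name": "@bitwarden/cli",
                                     "version": "<malicious-version-placeholder>",
                                     "scripts": {"preinstall": "node bw1.js", "build": "tsc"}},
    "node_modules/left-pad": {"name": "left-pad", "version": "1.3.0",
                              "scripts": {"test": "node test"}},
}
SAMPLE_LOG = [
    "t=1 src=10.0.0.5 host=registry.npmjs.org method=GET status=200",
    "t=2 src=10.0.0.5 host=audit.checkmarx.cx method=POST status=200",
]

if __name__ == "__main__":
    for finding in audit_manifests(SAMPLE_MANIFESTS):
        print(finding)
    print(scan_proxy_log(SAMPLE_LOG))
```

Any install-time hook on a dependency deserves a look, not only the one package named here; the known-bad check is the narrow match, the hook check is the broad one.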
