
Bitwarden CLI Compromised in Ongoing Checkmarx Supply Chain Campaign

TL;DR HIGH
  • What happened: Bitwarden CLI npm package backdoored to steal developer and AI coding tool credentials via preinstall hook.
  • Who's at risk: Developers using @bitwarden/[email protected] are directly exposed, especially those whose environments include AI coding assistants like Claude, Cursor, or Codex CLI.
  • Act now: Immediately audit installed npm packages and remove or downgrade @bitwarden/[email protected] · Rotate all GitHub tokens, npm credentials, SSH keys, and cloud secrets on affected developer machines · Audit CI/CD pipelines for injected or unauthorised GitHub Actions workflows

Overview

A malicious version of the Bitwarden CLI npm package (@bitwarden/[email protected]) was identified as part of an ongoing supply chain campaign attributed to a threat actor known as TeamPCP. Discovered by JFrog, Socket, and OX Security, the attack is consistent with the broader Checkmarx supply chain campaign pattern, leveraging a compromised GitHub Action within Bitwarden’s CI/CD pipeline. Notably, the malicious code specifically targeted configurations for AI coding tools — including Claude, Kiro, Cursor, Codex CLI, and Aider — making this a direct threat to AI-assisted software development environments.

Technical Analysis

The payload ran from a preinstall npm lifecycle hook, so the credential stealer executed during `npm install`, before any legitimate package code ran. The malicious file bw1.js performed the following actions:

  1. Credential harvesting — targeted local secrets, .env files, shell history, .ssh keys, GitHub Actions environment variables, cloud provider credentials, and AI coding assistant configuration files.
  2. Encryption and exfiltration — stolen data was encrypted with AES-256-GCM and sent to audit.checkmarx[.]cx, a domain impersonating the legitimate Checkmarx security vendor. A GitHub repository served as a fallback exfiltration channel.
  3. Lateral movement — if GitHub tokens were discovered, the malware injected malicious Actions workflows into reachable repositories and used harvested npm credentials to push further poisoned package versions downstream.
  4. Persistence — a single compromised developer token could grant attackers persistent access to every CI/CD pipeline accessible to that developer.

Security researcher Adnan Khan noted this is believed to be the first compromise of an npm package using NPM Trusted Publishing. The string "Shai-Hulud: The Third Coming" found embedded in the package suggests this may be the third iteration of a longer-running campaign.

Framework Mapping

  • AML.T0010 (ML Supply Chain Compromise): The attack directly poisoned a widely-used developer CLI package distributed via npm, targeting downstream AI development toolchains.
  • AML.T0057 (LLM Data Leakage): AI coding tool configurations — potentially containing API keys, system prompts, and project context — were specifically targeted for exfiltration.
  • AML.T0012 (Valid Accounts): Stolen GitHub and npm tokens were weaponised to maintain persistent, legitimate-looking access across CI/CD pipelines.
  • LLM05 (Supply Chain Vulnerabilities): The attack exploited the npm package ecosystem as a vector into AI-integrated development environments.
  • LLM06 (Sensitive Information Disclosure): Exfiltration of AI tool credentials and configurations constitutes direct sensitive information disclosure from LLM-adjacent tooling.

Impact Assessment

Any developer who installed @bitwarden/[email protected] is at risk of full credential compromise. The blast radius extends to every repository, CI/CD pipeline, and cloud environment accessible via stolen tokens. The targeting of AI coding tools adds a novel dimension: compromised Claude, Cursor, or Codex CLI credentials could expose proprietary codebases, internal prompts, or AI-generated intellectual property. Organisations with AI-assisted development workflows should treat this as a high-severity incident.

Mitigation & Recommendations

  • Remove @bitwarden/[email protected] immediately and pin to a verified clean version.
  • Rotate all secrets potentially exposed: GitHub tokens, npm tokens, SSH keys, AWS/GCP/Azure credentials, and AI tool API keys.
  • Audit GitHub Actions workflows across all accessible repositories for injected or unrecognised steps.
  • Install with `npm ci` against a committed lockfile so CI resolves exactly the pinned, integrity-checked versions; set `ignore-scripts=true` in `.npmrc` where the dependency tree allows it so lifecycle hooks cannot run during install; keep `npm audit` in the pipeline.
  • Monitor for outbound connections to audit.checkmarx[.]cx and review recent GitHub commit history for anomalous activity.
  • Implement StepSecurity or equivalent GitHub Actions hardening to restrict workflow permissions.
