Overview
- Bitwarden said the @bitwarden/cli@2026.4.0 package was malicious for a 93-minute window on Wednesday, April 22; it has deprecated the release and found no evidence that vault or production data was accessed.
- The rogue build used a compromised GitHub Actions workflow to swap in a loader that fetched a Bun runtime and executed bw1.js, which stole GitHub and npm tokens, SSH keys, and cloud credentials and exfiltrated them to a checkmarx.cx endpoint and to public GitHub repos.
- Security firms report a parallel self‑spreading worm in the npm ecosystem that runs at install time, harvests secrets, and repackages any npm projects it can publish using stolen tokens, with optional PyPI propagation when Python credentials are present.
- Analysts link the Bitwarden incident to the recent Checkmarx compromise through shared tooling, endpoints, and payload structure, while attribution remains disputed as artifacts reference TeamPCP and Shai‑Hulud campaign markers.
- Defenders are urged to remove affected versions, rotate all tokens and keys, and audit CI/CD logs for unauthorized workflows or publishes because stolen credentials can let attackers republish tainted packages and move deeper into build systems.
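A first triage step for the remediation described above, added here as an example that is not from Bitwarden or the reporting firms: it parses a package-lock.json in either the lockfile v1 nested `dependencies` form or the v2/v3 flat `packages` map and flags every pin of the affected `@bitwarden/cli@2026.4.0`. The lockfile content is constructed sample input, not a real project's file.

```python
import json

# Version named in the advisory; extend the set if further releases are deprecated.
AFFECTED = {"@bitwarden/cli": {"2026.4.0"}}


def _walk_v1(deps, path, hits):
    """Recurse through a lockfile v1 'dependencies' tree (nested per package)."""
    for name, info in (deps or {}).items():
        version = info.get("version")
        if version in AFFECTED.get(name, set()):
            hits.append((name, version, "/".join(path + [name])))
        _walk_v1(info.get("dependencies"), path + [name], hits)


def find_affected(lockfile_text):
    """Return (name, version, location) for every affected pin in the lockfile."""
    lock = json.loads(lockfile_text)
    hits = []
    # lockfile v2/v3: flat map keyed by the node_modules path of each package
    for path, info in lock.get("packages", {}).items():
        if not path:
            continue  # "" is the root project entry, not a dependency
        name = info.get("name") or path.rsplit("node_modules/", 1)[-1]
        version = info.get("version")
        if version in AFFECTED.get(name, set()):
            hits.append((name, version, path))
    # lockfile v1 only; v2 also carries a compatibility 'dependencies' copy,
    # which is skipped so the same pin is not reported twice
    if "packages" not in lock:
        _walk_v1(lock.get("dependencies"), [], hits)
    return hits


# Constructed sample lockfile (v3 layout) for demonstration only.
SAMPLE_LOCK = json.dumps({
    "name": "ci-tools", "lockfileVersion": 3,
    "packages": {
        "": {"name": "ci-tools", "version": "1.0.0"},
        "node_modules/@bitwarden/cli": {"version": "2026.4.0"},
        "node_modules/left-pad": {"version": "1.3.0"},
    },
})

if __name__ == "__main__":
    for name, version, where in find_affected(SAMPLE_LOCK):
        print(f"AFFECTED: {name}@{version} at {where}")
```

Run it against each repository's lockfile as part of the audit; a hit means the build pulled the deprecated release and the host's tokens and keys should be treated as exposed.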