Bitwarden CLI 2026.4.0 Compromised in Checkmarx Supply Chain Attack via GitHub Action
By tosh
Summary
Socket researchers discovered that Bitwarden CLI version 2026.4.0 was compromised as part of the ongoing Checkmarx supply chain campaign. The attack targeted the open source password manager serving over 10 million users and 50,000 businesses. Malicious code was published in the bw1.js file, and the attack appears to have leveraged a compromised GitHub Action in Bitwarden's CI/CD pipeline, consistent with patterns seen across other affected repositories in this campaign. The investigation is ongoing.
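The two concrete facts in the summary are the affected version (Bitwarden CLI 2026.4.0) and the vector (a compromised GitHub Action in the CI/CD pipeline). Below is an added triage script, not code from Socket, Bitwarden, or the original page, that a practitioner can run against a repository to check both: it flags lockfile entries that resolve `@bitwarden/cli` to the affected version, and it flags workflow `uses:` references that are pinned to a mutable tag or branch instead of a full commit SHA. The summary does not name which GitHub Action was compromised, so the workflow check is generic; the sample workflow and lockfile embedded here are constructed for the example, and the "pin to a 40-hex SHA" rule is the assumed policy, not something the report states.

```python
import json
import re
from typing import List

# Assumed policy: a third-party action is "pinned" only if its ref is a full 40-hex commit SHA.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^\s"\'#]+)["\']?', re.MULTILINE)
SHA_RE = re.compile(r'^[0-9a-f]{40}$')

# Package and version named in the report; the affected set is kept as a set so it can grow.
AFFECTED_PACKAGE = "@bitwarden/cli"
AFFECTED_VERSIONS = {"2026.4.0"}


def unpinned_actions(workflow_yaml: str) -> List[str]:
    """Return every `uses:` reference that is not pinned to a full commit SHA.

    Local actions (./path) and docker:// references are skipped because a SHA
    pin does not apply to them in the same way.
    """
    findings = []
    for ref in USES_RE.findall(workflow_yaml):
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        if "@" not in ref:          # no ref at all, resolves to the default branch
            findings.append(ref)
            continue
        _, version = ref.rsplit("@", 1)
        if not SHA_RE.match(version):
            findings.append(ref)
    return findings


def affected_lockfile_entries(lockfile_json: str) -> List[str]:
    """Return lockfile paths where @bitwarden/cli resolves to an affected version.

    Handles package-lock.json v2/v3 ("packages" map keyed by install path) and
    falls back to the v1 nested "dependencies" tree when "packages" is absent.
    """
    data = json.loads(lockfile_json)
    hits: List[str] = []
    if "packages" in data:
        for path, meta in data["packages"].items():
            # Install path ends in node_modules/<name>; "name" may also be set explicitly.
            name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
            if name == AFFECTED_PACKAGE and meta.get("version") in AFFECTED_VERSIONS:
                hits.append(path)
        return hits

    def walk(deps: dict, prefix: str) -> None:
        for name, meta in deps.items():
            if name == AFFECTED_PACKAGE and meta.get("version") in AFFECTED_VERSIONS:
                hits.append(prefix + name)
            walk(meta.get("dependencies", {}), prefix + name + "/")

    walk(data.get("dependencies", {}), "")
    return hits


# Constructed sample inputs (not taken from any real repository).
SAMPLE_WORKFLOW = """
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65
      - uses: ./.github/actions/local-thing
      - name: Publish
        uses: example-org/publish-action@main
"""

SAMPLE_LOCKFILE = json.dumps({
    "name": "app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "app", "version": "1.0.0"},
        "node_modules/@bitwarden/cli": {
            "version": "2026.4.0",
            "resolved": "https://registry.npmjs.org/@bitwarden/cli/-/cli-2026.4.0.tgz",
        },
        "node_modules/left-pad": {"version": "1.3.0"},
    },
})


if __name__ == "__main__":
    for ref in unpinned_actions(SAMPLE_WORKFLOW):
        print(f"UNPINNED ACTION: {ref}")
    for path in affected_lockfile_entries(SAMPLE_LOCKFILE):
        print(f"AFFECTED PACKAGE: {path} -> {AFFECTED_PACKAGE} {sorted(AFFECTED_VERSIONS)}")
```

In a real repository, feed `unpinned_actions` the contents of each file under `.github/workflows/` and `affected_lockfile_entries` each `package-lock.json`; a SHA-pinned action can still be malicious if the pinned commit itself was the compromised one, so the workflow check narrows the blast radius rather than proving the pipeline clean.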
Key quotes
· Socket researchers discovered that the Bitwarden CLI was compromised as part of the ongoing Checkmarx supply chain campaign.
· The open source password manager serves more than 10 million users and over 50,000 businesses.
· The attack appears to have leveraged a compromised GitHub Action in Bitwarden's CI/CD pipeline, consistent with the pattern seen across other affected repositories in this campaign.