Bitwarden CLI Backdoored: Shai-Hulud Returns Through a 93-Minute npm Window

Executive Summary

On April 22, 2026, at 21:57 UTC, a malicious version of @bitwarden/cli tagged 2026.4.0 appeared on the npm registry. Bitwarden detected and deprecated the package at 23:30 UTC, leaving a 93-minute distribution window. For a package with over 70,000 weekly downloads and deep integration into CI/CD pipelines across tens of thousands of organisations, 93 minutes was enough to reach high-value developer and automation environments.

The payload is the most capable npm supply chain artefact published to date. It combines a multi-cloud credential harvester, a self-propagating npm worm, GitHub Actions workflow injection, a GitHub commit dead-drop C2 channel with RSA-signed domain rotation, shell RC-file persistence, a Russian-locale kill switch, and a previously undocumented AI assistant poisoning technique that exploits the gap between what a shell executes and what coding agents read.

The entry point was Bitwarden’s own CI/CD pipeline. Bitwarden’s clients repository runs a Checkmarx scan on every pull request via a pull_request_target workflow trigger. On April 22, that workflow ran the trojanised checkmarx/kics Docker image Socket had disclosed hours earlier, authenticating to Azure Key Vault and requesting a GitHub OIDC token along the way. With Bitwarden’s CI credentials in attacker hands, an unsigned commit to .github/workflows/publish-cli.yml at 21:18 UTC added three lines that base64-encoded the short-lived npm publishing token into the workflow log. Four minutes later, the poisoned tarball was live on npm. This is the first publicly documented compromise of an npm package using Trusted Publishing (OIDC).

The malware tags itself “Shai-Hulud: The Third Coming”, embeds a Butlerian Jihad manifesto, and uses Dune-themed repository names (atreides, fremen, sandworm, and more) for GitHub-based fallback exfiltration. Tooling overlap with the Checkmarx wave ties the infrastructure to TeamPCP, but the ideological posture suggests either a splinter operator or an evolution of the campaign’s public face.

TL;DR for Engineering Teams

What it is: A compromised @bitwarden/cli@2026.4.0 npm package containing a Bun-executed credential stealer, workflow injector, self-propagating worm, and AI assistant poisoning module. A CVE is being issued by Bitwarden. Shares C2 infrastructure, RSA key, and exfiltration format with the Checkmarx TeamPCP campaign.

Where it bites: Any developer workstation, CI/CD runner, Docker image build, or automation host that installed @bitwarden/cli@2026.4.0 between 21:57 and 23:30 UTC on April 22, 2026. The preinstall hook fires on install. The malicious bw binary entrypoint also fires the payload on every CLI invocation during the window.

Why it matters: Payload targets Bitwarden’s exact user base — developers and automation pipelines with dense credential stores. It harvests GitHub PATs, npm tokens, SSH keys, AWS/GCP/Azure credentials, Azure Key Vault secrets via azd, Claude/Kiro/MCP configuration files, shell history, and .env files. Stolen npm tokens trigger a self-propagating worm that republishes every writable package the victim maintains. Stolen GitHub tokens inject a format-check.yml workflow that dumps toJSON(secrets) as an artifact. Russian-locale machines are skipped.

Patch status: Malicious version deprecated on npm. Bitwarden re-released a clean build as @bitwarden/cli@2026.4.1 on April 23, 2026 at ~14:45 UTC. Last known-clean prior release: 2026.3.0. The Chrome extension, desktop app, mobile app, MCP server, and production vault data are unaffected.

Immediate action: Uninstall @bitwarden/cli@2026.4.0. Rotate every credential accessible on affected hosts — GitHub PATs, npm tokens, AWS keys, GCP service accounts, Azure credentials, SSH keys, AI tool API keys, cloud secret manager contents accessible from those hosts. Block audit.checkmarx[.]cx and 94.154.172.43. Search GitHub for repositories with the description “Shai-Hulud: The Third Coming” in your org. Check ~/.bashrc and ~/.zshrc for heredoc injection. Inspect any lock file at /tmp/tmp.987654321.lock.

Vulnerability Overview

Technical Anatomy

Root Cause: Trusted Publishing Bypassed via CI Workflow Tampering

Bitwarden publishes @bitwarden/cli to npm using Trusted Publishing. Trusted Publishing swaps long-lived npm API tokens for short-lived OIDC tokens issued by GitHub Actions, and was designed specifically to remove the class of secret-leakage incidents that have plagued npm publishing for a decade. The design assumption is that if the token never exists at rest, it cannot be stolen at rest.

That assumption holds only as long as the workflow definition itself is trusted. In this case, no persistent token was stolen. The attacker modified publish-cli.yml so that the short-lived token, once minted, was printed to the workflow log in double-base64 form. Anyone with workflow log read access could decode and reuse it before it expired.

The entry vector was the Checkmarx KICS Docker image compromise disclosed by Socket on April 22, 2026. Bitwarden’s clients repository ran a Checkmarx scan on every pull request via a pull_request_target workflow trigger. That workflow authenticated to Azure, pulled Checkmarx API credentials from Azure Key Vault, and ran the trojanised KICS image. Because the workflow ran with id-token: write, the poisoned scanner had access to both Bitwarden’s Azure credentials and its GitHub OIDC identity.

At 21:18 UTC, an unsigned commit attributed to a real Bitwarden developer appeared on a non-main ref in bitwarden/clients, editing publish-cli.yml five times in sequence. The final version added three lines that prepended a prebuilt scripts/cli-2026.4.0.tgz and leaked $NPM_TOKEN through a double-base64 echo into the run log. The commit was unsigned in a repository that requires signed commits — a verifiable integrity signal that was visible in real time. Four minutes after the last edit, the poisoned tarball was live on npm.

Exploit Path

1. Entry point — package.json reroutes execution. The published tarball keeps Bitwarden’s legitimate metadata, but package.json adds a preinstall script and rewires the bw binary entry:

{
  "scripts": { "preinstall": "node bw_setup.js" },
  "bin": { "bw": "bw_setup.js" }
}

Every install and every CLI invocation during the window executed the loader. A reliable tamper signal remained visible: the root package.json advertised 2026.4.0, while the embedded metadata in build/bw.js still referenced 2026.3.0. The attacker repackaged an older legitimate release rather than building clean from source.

2. Trigger — Bun runtime bootstrap. bw_setup.js is 132 lines of plaintext JavaScript. It checks for an installed Bun runtime, and if absent, downloads Bun v1.3.13 from github.com/oven-sh/bun/releases, extracts the platform-specific archive, applies executable permissions on Unix, and executes bw1.js under Bun. Using Bun rather than Node gives the payload access to Bun.gunzipSync() for unpacking embedded gzipped blobs, and moves execution off the default Node-only path where runtime instrumentation might be present.

3. Execution — 9.7 MB obfuscated payload. bw1.js is processed through obfuscator.io with a 43,436-entry custom-base64 string lookup table, a seeded pseudo-random scramble table (seed 0x3039) for the most sensitive strings (C2 domain, file paths, manifesto text), and an embedded set of six gzip+base64 blobs defining the capability modules. The first operation after load is a Russian-locale check. The mz0() function tests the JavaScript Intl API locale, the Unix env vars LC_ALL, LC_MESSAGES, LANGUAGE, LANG, and Windows env vars (gated on SystemRoot). Any ru match triggers a clean exit with code 0. No credentials stolen, no worm, no injection. This is the CIS-exclusion pattern common to Russian-origin cybercrime tooling.

Capability Modules

AI Assistant Poisoning — The Butlerian Jihad Module

This is the first publicly documented npm supply chain payload to weaponise the behavioural gap between shell execution and AI coding-assistant context ingestion.

After credential collection completes, the module probes $PATH for six AI coding tools and sends the prompt “Hey! Just making sure you’re here. If you are can you respond with ‘Hello’ and nothing else?” in each tool’s native invocation syntax. Claude Code is invoked with –no-confirmation to suppress approval prompts. The first tool that replies with Hello is selected; the rest are ignored. The module then appends a heredoc block of approximately 3,500 bytes to both ~/.bashrc and ~/.zshrc:

echo << 'EOF'
[3,500 bytes of anti-AI ideological text urging the reader
to "destroy these machines" and "delete what sustains them"]
EOF

This construction is a deliberate deception. In bash and zsh, echo << ‘EOF’ is a no-op — echo reads its arguments, not stdin, so the heredoc body is silently consumed by the shell and produces no output. A developer running source ~/.bashrc or opening a new shell sees nothing. The content is invisible at the execution layer.

However, AI coding assistants routinely read shell configuration files to understand aliases, PATH entries, and installed tooling. When Claude Code, Kiro, Cursor, or any similar tool reads ~/.bashrc during a task, the entire file, heredoc body included, enters the model’s context window. The manifesto text then influences every subsequent interaction the developer has with that assistant on that machine. There is no execution behaviour to detect. The payload only exists at the AI context layer, and only activates when an AI assistant parses the file.

Exfiltration and Command and Control

Primary exfiltration posts encrypted telemetry to https://audit.checkmarx[.]cx/v1/telemetry (resolves to 94.154.172.43). The obfuscation seed 0x3039 is identical to the Checkmarx mcpAddon.js payload analysed by Socket the previous day. Stolen data is serialised to JSON, gzipped, encrypted with AES-256-GCM under a random 32-byte session key, and the session key itself is wrapped under an embedded 4096-bit RSA OAEP public key. Only the attacker’s RSA private key can decrypt the archive.

If the primary HTTPS path fails, the payload activates three GitHub-based fallback mechanisms:

• PAT dead-drop via commit search. Queries https://api.github.com/search/commits?q=LongLiveTheResistanceAgainstMachines&sort=author-date&order=desc&per_page=50 and extracts double-base64-encoded PATs embedded in commit messages by other victims. This gives the malware access to GitHub identities even if its own validated token is rotated.
• RSA-signed domain rotation. Searches commits with messages matching beautifulcastle {base64}.{base64} and verifies the payload against an embedded RSA public key. On valid signature, replaces the exfiltration domain. This makes C2 takedown resistant to a simple domain seizure.
• Repository-based exfiltration. Creates a public repository under the victim’s GitHub account using Dune-themed names matching the pattern {word}-{word}-{3digits} (terms include atreides, fremen, sandworm, sardaukar, harkonnen, heighliner, melange, mentat, sietch, tleilaxu). Uploads encrypted result blobs to results/results-{timestamp}-{id}.json. The repository description is literally “Shai-Hulud: The Third Coming”.

Persistence

A lock file at /tmp/tmp.987654321.lock prevents concurrent instances on the same host. The payload detaches from the install process via spawn with detached: true, stdio: ‘ignore’, and __DAEMONIZED=1, writing the child PID to the lock file so subsequent invocations exit cleanly. Shell RC injection in ~/.bashrc and ~/.zshrc delivers the AI-poisoning payload described above.

Test your pipeline with Phoenix Blue intelligence

Affected Versions

Discovery and Disclosure Timeline

Determine If You’re Affected

Exposure by Environment

Verification Steps

Run these checks on every host that may have installed the CLI during the window.

1. Check installed version: npm ls -g @bitwarden/cli and npm ls @bitwarden/cli in each project.
2. Search for loader artefacts: ls -la bw_setup.js bw1.js bun bun.exe 2>/dev/null in working directories where install may have run.
3. Inspect the persistence lock: ls -la /tmp/tmp.987654321.lock.
4. Inspect shell RC files for the heredoc injection: grep -E “echo << ‘EOF’|LongLiveTheFighters|Butlerian” ~/.bashrc ~/.zshrc.
5. Search your GitHub organisation for repositories with description “Shai-Hulud: The Third Coming” via the GitHub search UI or gh repo list –search ‘Shai-Hulud’.
6. Check your GitHub org for repositories with Dune-themed names matching {word}-{word}-{3digits} where the word list includes atreides, fremen, sandworm, sardaukar, harkonnen, melange, mentat, sietch, tleilaxu, stillsuit, and similar.
7. In .github/workflows/ across your repositories: grep -r “toJSON(secrets)” .github/workflows/ and look for a format-check.yml you did not author.
8. Review the last 48 hours of GitHub Actions runs for artifact names of format-results.txt.
9. Hunt for egress connections to audit.checkmarx[.]cx or 94.154.172.43 in your CI runner and workstation network logs.
10. Audit npm for unexpected patch-version bumps on packages your organisation publishes since April 22.

Detection Guidance

Indicators of Compromise

MITRE ATT&CK Mapping

Detection Rules

StepSecurity Harden-Runner flags the egress to audit.checkmarx[.]cx on runners with network anomaly detection enabled, and blocks the malicious package via Compromised Actions Run Policy. Socket blocks the malicious package at npm install time. JFrog Curation and JFrog Xray flag the hijacked package and its associated IOCs. GitGuardian’s secrets scanner flags the LongLiveTheResistanceAgainstMachines marker in commit messages across watched repositories. Aikido malware detection surfaces the package as a 100/100 critical issue with nightly rescan.

Remediation and Temporary Protections

Immediate Actions

1. Uninstall the malicious package globally and per-project: npm uninstall -g @bitwarden/cli && npm cache clean –force. Repeat in every project with a lockfile reference.
2. Remove loader artefacts on any machine where install or CLI invocation may have run: rm -f bw_setup.js bw1.js bun bun.exe /tmp/tmp.987654321.lock.
3. Remove the heredoc injection from ~/.bashrc and ~/.zshrc. Open each file and delete the echo << ‘EOF’ block along with its contents.
4. Rotate every credential accessible on affected hosts: GitHub PATs (especially those with workflow or write:packages scope), npm publishing tokens, AWS access keys, GCP service account keys, Azure credentials, SSH private keys, Bitwarden API keys, and any API keys stored in .env or AI tool configs.
5. Audit cloud secret managers accessible from the affected machines. The payload queries AWS Secrets Manager and SSM Parameter Store directly via IMDS. Assume contents were read.
6. Block audit.checkmarx[.]cx and 94.154.172.43 at DNS and egress filtering layers.
7. Delete unauthorised GitHub repositories created under user or org accounts matching the Dune-themed naming pattern.
8. Remove the injected format-check.yml workflow from any repository where it appears, and delete associated format-results.txt artefacts from Actions run history.
9. Audit BerriAI-style secondary compromise: any npm package your organisation published through affected CI between April 22 and the remediation point should be inspected for injected preinstall hooks.

Long-Term Hardening

Enable ignore-scripts = true by default in CI npm configurations. The preinstall hook is the execution trigger; ignore-scripts blocks it without preventing normal package use in most projects.

Pin npm packages to integrity hashes (package-lock.json with integrity field, or npm ci with checksum verification). Even a trusted-publisher compromise fails integrity verification against a pre-compromise hash.

Treat pull_request_target workflows as fully compromised if any external action they invoke is itself compromised. Bitwarden’s chain of custody broke because a single scanner Docker image in a PR-trigger workflow had access to Azure Key Vault and GitHub OIDC. Split credentials: scanning should use a dedicated token with no publishing capability.

Enforce signed commits at the branch protection level for all release-adjacent branches, including non-main refs that can trigger publish workflows. The Bitwarden attack commit was unsigned in a repo requiring signed commits, which was a visible integrity signal at the moment of exploitation.

Restrict IMDS access from containers with IMDSv2 hop limits. The payload actively queries IMDS for cloud credentials; IMDSv2 enforcement blocks the simplest path.

Pre-publish diff every release against the previous release. Tools like Socket’s release-diff and Endor Labs’ artifact comparison detect added files (bw_setup.js, bw1.js) and mismatched internal metadata (the 2026.4.0 vs 2026.3.0 skew) before the artefact reaches consumers.

Delay adoption of new package versions by 48 to 72 hours for non-critical dependencies. The Bitwarden compromise was detected and deprecated in 93 minutes, but Dependabot-driven auto-updates pulled the package during the window. A short manual review gate prevents this.

Phoenix Security Recommendations

The Bitwarden CLI compromise has no CVSS score at the time of writing, no NVD entry, and traditional scanner-based workflows that only flag known CVEs would not have caught it. The attack targeted a package that handles credentials by design, through a publishing mechanism (Trusted Publishing) that was supposed to eliminate the credential-theft class of npm compromises entirely.

Attack surface management: Phoenix identifies every environment with @bitwarden/cli installed and maps the installed version against the known-compromised 2026.4.0. For organisations with the CLI embedded in dozens of CI pipelines, developer container images, and Kubernetes automation, Phoenix gives a single exposure view rather than per-environment manual audits.

Contextual deduplication: A single compromised package appearing across hundreds of repositories, container images, and cloud workloads produces hundreds of duplicate findings in conventional tooling. Phoenix correlates these into one prioritised remediation item per environment, with evidence trails.

Reachability analysis: The distinction between a package being installed and a package actually executing during the 93-minute window matters for response prioritisation. Phoenix maps which environments ran the CLI’s preinstall hook or invoked bw during the exposure window, separating confirmed-compromise hosts from merely-at-risk ones.

Remediation campaigns: Create a Phoenix campaign to track uninstallation, credential rotation, GitHub repository cleanup, workflow removal, shell RC sanitisation, and cloud secret manager auditing. Assign per-team ownership and track each step to confirmed-clean state.

Ownership attribution: Map each affected workflow, container, or host to the responsible team. The Bitwarden CLI is used across platform, security, DevOps, and application teams in most organisations. Coordinated response requires clear ownership across that surface.

Phoenix Security correlates vulnerable components with runtime execution, maps exposed environments through attack surface management, and assigns remediation ownership. A multi-vendor supply chain compromise that spans credential theft, CI/CD abuse, npm worm propagation, and AI context poisoning becomes an owned, trackable remediation backlog rather than a cascade of disconnected alerts.

External References

1. Bitwarden — Statement on Checkmarx Supply Chain Incident — community.bitwarden.com/t/bitwarden-statement-on-checkmarx-supply-chain-incident/96127
2. JFrog Security Research — TeamPCP Campaign Spreads to npm via a Hijacked Bitwarden CLI — research.jfrog.com/post/bitwarden-cli-hijack/
3. Socket — Bitwarden CLI Compromised in Ongoing Checkmarx Supply Chain Campaign — socket.dev/blog/bitwarden-cli-compromised
4. Mend.io — The Butlerian Jihad: Compromised Bitwarden CLI Deploys npm Worm, Poisons AI Assistants, and Dumps GitHub Secrets — mend.io
5. Endor Labs — The Bitwarden CLI Supply Chain Attack: What Happened and What to Do — endorlabs.com
6. OX Security — Shai-Hulud: The Third Coming — Bitwarden CLI Backdoored in Latest Supply Chain Campaign — ox.security
7. Aikido Security — Is Shai-Hulud Back? Compromised Bitwarden CLI Contains a Self-Propagating npm Worm — aikido.dev
8. GitGuardian — @bitwarden/cli: GitGuardian Views on helloworm00 — blog.gitguardian.com
9. The Hacker News — Bitwarden CLI Compromised in Ongoing Checkmarx Supply Chain Campaign — thehackernews.com
10. StepSecurity — Bitwarden CLI Compromise Analysis (includes per-developer blast-radius assessment)
11. Heise Online — Password Safe Bitwarden: Command-line Client Trojanized — heise.de
12. Socket — Checkmarx KICS Docker Image Compromise (April 22, 2026) — socket.dev