Bitwarden CLI Compromised in Ongoing Checkmarx Supply Chain …

News

Bitwarden CLI npm package got compromised today; looks like part of the ongoing Checkmarx supply chain attack. If you're using @bitwarden/cli version 2026.4.0, you might want to check your setup.

From what researchers found:

- malicious file added (bw1.js)
- steals creds from GitHub, npm, AWS, Azure, GCP, SSH, env vars
- can read GitHub Actions runner memory
- exfiltrates data and even tries to spread via npm + workflows
- adds persistence through bash/zsh profiles

Some weird indicators:

- calls to audit.checkmarx.cx
- temp file like /tmp/tmp.987654321.lock
- random public repos with Dune-style names (atreides, fremen, etc.)
- commits with "LongLiveTheResistanceAgainstMachines"

Important part: this is only the npm CLI package right now, not the extensions or main apps.

If you used it recently: probably safest to rotate your tokens and check your CI logs and repos.

Source is Socket research (posted a few hours ago).

Curious if anyone here actually got hit or noticed anything weird.

submitted by /u/ApprehensiveEssay222
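A local triage check for the indicators listed in the post, added here as an example (not code from the post, Socket or Bitwarden). It only looks for the version, file, lock file, host and profile persistence the post names; the set of profile files scanned and the "no whitespace in paths" assumption are mine.

```shell
#!/bin/sh
# Added triage helper (not from the post, Socket or Bitwarden). Scans for the
# indicators the post lists, prints one line per finding, and exits with the
# number of findings (0 = nothing found). Assumes paths contain no whitespace.
# Usage: scan_bw_iocs <project_root> [profile_dir=$HOME] [tmp_dir=/tmp]

BAD_VERSION="2026.4.0"          # affected @bitwarden/cli release named in the post
BAD_HOST="audit.checkmarx.cx"   # callback host named in the post
BAD_FILE="bw1.js"               # dropped malicious file named in the post
BAD_LOCK="tmp.987654321.lock"   # temp lock file named in the post

scan_bw_iocs() {
  root="$1"; profiles="${2:-$HOME}"; tmpdir="${3:-/tmp}"; hits=0

  # 1. any vendored @bitwarden/cli at the affected version, and a bw1.js beside it
  for pkg in $(find "$root" -path '*/@bitwarden/cli/package.json' 2>/dev/null); do
    if grep -q "\"version\": *\"$BAD_VERSION\"" "$pkg"; then
      echo "AFFECTED VERSION $BAD_VERSION: $pkg"; hits=$((hits + 1))
    fi
    if [ -f "$(dirname "$pkg")/$BAD_FILE" ]; then
      echo "MALICIOUS FILE: $(dirname "$pkg")/$BAD_FILE"; hits=$((hits + 1))
    fi
  done

  # 2. lock file the payload leaves in the temp directory
  if [ -e "$tmpdir/$BAD_LOCK" ]; then
    echo "LOCK FILE: $tmpdir/$BAD_LOCK"; hits=$((hits + 1))
  fi

  # 3. bash/zsh profile persistence referencing the host or the dropped file
  #    (assumed file list; the post only says "bash/zsh profiles")
  for f in .bashrc .bash_profile .profile .zshrc .zprofile .zshenv; do
    if [ -f "$profiles/$f" ] && grep -q -e "$BAD_HOST" -e "$BAD_FILE" "$profiles/$f"; then
      echo "PROFILE PERSISTENCE: $profiles/$f"; hits=$((hits + 1))
    fi
  done

  # 4. GitHub Actions workflows referencing the callback host (the spread path)
  for wf in $(find "$root" -path '*/.github/workflows/*' -type f 2>/dev/null); do
    if grep -q "$BAD_HOST" "$wf"; then
      echo "WORKFLOW REFERENCE: $wf"; hits=$((hits + 1))
    fi
  done

  return "$hits"
}
```

Run it against each checkout and CI runner home that used the CLI; any non-zero exit is a reason to rotate the tokens the post lists and to review recent commits and workflow runs.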