Bitwarden CLI Compromised in Ongoing Checkmarx Supply Chain Campaign
Briefly

"The affected package version appears to be @bitwarden/cli@2026.4.0, and the malicious code was published in 'bw1.js,' a file included in the package contents."
"The attack appears to have leveraged a compromised GitHub Action in Bitwarden's CI/CD pipeline, consistent with the pattern seen across other affected repositories in this campaign."
"The rogue version of the package steals GitHub/npm tokens, .ssh, .env, shell history, GitHub Actions and cloud secrets, then exfiltrates the data to private domains and as GitHub commits."
"I believe this is the first time a package using NPM trusted publishing has been compromised."
The Bitwarden CLI package version @bitwarden/cli@2026.4.0 was compromised: malicious code was shipped in the file 'bw1.js' inside the package contents. The attack leveraged a compromised GitHub Action in Bitwarden's CI/CD pipeline. The rogue package harvested sensitive data, including GitHub/npm tokens and cloud secrets, and exfiltrated it to private domains. Although the malicious version is no longer available, the compromise follows the pattern seen across the Checkmarx campaign. The threat actor, suspected to be TeamPCP, used a malicious workflow to publish the compromised CLI package, a significant breach of NPM trusted publishing.
Read at The Hacker News
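One defender-side triage check for the indicators in the summary above, added here as an example and not code from the report, Bitwarden or Checkmarx: it scans a parsed npm lockfile for the named package version and an installed copy for the named file (the sample lockfile and helper names are constructed).

```python
"""Triage check for the compromised @bitwarden/cli release described above: scans a
parsed npm lockfile (v1 'dependencies' tree or v2/v3 'packages' map) for version
2026.4.0 and checks an installed copy for 'bw1.js'. Hypothetical helper, not Bitwarden's."""
import json
import os
from typing import Iterator

AFFECTED_PACKAGE = "@bitwarden/cli"
AFFECTED_VERSION = "2026.4.0"  # version named in the report
MALICIOUS_FILE = "bw1.js"      # file named in the report

def _walk_v1(deps: dict, path: str) -> Iterator[tuple[str, str, str]]:
    """Yield (name, version, path) from a lockfile-v1 nested 'dependencies' tree."""
    for name, meta in deps.items():
        here = f"{path}/node_modules/{name}" if path else f"node_modules/{name}"
        yield name, str(meta.get("version", "")), here
        yield from _walk_v1(meta.get("dependencies", {}), here)

def lockfile_entries(lock: dict) -> Iterator[tuple[str, str, str]]:
    """Yield (name, version, path) for every package recorded in a parsed lockfile."""
    if "packages" in lock:  # v2/v3 flat map (v2 also carries a v1 tree; skip it)
        for path, meta in lock["packages"].items():
            if path:  # "" is the root project itself, not a dependency
                name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
                yield name, str(meta.get("version", "")), path
    else:
        yield from _walk_v1(lock.get("dependencies", {}), "")  # lockfile v1 tree

def find_affected(lock: dict) -> list[str]:
    """Return every lockfile path that pins the compromised release."""
    return [path for name, ver, path in lockfile_entries(lock)
            if name == AFFECTED_PACKAGE and ver == AFFECTED_VERSION]

def installed_copy_suspicious(package_dir: str) -> bool:
    """True if an installed package directory contains the file named in the report."""
    return os.path.isfile(os.path.join(package_dir, MALICIOUS_FILE))

# Constructed sample lockfile (v3 layout) pinning the affected release.
SAMPLE_LOCK = json.loads("""{
  "name": "demo", "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo", "version": "1.0.0"},
    "node_modules/@bitwarden/cli": {"version": "2026.4.0"},
    "node_modules/left-pad": {"version": "1.3.0"}
  }
}""")

if __name__ == "__main__":
    for hit in find_affected(SAMPLE_LOCK):
        print(f"compromised release pinned at {hit}")  # prints node_modules/@bitwarden/cli
```

Run it against a real package-lock.json with `find_affected(json.load(open("package-lock.json")))`, and pass the installed package directory to `installed_copy_suspicious` to confirm whether the named file is present.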