Malicious npm Package Targets Bitwarden Users in Multi Stage Supply Chain Attack

The attack leverages a trojanized npm package to steal credentials from developer environments connected to Bitwarden CLI workflows.

CSBadmin

Attack Method and Infection Chain

Attackers have compromised the Bitwarden command line interface (CLI) tool by publishing a malicious npm package designed to steal developer credentials. The campaign, linked to the Checkmarx supply chain threat group, uses a trojanized version of the legitimate Bitwarden CLI to infect systems. Once installed, the rogue package silently exfiltrates sensitive data, including API keys, session tokens, and vault contents, from developer environments.

Impact and Scope

This attack primarily targets developers and organizations that use the Bitwarden CLI in automated workflows or CI/CD pipelines. The compromised package had been downloaded thousands of times before it was discovered. Bitwarden has released a security advisory recommending that users verify package integrity and update to the latest clean version. No CVEs have been assigned to this specific supply chain incident yet, but organizations should monitor their systems for unauthorized credential access.

Source: The Hacker News

CSBadmin

The latest in cybersecurity news and updates.