Checkmarx supply chain hack impacts Bitwarden CLI

Supply chain, DevSecOps, Threat Intelligence, Identity

Bitwarden CLI was affected by the TeamPCP-linked supply chain intrusion against Checkmarx, Socket and JFrog researchers reported, according to The Hacker News. Bitwarden has confirmed the intrusion, stressing that end-user vault data was not compromised. Attackers reportedly leveraged a compromised GitHub Action in the CI/CD pipeline to publish a malicious @bitwarden/cli package to npm; the malicious package has since been removed. OX Security found the string "Shai-Hulud: The Third Coming" in the malicious package, a reference to last year's Shai-Hulud supply chain attack campaign.

"The latest Shai Hulud incident is just the latest in a long chain of threats targeting developers around the world. User data is being publicly exfiltrated to GitHub, often going undetected because security tools typically don't flag data being sent there," said OX Security's Moshe Siman Tov Bustan.

Bitwarden said a CVE for Bitwarden CLI version 2026.4.0 is being released and confirmed that no additional affected environments or products have been identified at this time.

