At 17:57 ET on April 22, 2026, the @bitwarden/cli npm package — 78,000 weekly downloads, the official command-line tool shipped by the password manager company of the same name — published version 2026.4.0. The release contained two new files (bwsetup.js and bw1.js), a freshly added preinstall hook, and a worm payload that its own code identified as “Shai-Hulud: The Third Coming.” Ninety-three minutes later, at 19:30 ET, Bitwarden’s security team had yanked the version from the registry. In that window, 334 installs completed, and any machine that ran npm install @bitwarden/cli in that span handed over its developer credentials to an attacker who is almost certainly still operating inside Bitwarden’s CI/CD supply chain.

The compromise is the latest link in the campaign that Socket, JFrog, Sophos, and others have been tracking as the Checkmarx / TeamPCP cluster — the same operation that hijacked Aqua Security’s trivy-action GitHub Action in March and continued into a Checkmarx KICS Docker Hub and VS Code Marketplace compromise earlier this week. Bitwarden was the downstream consumer: one of the confirmed index cases started with a developer pulling a trojanized Checkmarx KICS image the morning of April 22, which gave the attacker a foothold from which they appear to have pivoted into Bitwarden’s publish-ci.yml workflow in github.com/bitwarden/clients.

The mechanics are unsubtle once you read the diff against 2026.3.0. package.json in the bad build adds "preinstall": "node bwsetup.js" and rewrites the bw bin entry from build/bw.js to bwsetup.js, so every consumer gets the payload on install and every subsequent invocation of bw also detonates it. bwsetup.js stages bw1.js (SHA-256 18f784b3bc9a0bcdcb1a8d7f51bc5f54323fc40cbd874119354ab609bef6e4cb), which enumerates the host for GitHub personal access tokens, npm tokens, ~/.ssh, .env files, shell history, cloud credential files (~/.aws, ~/.config/gcloud, Azure CLI caches), GitHub Actions secret patterns, and AI coding assistant tokens (Claude, Cursor, Copilot configs). It also sweeps for Electrum, MetaMask, and common self-custody wallet files — the crypto-wallet-targeting piece is what picked this up on the beIn/Bitget wires before the developer outlets caught it.

Exfiltration is AES-256-GCM-encrypted and sent to audit.checkmarx[.]cx (IP 94.154.172[.]43) — a domain chosen so that corporate network telemetry sees the word “checkmarx” in outbound DNS and treats it as benign security-vendor traffic. Belt and suspenders: when bw1.js finds a valid GitHub token with repo write, it also commits the stolen blob back to an attacker-created public repository on the victim’s own account, descriptioned “Shai-Hulud: The Third Coming” with commit messages matching the pattern LongLiveTheResistanceAgainstMachines:. Those are the repository-side IOCs to sweep for.

The worm piece is the part that matters beyond a normal stealer. If the harvested npm token has publish rights to any packages, bw1.js forks the payload into those packages — same preinstall trick, same staging — and republishes them. This is the third observed variant of what the npm ecosystem has started calling “Shai-Hulud” (after the September 2025 and January 2026 incidents), and each generation has sanded off a different detection avenue from the last. The current version does not create the loud shai-hulud repository the earlier waves used; instead it co-opts existing repositories the token can reach and pushes the exfil as a normal-looking commit.

Who is affected: anyone who ran npm install -g @bitwarden/cli or pulled @bitwarden/[email protected] via a lockfile update, a CI job, a Docker image rebuild, a Renovate/Dependabot auto-merge, or any transitive pull between 21:57 UTC and 23:30 UTC on April 22. bwsetup.js running once is enough — the credentials have already been exfiltrated, and if any GitHub token had publish scope, secondary damage has already propagated. Bitwarden’s vault data itself is not involved; this is a CLI-package supply-chain incident, not a vault breach, and the company has stated production systems and end-user vaults were not compromised.

What to do right now, in order. First, check every machine that touches npm for the bad version: npm ls -g @bitwarden/cli and grep lockfiles for 2026.4.0. Second, if you find it: rotate everything — GitHub PATs, npm tokens, AWS/GCP/Azure access keys, cloud secret manager entries, SSH keys the machine had access to, and any secrets injected into CI by that machine’s workflows. Third, audit your GitHub organization for repositories you did not create with the description string Shai-Hulud: The Third Coming or commit messages starting LongLiveTheResistanceAgainstMachines: — those are the attacker’s exfil stores living on your own account. Fourth, block audit.checkmarx[.]cx and 94.154.172[.]43 at egress. Fifth, if your CI image layers include the Checkmarx KICS Docker image pulled April 22 or later, rebuild from a clean base — that is the suspected upstream pivot. Downgrade to @bitwarden/[email protected] or use the signed binaries from bitwarden.com/download in the meantime; a fixed 2026.4.1 is expected once Bitwarden completes its own CI/CD forensics. A CVE is being issued for the tainted build.

Bitwarden, Socket, JFrog, and Endor Labs have each published advisories. The two-month-running Checkmarx/TeamPCP cluster is not slowing down, and the publish-ci.yml-style CI compromise is the pattern to watch for on any project you depend on that ships via npm, PyPI, or Docker Hub.

References: