
TeamPCP Campaign Hijacks Bitwarden npm Package to Steal Developer and Cloud Secrets

Take action: If you use @bitwarden/cli, this is urgent. Check your installed version; if it is 2026.4.0, assume that every credential on that machine (GitHub tokens, npm tokens, AWS/GCP/Azure keys, SSH keys, .env files) has been stolen and must be rotated immediately. Uninstall the package, clean the npm cache, downgrade to 2026.3.0 or use Bitwarden's official signed binaries, block the domain audit.checkmarx.cx at your network egress, and audit your GitHub account for any unauthorized repositories or workflow changes.



A malicious version of the official Bitwarden command-line client, published to npm as @bitwarden/cli@2026.4.0, was identified as a credential-stealing trojan tied to the ongoing TeamPCP/Checkmarx supply chain campaign. 

The rogue package was briefly distributed through the npm delivery path between 5:57 PM and 7:30 PM (ET) on April 22, 2026, before being detected, revoked, and deprecated. The attack vector was a compromised GitHub Actions workflow inside Bitwarden's own CI/CD pipeline, which allowed threat actors to publish a tampered release while retaining all of the legitimate Bitwarden branding and repository metadata. 

Researchers at Socket, JFrog, and OX Security identified a string inside the payload reading "Shai-Hulud: The Third Coming," suggesting this incident represents the next wave of the self-replicating npm worm campaign that first surfaced in September 2025. Security researcher Adnan Khan noted that this appears to be the first known compromise of a package using npm's Trusted Publishing mechanism.

The malicious package preserved the expected Bitwarden package.json metadata but rewired both the preinstall hook and the bw binary entrypoint to a custom loader named bw_setup.js. Once triggered by an npm install, the loader silently downloaded the Bun JavaScript runtime (version 1.3.13) from GitHub if it wasn't already present on the host, then executed a heavily obfuscated second-stage payload (bw1.js) under Bun rather than Node.js — an evasion technique that moves execution away from the expected code path. The payload then validated stolen GitHub tokens against api.github.com/user and, with a working Personal Access Token in hand, actively weaponized access by creating new repositories under the victim's own account and uploading encrypted JSON result blobs under a results/ directory. It also enumerated write-accessible repositories, listed GitHub Actions secrets, and committed malicious workflow files to extract additional secret material from CI environments.

The payload ran three primary collectors (filesystem, shell/environment, and GitHub Actions runner) to harvest an unusually broad set of developer and cloud secrets. Exfiltrated data categories include:

  • GitHub personal access tokens (ghp_..., gho_...) and npm tokens (npm_...)
  • SSH material (~/.ssh/id_*, known_hosts, keys)
  • Git credentials (.git/config, .git-credentials) and npm credentials (~/.npmrc)
  • Generic secret files (.env) and shell history (~/.bash_history, ~/.zsh_history)
  • AWS credentials (~/.aws/credentials), plus SecretsManager and SSM Parameter Store values
  • GCP credentials (~/.config/gcloud/credentials.db) and Secret Manager values
  • Azure Key Vault secrets and GitHub Actions secrets
  • AI and MCP tooling configuration files (~/.claude.json, ~/.claude/mcp.json, ~/.kiro/settings/mcp.json)

Exfiltration relied on two channels: 

  1. The primary route encrypted the gzipped result set using a hybrid scheme — a random AES-256-GCM session key wrapped with an embedded RSA-OAEP-SHA256 public key — and posted the encrypted envelope to hxxps://audit[.]checkmarx[.]cx/v1/telemetry (resolving to 94.154.172.43).
  2. If that HTTPS path failed, the malware pivoted to GitHub-based fallback infrastructure: it queried api.github.com/search/commits for the marker string LongLiveTheResistanceAgainstMachines to retrieve double-base64-encoded staged PATs, and searched for signed commit messages beginning with beautifulcastle, verified against an embedded RSA public key to discover replacement exfiltration domains. 

According to Bitwarden, no end-user vault data, production data, or production systems were accessed or compromised; the incident was limited to the npm distribution mechanism for the CLI during the roughly 93-minute window (which does not mean that downstream users of the Bitwarden npm package are not compromised).

Anyone who installed @bitwarden/cli version 2026.4.0 during the compromise window should treat all developer and cloud credentials present on that host as exposed. 

Responders should immediately run npm uninstall -g @bitwarden/cli followed by npm cache clean --force, set npm config set ignore-scripts true for untrusted installs, and downgrade to version 2026.3.0 (or use the official signed binaries from Bitwarden's website). 

All GitHub PATs, npm tokens, AWS access keys, GCP service account keys, and Azure Key Vault secrets accessible from the affected machine should be rotated, and GitHub Actions workflows, repository artifacts, and newly created repositories should be audited for unauthorized branches, workflow runs, or commit activity. 

The indicators audit.checkmarx.cx and 94.154.172.43 should be blocked at network egress points.
