
Bitwarden CLI Compromised in Ongoing Checkmarx Supply Chain Attack
Supply Chain Attack, Credential Theft, Malware, Data Exfiltration
The Bitwarden CLI npm package (version 2026.4.0) was compromised as part of a supply chain attack. The malicious version includes a file (bw1.js) that steals credentials from GitHub, npm, AWS, Azure, GCP, SSH, and environment variables, and reads GitHub Actions runner memory. It exfiltrates data, attempts to spread via npm and workflows, and establishes persistence through bash/zsh profiles. Indicators include calls to audit.checkmarx.cx, temporary files like /tmp/tmp.987654321.lock, and suspicious commits referencing "LongLiveTheResistanceAgainstMachines".
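A host triage check built from the indicators listed above, as an added example that is not from the advisory or from Bitwarden. It assumes the CLI is installed from npm as `@bitwarden/cli` and that the usual bash/zsh startup files are in use; the advisory does not say what the persistence entry looks like, so the profile check only searches for the two string indicators it names.

```python
import json
import os
from pathlib import Path

# Indicators taken from the advisory text above.
BAD_VERSION = "2026.4.0"
DROPPED_FILE = "bw1.js"
LOCK_FILE = "tmp.987654321.lock"
STRINGS = ("audit.checkmarx.cx", "LongLiveTheResistanceAgainstMachines")
# Assumption: the CLI is published on npm as @bitwarden/cli.
PKG_DIR = Path("node_modules") / "@bitwarden" / "cli"
# Assumption: the usual bash/zsh startup files.
PROFILES = (".bashrc", ".bash_profile", ".profile", ".zshrc", ".zprofile")


def scan(project_root, home, tmp_dir="/tmp"):
    """Return a list of (indicator, path) findings; empty means no hits."""
    findings = []
    # Walk the whole tree so nested node_modules copies are checked too.
    for dirpath, _, _ in os.walk(project_root):
        pkg = Path(dirpath) / PKG_DIR
        manifest = pkg / "package.json"
        if not manifest.is_file():
            continue
        try:
            version = json.loads(manifest.read_text(encoding="utf-8")).get("version")
        except (OSError, ValueError, AttributeError):
            version = None  # unreadable manifest: still check for the file
        if version == BAD_VERSION:
            findings.append(("compromised-version", str(manifest)))
        for hit in pkg.rglob(DROPPED_FILE):
            findings.append(("dropped-file", str(hit)))
    lock = Path(tmp_dir) / LOCK_FILE
    if lock.exists():
        findings.append(("temp-lock-file", str(lock)))
    for name in PROFILES:
        profile = Path(home) / name
        try:
            text = profile.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue  # profile absent or unreadable
        for needle in STRINGS:
            if needle in text:
                findings.append((f"profile-mentions:{needle}", str(profile)))
    return findings


if __name__ == "__main__":
    for indicator, path in scan(Path.cwd(), Path.home()):
        print(f"{indicator}\t{path}")
```

An empty result only means these specific indicators were not found on disk; it does not cover credentials already exfiltrated or the network and commit-history indicators.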