Analysis
The official Bitwarden CLI npm package (@bitwarden/cli@2026.4.0) was distributed with a malicious payload for approximately 95 minutes on April 22, 2026 (5:57 PM to 7:30 PM ET). First reported by Socket Research Team, the compromise is a downstream consequence of TeamPCP abusing a GitHub Action in Bitwarden's CI/CD pipeline — the same delivery vector as the earlier Checkmarx kics-github-action compromise.
The payload (bw1.js) shares the same C2 infrastructure, obfuscation approach, and Bun runtime dependency as the Checkmarx mcpAddon.js payload. But bw1.js introduces capabilities not present in the earlier payload: a Russian-locale kill switch, shell-profile persistence via ~/.bashrc and ~/.zshrc, "Shai-Hulud: The Third Coming" GitHub exfiltration repository branding, and embedded debug strings referencing a "butlerian jihad." Bitwarden confirmed no end-user vault data was accessed and no production systems were compromised.
Delivery: GitHub Actions CI/CD compromise
The malicious bw1.js file was bundled into the npm tarball through abuse of a GitHub Action in Bitwarden's CI/CD pipeline. This is the same delivery pattern as the Checkmarx KICS GitHub Action compromise — the operator gained access to a workflow with publish permissions and injected the payload into the build artifact before it was published to npm. No vulnerability in npm, GitHub, or Bitwarden's code is required; the vector is the GitHub Actions workflow with write access to the package registry.
Shared tooling with mcpAddon.js
Socket reports that bw1.js shares three core artifacts with the April 22 Checkmarx mcpAddon.js payload:
- C2 endpoint: audit.checkmarx[.]cx/v1/telemetry — identical, same IP 94.154.172[.]43
- Obfuscation: __decodeScrambled with seed 0x3039 — same implementation
- Bun runtime: same dependency, downloaded from GitHub releases at first run
This is the same toolchain fingerprint that links multiple Mini Shai-Hulud npm payloads. __decodeScrambled with a specific seed is not a generic obfuscator; it is a shared build artifact that constitutes high-confidence attribution to common infrastructure.
New behaviors in bw1.js
Russian-locale kill switch: bw1.js exits silently when Intl.DateTimeFormat().resolvedOptions().locale or LC_ALL, LC_MESSAGES, LANGUAGE, or LANG begins with ru. This pattern appears across multiple TeamPCP payloads (also in the Nx Console Bun payload) and is consistent with the operator deliberately avoiding execution on Russian/CIS systems — either to reduce domestic exposure to law enforcement or to protect infrastructure in those jurisdictions.
Shell-profile persistence: The payload writes itself into ~/.bashrc and ~/.zshrc, ensuring re-execution on every subsequent shell session. This persistence mechanism is distinct from the systemd unit persistence in the durabletask payload and the LaunchAgent persistence in the Nx Console payload — suggesting the operator maintains a library of OS-specific persistence techniques.
Singleton lock and staging artifacts:
- Lock file: /tmp/tmp.987654321.lock
- Staging directories: /tmp/_tmp_<unix-epoch>/
- Packaging artifact: package-updated.tgz
"Shai-Hulud: The Third Coming" branding: Victim-account exfiltration repositories use the description "Shai-Hulud: The Third Coming" rather than the "Checkmarx Configuration Storage" description in mcpAddon.js. The "Third Coming" refers to the third wave of the worm — Shai-Hulud (intercom-client), followed by the Checkmarx compromises, followed by Bitwarden. The Dune word pool for repository names is documented in the IOCs.
Embedded debug strings: "Would be executing butlerian jihad!" — a reference to the Dune universe concept of exterminating thinking machines. These debug strings in committed artifacts are Layer 1 artifacts for detection in GitHub audit logs.
Attribution nuance
Socket identified three non-mutually-exclusive explanations for the branding shift from mcpAddon.js to bw1.js: a different operator sub-team reusing shared infrastructure; a splinter group with stronger ideological branding; or an evolution in public posture. The TeamPCP public claim via @pcpcats on April 22, 2026 — "Thank you OSS distribution for another very successful day at PCP inc." — covered the Checkmarx KICS compromise but no comparable public claim surfaced specifically for the Bitwarden payload at time of writing. The toolchain overlap is sufficient to attribute both to the same infrastructure regardless of which sub-team deployed the specific payload.
Indicators of compromise
Affected package: @bitwarden/cli@2026.4.0 (April 22, 2026, 5:57–7:30 PM ET only)
Network indicators (defanged):
- audit.checkmarx[.]cx — exfiltration endpoint
- 94.154.172[.]43 — C2 IP
Filesystem artifacts:
- /tmp/tmp.987654321.lock — singleton lock
- /tmp/_tmp_<unix-epoch>/ — staging directories
- package-updated.tgz — packaging artifact
- Bun runtime or audit.checkmarx.cx references appended to ~/.bashrc or ~/.zshrc
GitHub artifacts:
- Repositories with description beginning "Shai-Hulud: The Third Coming"
- Repository names using Dune word pool: atreides, cogitor, fedaykin, fremen, futar, gesserit, ghola, harkonnen, heighliner, kanly, kralizec, lasgun, laza, melange, mentat, navigator, ornithopter, phibian, powindah, prana, prescient, sandworm, sardaukar, sayyadina, sietch, siridar, slig, stillsuit, thumper, tleilaxu
- Commit messages beginning LongLiveTheResistanceAgainstMachines:
- Unexpected .github/workflows/format-check.yml referencing ${{ toJSON(secrets) }}
- Debug strings "Would be executing butlerian jihad!" in committed artifacts
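An added detection helper (written for this note, not code from Socket or Bitwarden) that classifies repository metadata, commit messages and committed files against the GitHub indicators listed above; the label names and the sample records are assumptions for illustration:

```python
import re

# Indicators copied from the advisory's "GitHub artifacts" list.
DUNE_WORD_POOL = {
    "atreides", "cogitor", "fedaykin", "fremen", "futar", "gesserit", "ghola",
    "harkonnen", "heighliner", "kanly", "kralizec", "lasgun", "laza", "melange",
    "mentat", "navigator", "ornithopter", "phibian", "powindah", "prana",
    "prescient", "sandworm", "sardaukar", "sayyadina", "sietch", "siridar",
    "slig", "stillsuit", "thumper", "tleilaxu",
}
REPO_DESCRIPTION_PREFIX = "Shai-Hulud: The Third Coming"
COMMIT_PREFIX = "LongLiveTheResistanceAgainstMachines:"
DEBUG_STRING = "Would be executing butlerian jihad!"
# The secrets-dump expression from the rogue format-check.yml workflow.
SECRETS_DUMP_RE = re.compile(r"\$\{\{\s*toJSON\(\s*secrets\s*\)\s*\}\}")


def repo_findings(name, description):
    """Return the indicator labels a repository name/description matches."""
    hits = []
    if description.startswith(REPO_DESCRIPTION_PREFIX):
        hits.append("exfil-description")
    # A name built only from pool words is corroborating, not conclusive on
    # its own: weigh it together with the description and creation time.
    tokens = [t for t in re.split(r"[^a-z0-9]+", name.lower()) if t]
    if tokens and all(t in DUNE_WORD_POOL for t in tokens):
        hits.append("dune-name")
    return hits

def commit_findings(message):
    """Flag the worm's commit-message prefix."""
    return ["resistance-commit"] if message.startswith(COMMIT_PREFIX) else []

def file_findings(path, content):
    """Flag a committed file by its path and by the strings it contains."""
    hits = []
    if path.endswith(".github/workflows/format-check.yml"):
        hits.append("format-check-workflow")
    if SECRETS_DUMP_RE.search(content):
        hits.append("secrets-dump")
    if DEBUG_STRING in content:
        hits.append("butlerian-debug-string")
    return hits

if __name__ == "__main__":
    # Constructed sample records, not data from any real account.
    print(repo_findings("sietch-mentat", "Shai-Hulud: The Third Coming"))
    print(file_findings(".github/workflows/format-check.yml",
                        "env:\n  DUMP: ${{ toJSON(secrets) }}\n"))
```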
Remediation
- Upgrade or reinstall @bitwarden/cli to a verified clean version. Version 2026.4.0 is the only malicious version.
- Remove persistence: delete /tmp/tmp.987654321.lock, any /tmp/_tmp_*/ staging directories, and package-updated.tgz. Remove audit.checkmarx.cx or Bun runtime entries from ~/.bashrc and ~/.zshrc.
- Rotate all exposed credentials: GitHub tokens, SSH keys, AWS/Azure/GCP credentials, npm publishing tokens, environment-variable secrets, Bitwarden vault material accessible via CLI session, Claude and MCP configuration material.
- Audit GitHub for "Shai-Hulud" repositories and unexpected format-check.yml workflow commits. Delete unauthorized repositories and revoke the tokens used to create them.
- Review npm packages you maintain for unexpected patch releases — the worm propagates through stolen .npmrc publishing tokens.
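An added host-side check for the first two remediation steps (written for this note, not Bitwarden's or Socket's tooling): it tests an installed package.json for the malicious version and labels filesystem paths and shell-profile lines against the artifacts listed above. The label names and sample inputs are assumptions; feed it real paths from a directory listing and the contents of ~/.bashrc and ~/.zshrc.

```python
import json
import os
import re

# Indicators from the advisory's "Filesystem artifacts" and "Remediation" lists.
MALICIOUS = ("@bitwarden/cli", "2026.4.0")
LOCK_FILE = "/tmp/tmp.987654321.lock"
STAGING_RE = re.compile(r"^/tmp/_tmp_\d+/?$")  # /tmp/_tmp_<unix-epoch>/
TARBALL = "package-updated.tgz"
C2_HOST = "audit.checkmarx.cx"

def is_malicious_package(package_json_text):
    """True if a package.json names the single compromised release."""
    meta = json.loads(package_json_text)
    return (meta.get("name"), meta.get("version")) == MALICIOUS

def path_indicators(paths):
    """Label candidate paths that match the payload's filesystem artifacts."""
    hits = []
    for p in paths:
        if p == LOCK_FILE:
            hits.append(("singleton-lock", p))
        elif STAGING_RE.match(p):
            hits.append(("staging-dir", p))
        elif os.path.basename(p) == TARBALL:
            hits.append(("packaging-artifact", p))
    return hits

def profile_indicators(text):
    """Flag ~/.bashrc or ~/.zshrc lines referencing the C2 host (high confidence)
    or a Bun runtime (review: a developer's own Bun install also adds such lines)."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        if C2_HOST in line:
            hits.append((n, "c2-reference"))
        elif re.search(r"\bbun\b", line, re.IGNORECASE):
            hits.append((n, "bun-reference"))
    return hits

if __name__ == "__main__":
    # Constructed sample input, not captured from a real host.
    print(is_malicious_package('{"name": "@bitwarden/cli", "version": "2026.4.0"}'))
    print(path_indicators(["/tmp/tmp.987654321.lock", "/tmp/_tmp_1776900000",
                           "/home/dev/package-updated.tgz", "/tmp/other"]))
    print(profile_indicators("export PATH=$PATH:~/.local/bin\n"
                             'export BUN_INSTALL="$HOME/.bun"\n'
                             "AUDIT_URL=https://audit.checkmarx.cx/v1/telemetry\n"))
```

For a global npm install, the package.json to check lives under the directory printed by `npm root -g`.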
Criminal-market signal
No dark-web presence for Bitwarden CLI compromise tooling has been observed. The shared audit.checkmarx.cx infrastructure confirmed across the Checkmarx and Bitwarden payloads applies the H2 (operator-run, no commodity market) assessment. The Russian-locale kill switch is consistent with a domestic-protection pattern in Eastern European cybercrime operations, not with commodity malware distribution.