A compromised Bitwarden CLI package linked to the Checkmarx campaign has exposed fresh risks in open-source CI/CD security, with AI developer tools now entering the threat landscape.
A supply chain attack targeting the open-source Bitwarden CLI has widened the ongoing Checkmarx campaign, exposing risks spanning developer environments, CI/CD pipelines and AI tooling ecosystems. Researchers from Socket, Ox Security, JFrog Security and StepSecurity traced the compromise to Bitwarden CLI version 2026.4.0, where attackers reportedly abused a GitHub Action to inject malicious code into a hijacked npm package.
The attack targeted one of the most widely used open-source password managers, used by more than 10 million people and 50,000 businesses, underscoring growing concern around trust in open-source software supply chains.
JFrog researcher Meiter Palas said the attackers preserved Bitwarden metadata while rewiring package behaviour to a malicious loader that downloaded a runtime and launched an obfuscated JavaScript payload aimed at stealing developer credentials, cloud secrets and GitHub Actions secrets.
Researchers also flagged what they called the first analysed npm compromise explicitly targeting AI coding tools, including Claude Code, Cursor, Kiro, Codex CLI and Aider.
The malware reportedly could use stolen GitHub tokens to enumerate repositories, inject malicious workflows and turn a compromised developer machine into a broader supply chain pivot.
Bitwarden said the malicious package was available for about 90 minutes, has since been deprecated, and that no evidence suggests end-user vault data or production systems were compromised.
Researchers also linked the attack to evolving Shai-Hulud activity, warning stronger package review guardrails are needed across npm and PyPI.
