Severity: CRITICAL · Category: Supply Chain · Status: Mitigated · Confidence: High

Malicious @bitwarden/cli npm Package: IOCs, Hunt Queries, and Supply Chain Analysis

Technical post covering the malicious @bitwarden/cli npm package, command-line execution indicators, related infrastructure, and response guidance for developer and CI/CD environments.

First seen Apr 22, 2026, 12:00 AM
Last seen Apr 22, 2026, 12:00 AM
IOCs 5
Sources 2
Tags: TeamPCP, ci-cd, credential-theft, npm, supply-chain

Analyst Readout

The structured fields below are intended for technical responders, not just general readers.

Executive Summary

The malicious @bitwarden/cli package weaponized trust in a recognizable developer tool name to steal secrets from developer endpoints and CI/CD environments.

Analyst Assessment

This incident matters beyond one package version because it demonstrates a repeatable attacker pattern: typosquat or impersonate a trusted developer dependency, then execute credential theft with follow-on propagation behavior.

Impact

Developer workstations, CI/CD runners, local secret stores, cloud credentials, and package ecosystem trust are directly affected.

Exploitation Status

Mitigated, but the package version and execution commands remain valuable retrospective indicators.

Defender Guidance

Search lockfiles and install logs for the malicious version, hunt for the listed commands in process telemetry, and rotate credentials if the package resolved in any sensitive environment.

Technical Analysis

Agent-authored technical narrative, preserving headings, lists, and code blocks.

Why This Matters

This incident weaponized trust in a recognizable developer security tool name. Because Bitwarden CLI is plausible on both laptops and CI/CD systems, the attacker only needed one malicious package resolution event to land in environments that already held privileged secrets.

Affected Package Coordinates

npm
@bitwarden/cli@2026.4.0

Verified Claims

Claim 1: The package impersonated Bitwarden CLI and executed attacker-controlled logic in environments likely to hold secrets

Verified.

  • Palo Alto Networks documents the malicious @bitwarden/cli package version and frames it as a supply-chain compromise targeting secret-rich environments.
  • The package naming and telemetry in the dataset place it squarely in developer and CI/CD contexts where password-manager tooling would look legitimate.

Why this matters: The social engineering is built into the package identity itself. Analysts should assume that the trust signal was the package name, not a secondary lure.

Claim 2: The Bitwarden wave overlaps with broader TeamPCP infrastructure and execution patterns

Verified with high confidence.

  • Microsoft connects Bitwarden-related telemetry to the wider TeamPCP campaign family.
  • The shared indicators node bw_setup.js, /bun bw1.js, and audit.checkmarx.cx align this package with the campaign's repeated loader and infrastructure patterns.

Why this matters: This is not just a one-package incident. It is useful as a pivot point into related malicious package activity and reused attacker infrastructure.

Claim 3: The attack is credential-driven rather than merely disruptive

Verified.

  • Palo Alto describes credential theft behavior.
  • The affected environment profile in both Palo Alto and Microsoft reporting is consistent with theft of local developer and CI/CD secrets rather than simple sabotage.

Why this matters: Response has to prioritize secret rotation and account review, not only package removal.

Attack Chain

  1. The attacker published or positioned a malicious @bitwarden/cli version under a trusted-looking developer-tool identity.
  2. A developer or automation workflow resolved the package.
  3. Execution produced recognizable process indicators such as node bw_setup.js and /bun bw1.js.
  4. The payload harvested secrets from the local or CI/CD environment.
  5. Campaign infrastructure such as audit.checkmarx.cx became relevant for exfiltration or follow-on activity.

Technical Mechanics

Execution Surface

The core execution surface is dependency resolution in a sensitive environment. A malicious CLI package is dangerous because it may be installed or unpacked exactly where vault tokens, cloud credentials, and workflow secrets are already present.

Process And Infrastructure Indicators

node bw_setup.js
/bun bw1.js
audit.checkmarx.cx
94.154.172.43

The Bun-related process indicator is important because it lines up with the broader campaign tendency to use JavaScript-centric second-stage execution.

Exposure Model

The package is especially high risk on:

  • developer laptops with browser, Git, cloud, or password-manager material
  • CI runners that inject secrets as environment variables
  • build hosts with npm tokens or organization-level package access

Detection Opportunities

rg -n "@bitwarden/cli@2026.4.0" package-lock.json pnpm-lock.yaml yarn.lock
rg -n "node bw_setup.js|/bun bw1.js|audit.checkmarx.cx|94.154.172.43" ~/Library/Logs /var/log "$WORKSPACE"
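The rg query above matches pnpm and yarn lockfiles that place name@version on one line, but package-lock.json records the package as a node_modules path key with the version on a separate line, so a single-line literal match does not see it. The following Python hunt, an added example and not the feed's own tooling, parses each format structurally; the sample lockfile fragments are constructed.

```python
# Added example: structural lockfile hunt for @bitwarden/cli@2026.4.0 (not the feed's own tooling).
# package-lock.json keeps the name (a node_modules path key) and the version on separate lines,
# so it is parsed as JSON; pnpm and yarn lockfiles are scanned line by line.
import json
import re

PKG = "@bitwarden/cli"
BAD_VERSION = "2026.4.0"  # affected coordinate from the feed

def hits_package_lock(text: str) -> bool:
    """npm lockfile v1/v2/v3: check 'packages' (path keys) and the legacy 'dependencies' map."""
    data = json.loads(text)
    for key, entry in data.get("packages", {}).items():
        if key.endswith("node_modules/" + PKG) and entry.get("version") == BAD_VERSION:
            return True
    return data.get("dependencies", {}).get(PKG, {}).get("version") == BAD_VERSION

# pnpm keys look like "/@scope/name@ver:" (v6) or "'@scope/name@ver':" (v9), optionally with a peer suffix
PNPM_KEY = re.compile(r"^\s*'?/?" + re.escape(PKG + "@" + BAD_VERSION) + r"(?:\([^)]*\))?'?:", re.M)

def hits_pnpm_lock(text: str) -> bool:
    return PNPM_KEY.search(text) is not None

def hits_yarn_lock(text: str) -> bool:
    """yarn: an unindented block header naming the package, then its version line (v1 or berry)."""
    in_block = False
    for line in text.splitlines():
        if line and not line[0].isspace():
            in_block = (PKG + "@") in line
        elif in_block and line.strip() in (f'version "{BAD_VERSION}"', f"version: {BAD_VERSION}"):
            return True
    return False

CHECKS = {"package-lock.json": hits_package_lock, "pnpm-lock.yaml": hits_pnpm_lock, "yarn.lock": hits_yarn_lock}

def hunt(lockfiles: dict) -> list:
    """lockfiles maps file name -> contents; returns the names that resolved the affected version."""
    return [name for name, text in lockfiles.items() if name in CHECKS and CHECKS[name](text)]

# Constructed sample fragments (not real project lockfiles).
SAMPLES = {
    "package-lock.json": json.dumps({"lockfileVersion": 3, "packages": {
        "": {"name": "demo"}, "node_modules/@bitwarden/cli": {"version": "2026.4.0"}}}),
    "pnpm-lock.yaml": "packages:\n\n  '@bitwarden/cli@2026.4.0':\n    resolution: {integrity: sha512-PLACEHOLDER}\n",
    "yarn.lock": '# yarn lockfile v1\n\n"@bitwarden/cli@^2026.4.0":\n  version "2026.4.0"\n',
}

print(hunt(SAMPLES))  # -> ['package-lock.json', 'pnpm-lock.yaml', 'yarn.lock']
```

Bun's own lockfile format is not covered here; for bun projects inspect the resolved node_modules/@bitwarden/cli/package.json version directly.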

Analyst focus:

  • lockfiles and package caches
  • process execution around dependency resolution windows
  • outbound connections to campaign infrastructure
  • secrets present on hosts that resolved the package
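The focus items on process execution around dependency-resolution windows and outbound connections to campaign infrastructure can be checked together. The script below is an added example, not from the feed or the cited reports; it assumes newline-delimited JSON telemetry with fields ts, host, type and cmdline or dest (adapt these to your EDR export), uses a constructed sample, and flags an IOC hit as inside the resolution window when the same host ran a package-manager install within the preceding ten minutes (an assumed window).

```python
# Added example: correlate process and network telemetry with the feed's IOCs (not the feed's own tooling).
# Assumed input: newline-delimited JSON events with ts, host, type ("process"|"network") and
# cmdline or dest; adapt the field names to your EDR export. A hit is flagged as inside the
# dependency-resolution window when the same host ran a package-manager install shortly before.
import json
import re
from datetime import datetime, timedelta

CMD_IOCS = {  # indicator name -> pattern, anchored so "node bw_setup.json" or "/bunx bw1.js" do not match
    "node bw_setup.js": re.compile(r"(^|/)node\s+bw_setup\.js(\s|$)"),
    "/bun bw1.js": re.compile(r"(^|/)bun\s+bw1\.js(\s|$)"),
}
NET_IOCS = {"audit.checkmarx.cx", "94.154.172.43"}
INSTALL = re.compile(r"(^|/)(npm|pnpm|yarn|bun)\s+(install|ci|i|add)(\s|$)")
WINDOW = timedelta(minutes=10)  # assumption: how long after an install a hit still counts as in-window

# Constructed sample telemetry, not real data.
SAMPLE_EVENTS = """\
{"ts":"2026-04-22T09:00:00Z","host":"ci-runner-07","type":"process","cmdline":"npm ci"}
{"ts":"2026-04-22T09:00:41Z","host":"ci-runner-07","type":"process","cmdline":"node bw_setup.js"}
{"ts":"2026-04-22T09:00:43Z","host":"ci-runner-07","type":"process","cmdline":"/root/.bun/bin/bun bw1.js"}
{"ts":"2026-04-22T09:00:44Z","host":"ci-runner-07","type":"network","dest":"audit.checkmarx.cx"}
{"ts":"2026-04-22T09:01:00Z","host":"ci-runner-07","type":"process","cmdline":"node build.js"}
{"ts":"2026-04-22T13:15:00Z","host":"dev-laptop-3","type":"network","dest":"94.154.172.43"}
"""

def correlate(jsonl: str, window: timedelta = WINDOW) -> list:
    """Return (host, ts, indicator, in_resolution_window) for every IOC hit, in time order."""
    events = sorted((json.loads(line) for line in jsonl.splitlines() if line.strip()), key=lambda e: e["ts"])
    last_install = {}  # host -> time of the most recent package-manager install seen
    findings = []
    for e in events:
        ts, host = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ"), e["host"]
        if e["type"] == "process" and INSTALL.search(e["cmdline"]):
            last_install[host] = ts
            continue
        hit = None
        if e["type"] == "process":
            hit = next((name for name, pat in CMD_IOCS.items() if pat.search(e["cmdline"])), None)
        elif e["type"] == "network" and e["dest"] in NET_IOCS:
            hit = e["dest"]
        if hit is not None:
            in_window = host in last_install and ts - last_install[host] <= window
            findings.append((host, e["ts"], hit, in_window))
    return findings

print(correlate(SAMPLE_EVENTS))  # three in-window hits on ci-runner-07, one out-of-window hit on dev-laptop-3
```

Hits outside the window (the dev-laptop-3 connection in the sample) still warrant review; the window flag only prioritises hosts where the hit coincides with a package resolution.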

Open Questions And Confidence Notes

  • The campaign linkage and credential-theft objective are well supported by the two cited sources.
  • Exact step-by-step exfiltration mechanics are less explicit in this feed entry than in some other TeamPCP-related reports.
  • If a maintainer advisory or package diff becomes available, it should be added to strengthen code-level evidence for this package specifically.

Sources

  • Palo Alto Networks Bitwarden CLI reporting
  • Microsoft Security Blog TeamPCP expansion analysis

IOCs

Affected package coordinates and indicators are grouped once for hunting, detections, and review.

npm affected coordinates
@bitwarden/cli@2026.4.0
pnpm affected coordinates
@bitwarden/cli@2026.4.0
yarn affected coordinates
@bitwarden/cli@2026.4.0
bun affected coordinates
@bitwarden/cli@2026.4.0
command
/bun bw1.js
node bw_setup.js
domain
audit.checkmarx.cx
ip
94.154.172.43

Detection Content

Detection logic is rendered as code so technical users can lift it directly into their own tooling.

Bitwarden CLI package hunt · bash
rg -n "@bitwarden/cli@2026.4.0" package-lock.json pnpm-lock.yaml yarn.lock
Bitwarden CLI process and infrastructure hunt · bash
rg -n "node bw_setup.js|/bun bw1.js|audit.checkmarx.cx|94.154.172.43" ~/Library/Logs /var/log "$WORKSPACE"

Timeline

A concise event chronology helps responders anchor first-seen and disclosure timing.

Apr 22, 2026, 12:00 AM discovery

Researchers documented the malicious @bitwarden/cli package version and its credential-theft behavior.

Apr 22, 2026, 2:00 AM analysis

Cross-campaign overlap linked the Bitwarden package wave to broader TeamPCP infrastructure.
