Bitwarden CLI Compromised — Shai-Hulud Campaign Targets AI Coding Assistants

AI relevance: A compromised Bitwarden CLI package included a credential harvester that specifically targeted AI coding assistant configuration files (Claude, Cursor, Codex CLI, Kiro, Aider) — turning a password manager into a supply-chain vector for stealing AI toolchain credentials.

For roughly 90 minutes on April 22, installing @bitwarden/cli@2026.4.0 from npm deployed a credential-stealing payload disguised as a routine update. The package was published through Bitwarden's CI/CD pipeline after attackers compromised a GitHub Action used in the project's release workflow — part of a broader campaign that also hit Checkmarx KICS Docker images, VS Code extensions, and the xinference PyPI package.

What the malware did

  • AI coding assistant configs: The payload actively scanned for and harvested configuration data for Claude Code, Cursor, Codex CLI, Kiro, and Aider — treating AI toolchain credentials as a first-class target alongside traditional secrets.
  • Developer credential sweep: Collected GitHub tokens, npm publish tokens, SSH keys, .env files, shell history, GitHub Actions secrets, and cloud provider credentials (AWS, Azure, GCP).
  • Dual exfiltration: Stolen data was AES-256-GCM encrypted and sent to audit.checkmarx[.]cx (a domain impersonating Checkmarx infrastructure). If that failed, the malware pushed credentials as commits to GitHub repositories in the victim's namespace — making exfiltrated data publicly discoverable.
  • Self-propagation risk: A single infected developer becomes an entry point for broader supply-chain compromise, with the attacker gaining persistent CI/CD injection access to every pipeline the developer's tokens can reach.

How it happened

  • Attackers compromised a Bitwarden engineer's GitHub account, then created a new branch in the bitwarden/clients repository.
  • They staged a prebuilt malicious tarball and rewrote publish-cli.yml to exchange a GitHub Actions OIDC token for an npm auth token via the npm registry API.
  • The workflow then published the malicious tarball directly to npm as version 2026.4.0.
  • Only 334 downloads were recorded during the 90-minute window, but the CI/CD and AI toolchain targeting multiplies downstream impact.

Why it matters

  • AI toolchain as a credential tier: The malware treats AI coding assistant configs as a distinct credential category. Compromised AI assistant tokens could grant access to codebases, CI/CD pipelines, and cloud resources those assistants are configured to use.
  • GitHub as exfiltration channel: Using victim-owned GitHub repos as a fallback exfiltration channel means stolen credentials may be publicly accessible to anyone — not just the original threat actor.
  • Cascading supply-chain risk: This campaign (attributed broadly to the "Shai-Hulud" malware ecosystem) demonstrates how compromising one developer tool's CI/CD can cascade across multiple ecosystems (npm, PyPI, Docker Hub).

What to do

  • Confirm you're running @bitwarden/cli@2026.4.1 or later. Remove any 2026.4.0 installation.
  • Rotate all secrets that were accessible on machines where the compromised CLI was installed — especially AI coding assistant API keys and tokens.
  • Audit your GitHub repositories for unexpected commits or new repos created during the April 22 window (5:57–7:30 PM ET).
  • Review CI/CD pipeline permissions and limit which GitHub Actions workflows can publish packages.
  • Include AI coding assistant configuration directories in your secret-scanning and DLP policies alongside traditional credential stores.
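
The version check in the first step, as an added example (not Bitwarden's tooling and not code from the original page): a Python scan that walks a directory for npm lockfiles pinning @bitwarden/cli 2026.4.0 and for installed copies of that version. It assumes standard npm lockfile layouts (lockfileVersion 1 to 3); the function names are illustrative, and for global installs the directory to pass is the one printed by `npm root -g`.

```python
import json
import os
import sys

PKG = "@bitwarden/cli"    # package named in the article
BAD_VERSION = "2026.4.0"  # compromised version named in the article

def lock_hits(lock):
    """Return the places in one parsed lockfile that pin BAD_VERSION."""
    hits = []
    # lockfileVersion 2/3: flat "packages" map keyed by install path
    for path, meta in lock.get("packages", {}).items():
        if path.endswith("node_modules/" + PKG) and meta.get("version") == BAD_VERSION:
            hits.append(path)
    # lockfileVersion 1/2: nested "dependencies" tree keyed by package name
    def walk(deps, trail):
        for name, meta in deps.items():
            if name == PKG and meta.get("version") == BAD_VERSION:
                hits.append(" > ".join(trail + [name]))
            walk(meta.get("dependencies", {}), trail + [name])
    walk(lock.get("dependencies", {}), [])
    return hits

def scan(root):
    """Walk root and return (file, detail) pairs for lockfile pins and installed copies."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        installed_here = dirpath.replace(os.sep, "/").endswith("node_modules/" + PKG)
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                if name == "package-lock.json":
                    with open(full, encoding="utf-8") as fh:
                        findings += [(full, hit) for hit in lock_hits(json.load(fh))]
                elif name == "package.json" and installed_here:
                    with open(full, encoding="utf-8") as fh:
                        if json.load(fh).get("version") == BAD_VERSION:
                            findings.append((full, "installed copy"))
            except (OSError, ValueError, AttributeError):
                continue  # unreadable or malformed file: skip it, keep scanning
    return findings

if __name__ == "__main__":
    results = scan(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, detail in results:
        print(f"FOUND {PKG}@{BAD_VERSION}: {path} ({detail})")
    sys.exit(1 if results else 0)
```

A lockfileVersion 2 file carries both maps, so the same pin can be reported twice. Exit status 1 means at least one match was found.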
