Bitwarden CLI Backdoored on npm in 'Shai-Hulud: The Third Coming' Worm Attack (April 2026)
Bitwarden's official @bitwarden/cli npm package was briefly distributed as a credential-stealing, self-propagating worm on April 22, 2026 — the third wave of the 'Shai-Hulud' npm supply chain campaign. A CVE has been issued for version 2026.4.0; users should upgrade to 2026.4.1 and rotate every secret on any affected machine.
Bitwarden's open-source CLI package was briefly distributed as a credential-stealing, self-propagating npm worm on April 22, 2026. The malicious release of @bitwarden/cli version 2026.4.0 was live on npm for roughly 93 minutes — between 5:57 PM and 7:30 PM ET, according to Bitwarden's official statement — and embedded a worm that researchers at OX Security have dubbed "Shai-Hulud: The Third Coming."
What Happened
OX Security's research team — Moshe Siman Tov Bustan and Nir Zadok — published the technical breakdown on April 23, 2026, identifying the malicious release as a new variant of the Shai-Hulud worm, which has now hit npm three separate times in the past six months. The worm's name comes from a string literally embedded inside the malicious bundle: "Shai-Hulud: The Third Coming." @bitwarden/cli serves over 70,000 weekly downloads and more than 250,000 monthly downloads, making it one of the most consequential single-package compromises of the year so far.
Bitwarden security lead Adam Eckerle confirmed the incident in a community post: "The Bitwarden security team identified and contained a malicious package that was briefly distributed through the npm delivery path for @bitwarden/cli@2026.4.0 between 5:57 PM and 7:30 PM (ET) on April 22, 2026, in connection with a broader Checkmarx supply chain incident." Bitwarden emphasized that vault data, production systems and the legitimate Bitwarden CLI codebase were not affected — the attacker only briefly hijacked the npm distribution channel, not Bitwarden's source repositories or its hosted vault infrastructure. A CVE for @bitwarden/cli version 2026.4.0 is being issued in connection with the incident.
Key Details
- Affected package and version — only @bitwarden/cli@2026.4.0 on npm. Versions ≤ 2026.3.0 were not affected; the patched release is 2026.4.1.
- Window of exposure — 5:57 PM – 7:30 PM US Eastern Time on April 22, 2026. Per a community post by user grb, only about 334 Bitwarden users downloaded the malicious version during that window.
- What it stole — npm tokens, GitHub tokens, GitHub Actions runner information, and AWS, GCP and Azure cloud credentials. OX confirmed it observed real exfiltrated user data inside attacker-created public GitHub repositories.
- How it propagated — the worm uses a preinstall hook (bw_setup.js) to invoke bw1.js, which then downloads other npm packages owned by the victim, injects malicious code, and republishes them, infecting downstream consumers.
- Exfiltration channel — stolen secrets were AES-256-GCM encrypted with the attacker's public key, then uploaded as results-TIMESTAMP-ID.json files into new public GitHub repositories created on the victim's own account, using GitHub itself as the C2 server.
- Likely Russian origin — the malware exits immediately if the host machine has the Russian language configured, a common self-protection check that suggests the developers want to avoid infecting their own machines.
- Linked to a Checkmarx incident — Bitwarden has tied the npm publish-token compromise to a broader Checkmarx supply chain incident. No additional Bitwarden products or environments were impacted.
What Developers and Users Are Saying
Reaction in the Bitwarden Community Forums has been pragmatic but pointed. Within minutes of the official statement, user grb asked Bitwarden to harden its npm publish pipeline with the workflow other major maintainers already use — publish-only environments tied to specific protected branches, mandatory PR review, and an explicit approval step before npm publish runs. Another commenter — Nail1684 — clarified for posterity that "Bitwarden never released any (valid) Bitwarden CLI version 2026.4.0", since the previous official release was 2026.3.0 and the next legitimate release is the patched 2026.4.1.
Across the security industry the reaction is wearier. The Register's Jessica Lyons covered a second npm worm hitting Namastex Labs packages in the very same week — including @automagik/genie, pgserve, @fairwords/websocket, @fairwords/loopback-connector-es and several @openwebconcept packages — which Socket and StepSecurity say shares "strong overlap in attack techniques, tradecraft, and code lineage" with the earlier CanisterWorm and Trivy supply chain attacks attributed to TeamPCP. OX Security argues bluntly that "large-scale attacks through the NPM and PyPI registries could be avoided if stronger code review and guardrails were added during the package upload process."
What This Means for Developers
If you installed @bitwarden/cli from npm during the affected window — 5:57 PM – 7:30 PM ET on April 22, 2026 — Bitwarden's official remediation steps are explicit and non-negotiable:
- Uninstall the malicious package and run npm cache clean --force.
- Temporarily run npm config set ignore-scripts true while you clean up, so no further install hooks execute.
- Treat the entire machine as compromised. Rotate any secret stored in environment variables or accessible from the box: API tokens, SSH keys, npm tokens, GitHub PATs, and cloud (AWS/GCP/Azure) credentials.
- Review GitHub activity, CI workflows and connected accounts for unauthorized changes — and search for any new public repositories on your account containing the string "Shai-Hulud: The Third Coming".
- Install the patched @bitwarden/cli version 2026.4.1 and pin it explicitly in your CI to avoid a repeat exposure window.
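As an added illustration of the indicators listed under Key Details and the cleanup steps above (example code written for this page, not code from Bitwarden or OX Security), the following Python script checks a project's package-lock.json for the malicious 2026.4.0 release, flags install-time lifecycle scripts that reference the worm's bw_setup.js / bw1.js hook files, and verifies that @bitwarden/cli is pinned to exactly 2026.4.1. The sample lockfile and package.json contents, including the "node bw_setup.js" command string, are constructed for the example and are not recovered from the incident.

```python
from typing import Any

# Indicator values named in the incident write-up.
AFFECTED_PACKAGE = "@bitwarden/cli"
MALICIOUS_VERSION = "2026.4.0"
PATCHED_VERSION = "2026.4.1"
WORM_HOOK_FILES = ("bw_setup.js", "bw1.js")


def malicious_lockfile_entries(lock: dict[str, Any]) -> list[str]:
    """Return install paths that resolve @bitwarden/cli to the malicious 2026.4.0."""
    hits = []
    # lockfileVersion 2/3: flat "packages" map keyed by node_modules path.
    for path, meta in lock.get("packages", {}).items():
        if path.endswith("node_modules/" + AFFECTED_PACKAGE) and meta.get("version") == MALICIOUS_VERSION:
            hits.append(path)
    # lockfileVersion 1: nested "dependencies" map keyed by package name.
    for name, meta in lock.get("dependencies", {}).items():
        if name == AFFECTED_PACKAGE and meta.get("version") == MALICIOUS_VERSION:
            hits.append(name)
    return hits


def worm_install_hooks(package_json: dict[str, Any]) -> list[str]:
    """Return install-time lifecycle scripts that reference the worm's hook files."""
    scripts = package_json.get("scripts", {})
    return [f"{hook}: {scripts[hook]}" for hook in ("preinstall", "install", "postinstall")
            if hook in scripts and any(name in scripts[hook] for name in WORM_HOOK_FILES)]


def is_pinned_to_patched(package_json: dict[str, Any]) -> bool:
    """True only if @bitwarden/cli is declared as the exact patched version (no ^ or ~ range)."""
    for section in ("dependencies", "devDependencies"):
        spec = package_json.get(section, {}).get(AFFECTED_PACKAGE)
        if spec is not None:
            return spec == PATCHED_VERSION
    return False


# Constructed sample inputs; the "node bw_setup.js" command is an assumed hook invocation.
SAMPLE_LOCK = {"lockfileVersion": 3,
               "packages": {"node_modules/@bitwarden/cli": {"version": "2026.4.0"}}}
SAMPLE_WORM_PKG = {"name": "@bitwarden/cli", "version": "2026.4.0",
                   "scripts": {"preinstall": "node bw_setup.js"}}
SAMPLE_CLEAN_PKG = {"name": "my-app", "dependencies": {"@bitwarden/cli": "^2026.4.1"}}

if __name__ == "__main__":
    print(malicious_lockfile_entries(SAMPLE_LOCK))  # ['node_modules/@bitwarden/cli']
    print(worm_install_hooks(SAMPLE_WORM_PKG))  # ['preinstall: node bw_setup.js']
    print(is_pinned_to_patched(SAMPLE_CLEAN_PKG))  # False: a caret range is not an exact pin
```

Run the functions over every package.json under node_modules as well as the project root, since the worm republishes other packages owned by the victim and a clean top-level manifest says nothing about transitive dependencies.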
If you only use the desktop, mobile or browser-extension versions of Bitwarden, you are unaffected — the incident touched only the CLI's npm distribution path, not Bitwarden's vaults or its other clients. The CLI binaries shipped via Bitwarden's GitHub releases were also unaffected.
What's Next
Bitwarden says it has "completed a review of internal environments, release paths, and related systems, and no additional impacted products or environments have been identified at this time", and that it is "in the process of completing a full review and will implement mitigation to prevent such attacks in the future." Watch the bitwarden/clients GitHub releases page and the official community thread for hardening updates — community pressure is already pushing for a publish-environment + branch-protection + mandatory-approval setup that would make a future single-token compromise insufficient to push to npm.
For the broader npm ecosystem, this is the third Shai-Hulud wave in six months on top of fresh CanisterWorm-style infections in Namastex Labs packages the same week. The pattern is now clear: CI/CD publish tokens are the weak link, and self-propagating worms that turn each victim's npm and GitHub credentials into a delivery mechanism for the next attack are quickly becoming the default mode of npm supply chain compromise.
Sources
- Bitwarden Community Forums — official statement by Adam Eckerle, April 23, 2026 — primary source for timeline, affected versions and remediation.
- OX Security — "Shai-Hulud: The Third Coming — Bitwarden CLI Backdoored" by Moshe Siman Tov Bustan & Nir Zadok, April 23, 2026 — primary technical analysis, propagation mechanism and Russian-language check.
- The Register — "Another npm supply chain worm hits dev environments" by Jessica Lyons, April 22, 2026 — coverage of the related Namastex Labs npm worm and Socket/StepSecurity analysis.
- The Hacker News — "Self-Propagating Supply Chain Worm Hijacks npm Packages to Steal Developer Tokens", April 2026 — broader supply chain context.
- bitwarden/clients GitHub Releases — confirms the legitimate release sequence (2026.3.0 → 2026.4.1, with 2026.4.0 deprecated).