Malicious Code Found in Bitwarden CLI via Checkmarx Campaign

Security researchers have discovered that the Bitwarden command line interface (CLI) package was compromised as part of a broader, ongoing supply chain attack linked to Checkmarx. The finding was announced by application security firms JFrog and Socket.

The affected package version is identified as @bitwarden/[email protected]. According to the security researchers, malicious code was published in a file named “bw1.js” that was included in the package contents. The specific mechanisms of the attack and the full extent of the compromise are still under investigation.

Details of the Compromise

The malicious code was uploaded to the npm registry under a package name that closely mimicked the legitimate Bitwarden CLI tool. This form of impersonation, often called typo-squatting, is a common tactic in supply chain attacks aimed at tricking developers into downloading malicious dependencies.

The compromised file, “bw1.js,” is reportedly designed to execute malicious operations while appearing to be a legitimate part of the Bitwarden CLI source code. JFrog and Socket have stated that the attack likely leveraged an existing vulnerability or a compromised credential related to a developer account or automated pipeline within the software supply chain.

Broader Campaign Context

This incident is not isolated. It has been tied to an ongoing campaign reportedly originating from or involving Checkmarx, a prominent provider of application security testing solutions. The campaign appears to target development tools and popular open source packages used by enterprise systems, aiming to inject backdoors or steal sensitive data, such as authentication tokens and environment variables.

The exposure of the Bitwarden CLI package is particularly concerning because developers and DevOps teams frequently use the CLI to manage secrets, passwords, and other sensitive credentials from the command line. A compromise at this level could give attackers access to critical infrastructure or user data.

Immediate Security Recommendations

Organizations that have used or installed the affected Bitwarden CLI version are advised to audit their systems for signs of compromise. Security teams should check for the presence of the “bw1.js” file and any unexpected outbound network traffic. Researchers also recommend rotating all credentials, tokens, and secrets that may have been exposed through the use of the compromised package.

The malicious package is believed to have had a limited lifespan on the npm registry before it was taken down. However, users who downloaded the package during that window remain at risk until a full cleanup is performed.

Industry Response and Investigations

Both JFrog and Socket have reported their findings to the relevant package registries and security bodies. The npm security team has likely removed the malicious version and is working to prevent similar impersonations in the future. Bitwarden has not yet issued a formal public statement regarding the compromise of the CLI package or any impact on its backend infrastructure or other services.

The Checkmarx supply chain campaign has drawn attention to the vulnerabilities inherent in open source software distribution. These attacks continue to highlight the need for stronger validation of package integrity and more rigorous authentication for publisher accounts on platforms like npm.

Looking Forward

Further analysis of the malicious code and the attack vector is expected from security researchers in the coming days. Developers are urged to verify the integrity of their software dependencies using checksums or signed commits and to consider implementing stronger package inspection tools as part of their continuous integration pipelines. The incident serves as a reminder of the persistent risks in the open source software ecosystem and the importance of proactive supply chain security measures.

Source: JFrog, Socket