On 22 April 2026, two of the most trusted names in developer security — Bitwarden and Checkmarx — were compromised within hours of each other. Both attacks targeted CI/CD pipelines, both exfiltrated developer credentials, and both appear to be the work of the same threat actor: TeamPCP, the group behind previous strikes on Trivy and LiteLLM.
If your team relies on either tool — and most development teams rely on at least one — you need to understand what happened, what it means for your security posture, and what to do next.
TL;DR
- A malicious @bitwarden/cli npm package (v2026.4.0) was distributed for ~90 minutes on 22 April via a compromised GitHub Action in Bitwarden’s CI/CD pipeline
- Checkmarx’s KICS tool was simultaneously compromised — malicious Docker images and VSCode extensions harvested developer credentials for ~84 minutes
- Both attacks exfiltrated npm tokens, GitHub tokens, SSH keys, and cloud credentials (AWS, Azure, GCP) using AES-256-GCM encryption
- The Bitwarden malware included self-propagation capabilities, injecting malicious code into other packages the victim could publish
- TeamPCP is attributed to both campaigns, continuing a pattern that includes Trivy and LiteLLM supply chain compromises
- Development teams should rotate all credentials immediately if either tool was updated during the attack window
The Bitwarden CLI Compromise: 90 Minutes of Mayhem
The attack began with a compromised GitHub Action in Bitwarden’s CI/CD pipeline. Attackers used this foothold to push a malicious version (2026.4.0) of the @bitwarden/cli package to npm.
The malicious package was live between 5:57 PM and 7:30 PM ET — roughly 90 minutes. In that narrow window, the payload did considerable damage.
How the payload worked
The malware was surprisingly sophisticated for a smash-and-grab operation:
- Custom loader (bw_setup.js) — checked for the Bun runtime, downloading and installing it if absent
- Obfuscated stealer (bw1.js) — harvested npm tokens, GitHub authentication tokens, SSH keys, and cloud credentials from AWS, Azure, and Google Cloud
- Encrypted exfiltration — stolen data was encrypted with AES-256-GCM and uploaded to automatically created GitHub repositories under the victim’s own account
- Self-propagation — the malware identified other packages the victim had write access to and injected them with malicious code, enabling downstream supply chain attacks
That last point is what makes this particularly dangerous. A single infected developer could unknowingly spread the malware to every package they maintain — turning one compromise into dozens.
The Checkmarx KICS Breach: Your Security Scanner Was the Threat
Running in parallel, attackers compromised multiple distribution channels for Checkmarx’s KICS (Keeping Infrastructure as Code Secure) tool — a tool explicitly designed to find security vulnerabilities in infrastructure code.
The irony writes itself.
Multiple attack vectors
Unlike the Bitwarden compromise, which hit a single package registry, the KICS attack was multi-pronged:
- Docker Hub — malicious images pushed to the official checkmarx/kics repository
- VSCode extensions — compromised versions on both the VSCode Marketplace and Open VSX
- GitHub Actions — the ast-github-action was also affected
The VSCode extension downloaded a hidden “MCP addon” from a hardcoded GitHub URL. This mcpAddon.js component harvested the same credential types as the Bitwarden payload — GitHub tokens, cloud credentials, npm tokens, SSH keys, and even Claude configuration files.
Stolen data was exfiltrated to audit.checkmarx[.]cx — a domain carefully crafted to impersonate legitimate Checkmarx infrastructure. The dangerous window lasted approximately 84 minutes, from 14:17 to 15:41 UTC on 22 April.
The TeamPCP Connection
Security researchers have linked both attacks to TeamPCP, the same group behind the Trivy supply chain attack and the LiteLLM compromise we covered in previous posts. The evidence includes shared obfuscation routines, identical telemetry endpoints, and the same exfiltration patterns.
This group has developed a playbook: compromise CI/CD pipelines of trusted security tools, inject credential-stealing payloads, and use the stolen access to propagate further. They are specifically targeting the tools that developers trust most — password managers, security scanners, and infrastructure-as-code tools.
The pattern is clear and accelerating. Trivy, LiteLLM, Bitwarden, Checkmarx — each attack is more sophisticated than the last, and the dwell times are getting shorter, which suggests the group is optimising for speed rather than stealth.
Why This Matters More Than a Typical Supply Chain Attack
Supply chain attacks are not new. But this coordinated strike highlights three trends that should concern every development team:
1. Security tools are now priority targets
Attackers are deliberately targeting the tools developers use to protect themselves. A compromised password manager or security scanner has implicit trust — developers are less likely to question updates to tools they rely on for security. This creates a perfect social engineering vector without any social engineering required.
2. CI/CD pipelines are the new perimeter
Both attacks entered through CI/CD infrastructure — GitHub Actions in Bitwarden’s case, Docker Hub and extension marketplaces for Checkmarx. Your CI/CD pipeline has access to everything: source code, secrets, deployment credentials, and production environments. It is arguably the most privileged component in your entire infrastructure, yet many teams treat it as a trusted black box.
3. The blast radius is recursive
The Bitwarden payload’s self-propagation capability means a single compromise can cascade through the entire npm ecosystem. One infected maintainer could unknowingly push malicious code to dozens of packages, each with their own dependency trees. The combinatorial explosion is staggering.
What Your Team Should Do Right Now
If you updated either tool during the attack windows, treat your environment as compromised:
Immediate actions
- Rotate all credentials — npm tokens, GitHub tokens, SSH keys, cloud provider credentials (AWS, Azure, GCP)
- Audit your CI/CD logs — look for unexpected package installations or version changes during the attack window
- Block known indicators — add checkmarx.cx (91.195.240.123) and audit.checkmarx.cx (94.154.172.43) to your blocklists
- Pin safe versions — Bitwarden CLI pre-2026.4.0, KICS v2.1.20, ast-github-action v2.3.36
- Check for unexpected GitHub repos — the malware created public repositories to exfiltrate stolen data
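One way to triage the lockfile side of that audit, as an added example that is not from Bitwarden or the original post: it searches a parsed package-lock.json for the @bitwarden/cli 2026.4.0 release named above, including copies nested under other dependencies. The function names, the sample lockfiles and the deploy-helper package are constructed for illustration.

```python
# Known-bad release named in this article; extend as advisories are published.
BAD_VERSIONS = {"@bitwarden/cli": {"2026.4.0"}}

def _walk_v1(deps, trail, bad, hits):
    # lockfileVersion 1 nests transitive packages under "dependencies".
    for name, meta in deps.items():
        here = trail + [name]
        if meta.get("version") in bad.get(name, ()):
            hits.append((name, meta["version"], " > ".join(here)))
        _walk_v1(meta.get("dependencies", {}), here, bad, hits)

def find_bad_packages(lock, bad=BAD_VERSIONS):
    """Return sorted (name, version, location) tuples for known-bad entries."""
    hits = []
    packages = lock.get("packages")
    if packages is not None:
        # lockfileVersion 2/3: flat map keyed by install path.
        for path, meta in packages.items():
            if not path:  # "" is the root project, not a dependency
                continue
            # Last path segment after node_modules/ is the package name.
            name = meta.get("name") or path.rpartition("node_modules/")[2]
            if meta.get("version") in bad.get(name, ()):
                hits.append((name, meta["version"], path))
    else:
        _walk_v1(lock.get("dependencies", {}), [], bad, hits)
    return sorted(hits)

# Constructed sample lockfiles (not taken from any real project).
LOCK_V3 = {"lockfileVersion": 3, "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/@bitwarden/cli": {"version": "2026.3.1"},
    "node_modules/deploy-helper": {"version": "1.4.0"},
    "node_modules/deploy-helper/node_modules/@bitwarden/cli":
        {"version": "2026.4.0"},
}}
LOCK_V1 = {"lockfileVersion": 1, "dependencies": {
    "deploy-helper": {"version": "1.4.0", "dependencies": {
        "@bitwarden/cli": {"version": "2026.4.0"}}},
}}

if __name__ == "__main__":
    for label, lock in (("v3", LOCK_V3), ("v1", LOCK_V1)):
        for name, version, where in find_bad_packages(lock):
            print(f"[{label}] {name}@{version} at {where}")
```

To scan a real project, pass the result of `json.load()` on its package-lock.json. A clean lockfile does not clear a machine where the package was installed globally during the window.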
Longer-term hardening
- Pin dependencies by SHA, not version — version tags can be overwritten; content hashes cannot
- Implement artifact verification — use Sigstore, npm provenance attestations, or Docker Content Trust to verify the authenticity of packages and images before installation
- Isolate CI/CD credentials — apply least-privilege principles to your pipeline secrets. No single GitHub Action should have access to both your npm publish token and your cloud deployment credentials
- Monitor for anomalous dependency updates — tools like Socket, Snyk, and Renovate can flag unexpected version bumps in critical dependencies
- Treat your IDE as an attack surface — VSCode extensions run with full local privileges. Audit your extensions regularly and disable automatic updates for security-critical tools
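A check for the first item in this list, as an added example that is not part of the original post: it lists every `uses:` reference in a GitHub Actions workflow that is pinned to a tag or branch rather than a full commit SHA (or, for `docker://` steps, an image digest). The workflow text, the example-org action and its SHA are constructed. The KICS and ast-github-action versions are the ones quoted above, and the checkmarx/ owner prefix on the action is an assumption.

```python
import re

USES = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA = re.compile(r"[0-9a-f]{40}")            # full git commit id
IMAGE_DIGEST = re.compile(r"sha256:[0-9a-f]{64}")  # container image digest

def unpinned_actions(workflow_text):
    """Return (line_no, reference) for each `uses:` not pinned to immutable content."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), 1):
        match = USES.match(line)
        if not match:
            continue
        ref = match.group(1)
        if ref.startswith("./"):
            continue  # local action, versioned with the repository itself
        _, _, pin = ref.partition("@")
        if ref.startswith("docker://"):
            pinned = IMAGE_DIGEST.fullmatch(pin) is not None
        else:
            pinned = FULL_SHA.fullmatch(pin) is not None
        if not pinned:
            findings.append((line_no, ref))
    return findings

# Constructed workflow; the 40-character SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
jobs:
  scan:
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/build-action@0123456789abcdef0123456789abcdef01234567  # v1.2.3
      - name: IaC scan
        uses: docker://checkmarx/kics:v2.1.20
      - uses: checkmarx/ast-github-action@v2.3.36
      - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    for line_no, ref in unpinned_actions(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {ref} is not pinned to a commit SHA or digest")
```

Even a known-good tag such as v2.3.36 is reported, because the tag can later be moved to different content. Record the commit SHA or image digest that the tag resolved to when you verified it.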
The Uncomfortable Truth
The developer security ecosystem has a trust problem. We tell teams to use password managers, run security scanners, and automate their pipelines — and those are exactly the tools being weaponised against them.
The answer is not to stop using these tools. It is to stop trusting them implicitly. Every dependency — including and especially your security dependencies — needs verification, pinning, and monitoring. Defence in depth is not just a network security concept; it applies to your entire software supply chain.
At REPTILEHAUS, we help development teams build CI/CD pipelines and DevSecOps workflows that are hardened against exactly these kinds of attacks. From artifact verification to pipeline isolation to dependency monitoring, supply chain security is not an afterthought — it is baked into every project we deliver. If your team needs help auditing your pipeline security or implementing supply chain hardening, get in touch.