Bitwarden CLI Supply Chain Attack: Checkmarx Campaign Steals Credentials
Bitwarden CLI versions 2024.1.0 and earlier have been compromised as part of a supply-chain campaign linked to the Checkmarx name. Security researcher Alex Petrov of XYZ Security Labs uncovered the breach while analysing the CLI's update mechanism and linked it to a malicious NPM package that masqueraded as a legitimate Checkmarx code-analysis plugin.
The infected build, shipped as Bitwarden CLI v2024.1.0, contains a backdoor that activates when the tool is invoked with the --export-vault flag. The payload, a lightly obfuscated JavaScript snippet, opens a covert HTTPS channel to the attacker-controlled domain checkmarx-c2.io and exfiltrates the user's master password, vault metadata and encrypted JSON blob. The malicious code is injected into the CLI through a trojanized version of the npm package @checkmarx/cli-parser (SHA-256: a3f8b2c9d4e5f6789…), which the CI/CD pipeline pulls during the build process. The campaign also plants a scheduled task named 'CheckmarxUpdate' on Windows hosts to maintain persistence.
Affected users who deployed the compromised binary between 10 January and 23 January 2024 are at risk of credential theft. According to Bitwarden's telemetry, approximately 12,500 distinct installation hashes were downloaded during that window. The company has advised administrators to compare the SHA-256 of their installed CLI with the known-good value (e3f9a1b2c3d4…) and to revoke any API tokens that may have been used in the same session.
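The hash comparison the advisory asks administrators to perform is easy to get wrong: comparing against a truncated value quoted in a write-up, or doing a case-sensitive string compare against an uppercase checksum, both produce false alarms or false assurance. The following script is an added example (not Bitwarden's tooling) that streams the binary through SHA-256, refuses to compare anything that is not a full 64-hex-character digest, and compares in constant time. The KNOWN_GOOD_SHA256 value is a placeholder, since the article prints only a truncated hash; paste the full value from the vendor advisory before use.

```python
"""Verify a locally installed Bitwarden CLI binary against a vendor-published SHA-256.

Added example for this article; not Bitwarden's own tooling. The expected hash
below is a placeholder because the article quotes only a truncated value.
"""
import hashlib
import hmac
import os
import re
import sys
import tempfile

# Placeholder: paste the full 64-hex-character known-good value from the vendor advisory.
KNOWN_GOOD_SHA256 = "PLACEHOLDER_FULL_SHA256_FROM_VENDOR_ADVISORY"

_FULL_SHA256 = re.compile(r"^[0-9a-fA-F]{64}$")


def is_full_sha256(value: str) -> bool:
    """A truncated or ellipsised digest (as quoted in many advisories) cannot be compared."""
    return bool(_FULL_SHA256.match(value.strip()))


def sha256_hex(data: bytes) -> str:
    """SHA-256 of an in-memory byte string, lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file in chunks so a large binary is not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_digest(actual_hex: str, expected_hex: str) -> bool:
    """Constant-time, case-insensitive comparison. Returns False rather than
    guessing when either side is not a complete SHA-256 digest."""
    if not (is_full_sha256(actual_hex) and is_full_sha256(expected_hex)):
        return False
    return hmac.compare_digest(actual_hex.strip().lower(), expected_hex.strip().lower())


def verify_binary(path: str, expected_hex: str):
    """Return (matches, actual_hex) for the file at `path`."""
    actual = sha256_of_file(path)
    return verify_digest(actual, expected_hex), actual


def main(argv):
    if len(argv) >= 2:
        path = argv[1]
        expected = argv[2] if len(argv) > 2 else KNOWN_GOOD_SHA256
        cleanup = None
    else:
        # Demo mode: constructed sample file, hashed on the fly, so the script runs offline.
        tmp = tempfile.NamedTemporaryFile(delete=False)
        tmp.write(b"constructed sample binary contents\n")
        tmp.close()
        path, expected, cleanup = tmp.name, sha256_of_file(tmp.name), tmp.name
    ok, actual = verify_binary(path, expected)
    print(f"{path}\n  actual:   {actual}\n  expected: {expected}\n  match:    {ok}")
    if cleanup:
        os.unlink(cleanup)
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python verify_cli.py /path/to/bw <full-sha256>`; with no arguments it hashes a constructed temporary file to show the output format. A non-zero exit on mismatch makes it usable as a gate in a deployment script.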
Bitwarden released an emergency patch (v2024.1.1) that removes the malicious plugin and re-signs the binary with a fresh certificate. Checkmarx, whose name was abused in the attack, issued a statement confirming that its own infrastructure was not breached, but warned that the attackers exploited a trusted dependency to bypass code-review gates. Security teams are urged to enforce strict package-pinning policies, enable subresource integrity (SRI) for scripts, and monitor outbound traffic to the IOCs identified (checkmarx-c2.io, 185.220.101.47).
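Two of the recommended controls, monitoring outbound traffic for the named IoCs and enforcing package pinning, can be checked with a small script. The example below is added here and is not code from Bitwarden or Checkmarx. It matches the domain and IP from the article against proxy log lines using host-boundary rules (so `update.checkmarx-c2.io` matches but `notcheckmarx-c2.io` does not), and audits an npm `package-lock.json` for the trojanized package name and for entries with no `integrity` hash. The log lines, the lockfile contents and the package version `1.4.2` are all constructed for the demo; the article gives no version for the trojanized package.

```python
"""Match outbound proxy logs against the campaign IoCs and audit an npm lockfile
for the trojanized package and for entries that are not integrity-pinned.

Added example for this article; not Bitwarden's or Checkmarx's code.
Sample log lines and the lockfile below are constructed for the demo.
"""
import json
import re

# Indicators quoted in the article.
IOC_DOMAINS = ["checkmarx-c2.io"]
IOC_IPS = ["185.220.101.47"]
WATCHLIST = ["@checkmarx/cli-parser"]

# Constructed proxy log lines: timestamp, client, method, destination:port, status.
SAMPLE_LOG_LINES = [
    "2024-01-15T10:00:01Z host01 CONNECT api.bitwarden.com:443 200",
    "2024-01-15T10:00:02Z host01 CONNECT checkmarx-c2.io:443 200",
    "2024-01-15T10:00:03Z host02 CONNECT update.checkmarx-c2.io:443 200",
    "2024-01-15T10:00:04Z host03 CONNECT notcheckmarx-c2.io:443 200",
    "2024-01-15T10:00:05Z host04 CONNECT 185.220.101.47:443 200",
    "2024-01-15T10:00:06Z host05 CONNECT 185.220.101.4:443 200",
]

# Constructed lockfile (npm lockfileVersion 3 layout). Version numbers are made up.
SAMPLE_LOCK = {
    "name": "example-build",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-build"},
        "node_modules/@checkmarx/cli-parser": {
            "version": "1.4.2",
            "resolved": "https://registry.example.invalid/@checkmarx/cli-parser/-/cli-parser-1.4.2.tgz",
            "integrity": "sha512-CONSTRUCTED_PLACEHOLDER",
        },
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://registry.example.invalid/left-pad/-/left-pad-1.3.0.tgz",
            # no "integrity" field: npm cannot verify what it downloads here
        },
        "node_modules/chalk": {
            "version": "4.1.2",
            "resolved": "https://registry.example.invalid/chalk/-/chalk-4.1.2.tgz",
            "integrity": "sha512-CONSTRUCTED_PLACEHOLDER",
        },
    },
}

# A whitespace-delimited token that looks like a hostname or IP, with optional :port.
_HOST_TOKEN = re.compile(r"^([A-Za-z0-9.-]+)(?::\d+)?$")


def _hosts_in(line):
    """Yield lowercase host-like tokens from one log line."""
    for tok in line.split():
        m = _HOST_TOKEN.match(tok)
        if m:
            yield m.group(1).lower().rstrip(".")


def _match_indicator(host, domains, ips):
    """Return the matching indicator, or None. Domains match exactly or as a
    parent of the observed host; substring matches are deliberately rejected."""
    if host in ips:
        return host
    for d in domains:
        if host == d or host.endswith("." + d):
            return d
    return None


def find_ioc_hits(lines, domains, ips):
    """Return [(line_number, indicator, line)] for every line touching an IoC."""
    domains = [d.lower() for d in domains]
    ips = set(ips)
    hits = []
    for n, line in enumerate(lines, 1):
        for host in _hosts_in(line):
            ind = _match_indicator(host, domains, ips)
            if ind:
                hits.append((n, ind, line))
                break
    return hits


def audit_lockfile(lock, watchlist):
    """Flag watchlisted packages and any entry without an integrity hash."""
    findings = []
    for key, meta in lock.get("packages", {}).items():
        if key == "":
            continue  # the root project entry
        name = key.split("node_modules/")[-1]  # handles nested node_modules paths
        if name in watchlist:
            findings.append({"package": name, "version": meta.get("version"),
                             "issue": "package named in the campaign IoC list"})
        if not meta.get("integrity"):
            findings.append({"package": name, "version": meta.get("version"),
                             "issue": "no integrity hash pinned"})
    return findings


def load_lockfile(path):
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    for n, ind, line in find_ioc_hits(SAMPLE_LOG_LINES, IOC_DOMAINS, IOC_IPS):
        print(f"line {n}: IoC {ind}: {line}")
    for f in audit_lockfile(SAMPLE_LOCK, WATCHLIST):
        print(f"{f['package']}@{f['version']}: {f['issue']}")
```

Replace `SAMPLE_LOG_LINES` with lines read from your proxy or DNS logs and `SAMPLE_LOCK` with `load_lockfile("package-lock.json")`. The host-boundary rule matters for the domain indicator: a bare substring search would also flag unrelated hosts that merely contain the string, and a lockfile entry without `integrity` is exactly the gap a trusted-dependency substitution relies on.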