
Bitwarden CLI Compromised in Ongoing Checkmarx Supply Chain Campaign

872 points · 432 comments · posted by tosh 2 months ago

Socket researchers discovered that the Bitwarden CLI was compromised as part of the ongoing Checkmarx supply chain campaign. The affected package version appears to be @bitwarden/cli@2026.4.0, and the malicious code was published in bw1.js, a file included in the package contents. The attack appears to have leveraged a compromised GitHub Action in Bitwarden's CI/CD pipeline, consistent with the pattern seen across other affected repositories in this campaign.

What we know so far:

- Bitwarden CLI builds were affected
- The compromise follows the same GitHub Actions supply chain vector identified in the broader Checkmarx campaign

This is an ongoing investigation. Socket's security research team is conducting a full technical analysis and will publish detailed findings, including affected versions, indicators of compromise, and remediation guidance.

If you use Bitwarden CLI, we recommend reviewing your CI logs and rotating any secrets that may have been exposed to the compromised workflow.
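As a concrete starting point for the check the advisory asks for, here is an added example (not code from Socket, Bitwarden, or the Checkmarx campaign write-up) that scans a project for the two indicators the text gives: a package-lock.json pinning @bitwarden/cli at 2026.4.0, and a file named bw1.js anywhere inside the installed copy of the package. The sample project it builds on disk is constructed for illustration; the placeholder bw1.js it writes is inert, and its location under build/ is an assumption, since the advisory only says the file ships in the package contents.

```python
# Added example (not Socket's or Bitwarden's code): a defender-side check for the
# advisory above. It flags the affected @bitwarden/cli version in an npm lockfile
# and looks for the bw1.js file the advisory names inside an installed copy of
# the package. The sample project it builds is constructed here for illustration.
import json
import os
import tempfile

AFFECTED_PACKAGE = "@bitwarden/cli"
AFFECTED_VERSIONS = {"2026.4.0"}   # version named in the advisory
SUSPECT_FILES = {"bw1.js"}         # file named in the advisory


def affected_lockfile_entries(lock_text):
    """Return [{'path': ..., 'version': ...}] for every @bitwarden/cli entry in a
    package-lock.json that resolves to an affected version. Handles the flat
    'packages' map of lockfileVersion 2/3 and the nested 'dependencies' tree
    of lockfileVersion 1."""
    lock = json.loads(lock_text)
    hits = []
    if "packages" in lock:
        for path, meta in lock["packages"].items():
            if (path.endswith("node_modules/" + AFFECTED_PACKAGE)
                    and meta.get("version") in AFFECTED_VERSIONS):
                hits.append({"path": path, "version": meta["version"]})
        return hits

    def walk(deps, prefix):
        for name, meta in deps.items():
            path = prefix + "node_modules/" + name
            if name == AFFECTED_PACKAGE and meta.get("version") in AFFECTED_VERSIONS:
                hits.append({"path": path, "version": meta["version"]})
            walk(meta.get("dependencies", {}), path + "/")

    walk(lock.get("dependencies", {}), "")
    return hits


def suspect_files_in_install(pkg_dir):
    """Walk an installed package directory and return the relative paths of any
    files whose basename is on the suspect list."""
    found = []
    for root, _dirs, files in os.walk(pkg_dir):
        for name in files:
            if name in SUSPECT_FILES:
                found.append(os.path.relpath(os.path.join(root, name), pkg_dir))
    return sorted(found)


def check_project(project_dir):
    """Combine both checks for one project directory: lockfile pins plus the
    on-disk contents of node_modules/@bitwarden/cli, if present."""
    result = {"lockfile_hits": [], "suspect_files": []}
    lock_path = os.path.join(project_dir, "package-lock.json")
    if os.path.exists(lock_path):
        with open(lock_path, encoding="utf-8") as fh:
            result["lockfile_hits"] = affected_lockfile_entries(fh.read())
    install_dir = os.path.join(project_dir, "node_modules", *AFFECTED_PACKAGE.split("/"))
    if os.path.isdir(install_dir):
        result["suspect_files"] = suspect_files_in_install(install_dir)
    result["affected"] = bool(result["lockfile_hits"] or result["suspect_files"])
    return result


# Constructed samples: one lockfile pinning the affected version, one pinning a
# placeholder version that is not on the affected list.
SAMPLE_LOCK_V3 = json.dumps({
    "name": "demo", "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"@bitwarden/cli": "2026.4.0"}},
        "node_modules/@bitwarden/cli": {"version": "2026.4.0"},
    },
})
SAMPLE_LOCK_CLEAN = json.dumps({
    "name": "demo", "lockfileVersion": 1,
    "dependencies": {"@bitwarden/cli": {"version": "0.0.0-placeholder"}},
})


def build_sample_project():
    """Create a throwaway project tree on disk (constructed, for the demo) and
    return its path. The build/ location of bw1.js is an assumption."""
    root = tempfile.mkdtemp(prefix="bwcli-check-")
    with open(os.path.join(root, "package-lock.json"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_LOCK_V3)
    pkg = os.path.join(root, "node_modules", "@bitwarden", "cli")
    os.makedirs(os.path.join(pkg, "build"))
    with open(os.path.join(pkg, "build", "bw1.js"), "w", encoding="utf-8") as fh:
        fh.write("// inert placeholder standing in for the file named in the advisory\n")
    return root


if __name__ == "__main__":
    print(json.dumps(check_project(build_sample_project()), indent=2))
```

Run it against a real checkout by calling check_project on the repository root instead of the constructed tree; an `affected` result is the cue to review the CI logs for that workflow and rotate the secrets it could reach, as the advisory recommends. Treat the version and filename lists as the starting point only, and extend them once Socket publishes the full set of affected versions and indicators.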