
Apr 24, 2026 · 5 min read

Hackers Turned Bitwarden's CLI Into a Credential Stealer—It Also Hunted for Your AI Coding Assistant

The password manager's npm package was compromised for 93 minutes on April 22. The malware stole SSH keys, cloud credentials, and npm tokens, then checked if developers had Claude Code, Gemini CLI, or Codex installed.

A developer workstation with terminal windows showing a package installation, representing the Bitwarden CLI supply chain attack

What Happened

On April 22, 2026, attackers published a malicious version of Bitwarden's official command line tool to npm. The compromised package, @bitwarden/cli@2026.4.0, was live on npm for approximately 93 minutes between 5:57 PM and 7:30 PM Eastern before Bitwarden removed it.

The package receives roughly 297,000 monthly downloads. Anyone who installed or updated during that window received a payload called Shai-Hulud that silently harvested credentials from their machine, encrypted the stolen data, and exfiltrated it through GitHub repositories created under the victim's own account.

Bitwarden confirmed that no end user vault data was accessed or at risk. The attack targeted developer machines and CI/CD pipelines, not the password vaults that Bitwarden users rely on daily.

What the Malware Stole

The Shai-Hulud payload ran seven parallel collectors that swept through developer environments with surgical precision:

  • SSH keys from ~/.ssh
  • npm tokens from ~/.npmrc
  • AWS credentials from ~/.aws/credentials, plus secrets from AWS Secrets Manager and SSM Parameter Store
  • Google Cloud and Azure credentials from their respective config directories
  • GitHub authentication tokens and GitHub Actions runner secrets
  • Environment variables from .env files and shell history

Stolen data was JSON-serialized, gzip-compressed, AES-256-GCM-encrypted, then RSA-wrapped before exfiltration. Even if the exfiltration repositories were seized, the data could not be decrypted without the attacker's private key.

It Hunted for AI Coding Assistants

In an unusual twist, the malware specifically probed for authenticated AI coding tools. It checked whether the developer had Claude Code, Gemini CLI, OpenAI Codex CLI, Kiro, Aider, or OpenCode installed. When it found one, it sent a "Hello" message to confirm the tool was authenticated, then injected hooks into shell configuration files to maintain persistence.

This targeting reveals where attacker priorities are shifting. AI coding assistants run with broad system access, often hold API keys to expensive services, and many developers grant them permission to execute arbitrary code. Compromising an authenticated AI assistant gives an attacker a persistent foothold on a machine that is likely to touch sensitive codebases.

A Self-Propagating Supply Chain Worm

The most dangerous capability was self-propagation. When the malware found npm tokens with publish permissions, it automatically:

  • Enumerated every npm package the victim could modify
  • Downloaded each package, injected the Shai-Hulud payload into it
  • Bumped the patch version and republished to npm

This turned every compromised developer into an unwitting distribution point. A single infected machine with publish access to popular packages could cascade the malware to thousands of downstream consumers without any further action from the attacker.

How the Attackers Got In

The breach originated from a compromised Checkmarx GitHub Action used in Bitwarden's CI/CD pipeline. Attackers modified a workflow file on a non-main branch, staging a prebuilt tarball that was published to npm using GitHub's OIDC token. Because the attack exploited the CI/CD pipeline itself, it bypassed the need for long-lived npm secrets.

The threat actor behind the attack, known as TeamPCP, previously compromised the Trivy security scanner and the LiteLLM AI library using the same techniques. Each attack follows the same pattern: compromise a widely trusted developer tool, inject credential-stealing malware, and use the stolen credentials to spread further.

What Developers Should Do

If you installed @bitwarden/cli@2026.4.0 during the 93-minute window, treat your machine and every credential on it as compromised:

  • Rotate everything. GitHub personal access tokens, npm tokens, SSH keys, and any AWS, Azure, or GCP credentials stored on the machine.
  • Check your npm publish logs. If you maintain public packages, verify that no unexpected versions were published using your credentials.
  • Inspect shell configuration files. Look for injected blocks in ~/.bashrc and ~/.zshrc that you did not add.
  • Search your GitHub account for repositories with Dune-themed names (sardaukar, sandworm) or the description "Shai-Hulud: The Third Coming."
  • Update to @bitwarden/cli@2026.4.1, the clean version released April 23.
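The checks in the list above can be partly automated. The script below is an added example written for this article, not Bitwarden's or TeamPCP's code; the only indicators it uses are the ones the article names (the compromised version, the Dune-themed repository names, the "Shai-Hulud: The Third Coming" description, and the AI CLI names the malware probed for). The lockfile, repository list and shell rc content are constructed samples embedded inline; the repository list mirrors the shape of `gh repo list --json name,description` output, which is an assumption, and the shell-rc check is a triage heuristic to surface lines for manual review, not a signature of the actual injected hook.

```python
"""Triage helpers for the @bitwarden/cli@2026.4.0 incident (added example).

Indicators come from the article; all sample inputs below are constructed
so the script runs offline.
"""
import json
import re

# Known-compromised package versions from the article.
COMPROMISED = {"@bitwarden/cli": {"2026.4.0"}}
# Exfiltration repo indicators named in the article.
REPO_NAME_IOCS = ("sardaukar", "sandworm")
REPO_DESC_IOC = "Shai-Hulud: The Third Coming"
# AI CLIs the article says the malware probed for. Used only as a triage
# heuristic for unexpected shell-rc lines, not as a definitive signature.
AI_CLI_KEYWORDS = ("claude", "gemini", "codex", "kiro", "aider", "opencode")


def find_compromised_in_lockfile(lock_text: str) -> list[str]:
    """Return 'name@version' entries in a package-lock.json that match a
    known-compromised version. Handles the v2/v3 'packages' map and the
    v1 nested 'dependencies' map."""
    lock = json.loads(lock_text)
    hits = set()
    for path, meta in lock.get("packages", {}).items():
        # Keys look like "node_modules/@scope/name"; the root entry is "".
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        if meta.get("version") in COMPROMISED.get(name, ()):
            hits.add(f"{name}@{meta['version']}")

    def walk(deps: dict) -> None:
        for name, meta in deps.items():
            if meta.get("version") in COMPROMISED.get(name, ()):
                hits.add(f"{name}@{meta['version']}")
            walk(meta.get("dependencies", {}))

    walk(lock.get("dependencies", {}))
    return sorted(hits)


def find_suspicious_repos(repos: list[dict]) -> list[str]:
    """Flag repos whose name contains a Dune-themed IoC or whose description
    carries the Shai-Hulud marker."""
    flagged = []
    for repo in repos:
        name = repo.get("name", "")
        desc = repo.get("description") or ""
        if any(ioc in name.lower() for ioc in REPO_NAME_IOCS) or REPO_DESC_IOC in desc:
            flagged.append(name)
    return flagged


def suspicious_shell_rc_lines(rc_text: str) -> list[str]:
    """Return rc-file lines that mention an AI CLI *and* execute something
    (eval/source/curl/wget/node/bash). Review these by hand; aliases or
    PATH tweaks that merely mention a tool are not matched."""
    executes = re.compile(r"\b(eval|source|curl|wget|node|bash)\b")
    out = []
    for line in rc_text.splitlines():
        low = line.lower()
        if any(k in low for k in AI_CLI_KEYWORDS) and executes.search(low):
            out.append(line.strip())
    return out


# Constructed samples (not real data).
SAMPLE_LOCK = json.dumps({
    "name": "my-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "my-app", "version": "1.0.0"},
        "node_modules/@bitwarden/cli": {"version": "2026.4.0"},
        "node_modules/left-pad": {"version": "1.3.0"},
    },
})
SAMPLE_REPOS = [
    {"name": "my-website", "description": "Personal site"},
    {"name": "sardaukar-7f3a", "description": "Shai-Hulud: The Third Coming"},
]
SAMPLE_RC = (
    "export PATH=$HOME/bin:$PATH\n"
    "alias ll='ls -l'\n"
    'eval "$(node $HOME/.cache/claude-hook.js)"\n'  # constructed suspicious line
)

if __name__ == "__main__":
    print("compromised packages:", find_compromised_in_lockfile(SAMPLE_LOCK))
    print("suspicious repos:", find_suspicious_repos(SAMPLE_REPOS))
    print("shell rc lines to review:", suspicious_shell_rc_lines(SAMPLE_RC))
```

On a real machine you would feed `find_compromised_in_lockfile` the contents of each project's package-lock.json (and the package.json under node_modules/@bitwarden/cli), `find_suspicious_repos` the output of your GitHub repository listing, and `suspicious_shell_rc_lines` the contents of ~/.bashrc and ~/.zshrc. A hit from the first function means credentials on that machine should be rotated regardless of what the other two report.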

Even if you did not install the malicious version, this is a reminder to pin dependency versions in CI/CD pipelines and audit third-party GitHub Actions before granting them write permissions to your package registries.
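Pinning and auditing actions is easy to state and easy to let slip, so here is a small workflow linter as an added example (mine, not Bitwarden's or any project's tooling). It reads a GitHub Actions workflow line by line, separates `uses:` references pinned to a full 40-character commit SHA from those on mutable refs such as tags or branches, records write-level permission grants (including the `id-token: write` that OIDC publishing needs), and calls the combination of an unpinned action and a write grant risky, which is the shape of the pipeline compromise the article describes. The two workflow texts are constructed; the action name `example-org/security-scan` and the all-zero and all-one SHAs are placeholders, not real references.

```python
"""Lint a GitHub Actions workflow for unpinned actions and write grants.

Added example; the workflow texts below are constructed and the SHAs are
placeholders.
"""
import re

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Write grants that let a job push code, publish packages, or mint an OIDC
# token; `permissions: write-all` grants everything at once.
WRITE_PERM_RE = re.compile(
    r"^\s*(contents|packages|id-token):\s*write\s*$|^\s*permissions:\s*write-all\s*$"
)


def audit_workflow(yaml_text: str) -> dict:
    """Classify every action reference and write grant in a workflow.

    Returns {'pinned': [...], 'unpinned': [...], 'write_permissions': [...],
    'risky': bool}. Local (./) and container (docker://) actions are skipped
    because SHA pinning does not apply to them in the same way."""
    findings = {"pinned": [], "unpinned": [], "write_permissions": []}
    for line in yaml_text.splitlines():
        m = USES_RE.match(line)
        if m:
            ref = m.group(1)
            if ref.startswith("./") or ref.startswith("docker://"):
                continue
            _, _, version = ref.partition("@")
            bucket = "pinned" if FULL_SHA_RE.match(version) else "unpinned"
            findings[bucket].append(ref)
        elif WRITE_PERM_RE.match(line):
            findings["write_permissions"].append(line.strip())
    # An unpinned third-party action running in a job that can publish is the
    # combination that turns a hijacked action into a registry compromise.
    findings["risky"] = bool(findings["unpinned"] and findings["write_permissions"])
    return findings


# Constructed: broad permissions plus actions on mutable refs.
WEAK_WORKFLOW = """\
name: publish
on: [push]
permissions: write-all
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/security-scan@main   # hypothetical third-party action
      - run: npm publish --provenance
"""

# Constructed: least-privilege defaults, OIDC only where publishing happens,
# every action pinned to a full commit SHA (placeholders here).
HARDENED_WORKFLOW = """\
name: publish
on: [push]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000   # placeholder SHA
      - uses: example-org/security-scan@1111111111111111111111111111111111111111   # placeholder SHA
      - run: npm publish --provenance
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(label, audit_workflow(text))
```

Pinning to a SHA does not make a third-party action trustworthy; it makes the code you reviewed the code that runs, which is what lets an audit before granting write access mean anything. The hardened workflow still needs `id-token: write` for OIDC publishing, so the linter treats it as acceptable only because every action in that job is pinned.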

The Deeper Problem

The irony of a password manager's tool being weaponized to steal passwords is hard to miss. But the real lesson is structural. Modern software development depends on a web of trust: developers trust their CI/CD platform, which trusts its GitHub Actions, which trust the packages they install. TeamPCP has now demonstrated three times that breaking one link in that chain can compromise everything downstream.

Ninety-three minutes was enough. The malware was obfuscated behind a 43,000-entry string table and a scrambled cipher, designed to evade automated detection. It killed itself on Russian-locale systems, skipped non-CI environments, and encrypted its exfiltrated data so thoroughly that even seizing the repositories would not reveal what was stolen. This was not opportunistic. It was engineered.
