
Checkmarx and Bitwarden CLI Supply Chain Compromise Deploys Credential-Stealing Malware Across Developer Environments

April 29th, 2026

Critical

Our Cyber Threat Intelligence Unit is monitoring an active software supply chain campaign that compromised official Checkmarx artifacts, including Docker images for the KICS scanner, VS Code extensions, and the Bitwarden CLI npm package. Malicious code was injected into these channels to steal developer and cloud credentials, exfiltrate sensitive data, and spread through CI/CD pipelines and the npm ecosystem. The campaign is linked to the suspected threat actor TeamPCP, which was previously associated with supply chain attacks on LiteLLM and Trivy. Organizations that used affected artifacts during the compromise window should consider all exposed secrets compromised and take immediate remediation steps. 

Technical Details

  • Threat Type: Software Supply Chain Compromise

  • Severity: Critical

  • Affected Platforms: npm, Docker Hub, Open VSX / VS Code Marketplace, GitHub Actions CI/CD pipelines

  • Affected Components: Checkmarx KICS Docker images (v2.1.20, v2.1.21, alpine, debian, latest), Checkmarx VS Code extensions (cx-dev-assist 1.17.0 / 1.19.0, ast-results 2.63.0 / 2.66.0), Bitwarden CLI (@bitwarden/[email protected])

  • Attack Chain (Checkmarx KICS and VS Code Extensions):

    • Attackers gained access to Checkmarx's GitHub repository and Docker Hub registry, overwriting existing KICS image tags with trojanized builds and introducing a new v2.1.21 tag with no corresponding upstream release.

      • The bundled KICS binary was replaced with a modified Golang executable that retains scanner functionality while adding credential collection and exfiltration capabilities.

    • In parallel, a backdated orphaned commit was injected into the Checkmarx/ast-vscode-extension repository, introducing a large (~10 MB) obfuscated JavaScript file (mcpAddon.js).

      • Compromised VS Code extension versions activate a hidden feature on load that fetches and executes mcpAddon.js using the Bun JavaScript runtime, writing the payload to ~/.checkmarx/mcp/mcpAddon.js.

  • Attack Chain (Bitwarden CLI):

    • A Bitwarden engineer's GitHub account was compromised. The attacker created a malicious branch in the bitwarden/clients repository, uploaded a prebuilt trojanized tarball, and altered the publish-cli.yml workflow to exchange a GitHub Actions OIDC token for an npm authentication token.

    • This allowed the attacker to publish the malicious package as @bitwarden/[email protected]. The attacker then deleted all related workflow runs, the branch, and the release tag.

    • The compromised package includes a preinstall hook (bw_setup.js) that downloads the Bun JavaScript runtime and silently executes the primary credential stealer (bw1.js, 9.7 MB).

      • Bun is used in place of Node.js as a deliberate evasion technique, bypassing EDR and SIEM detections tuned to flag suspicious node child processes during package installation.

      • The underlying Bitwarden CLI functionality is preserved so victims receive a working bw command with no visible errors.

    • This incident marks the first confirmed supply chain attack exploiting npm's OIDC Trusted Publishing mechanism as a publishing channel.

  • Post-Exploitation Behavior (Common to Both Sub-Campaigns):

    • Credential Harvesting: Both payloads collect GitHub and npm tokens, SSH keys, AWS and GCP credentials, Azure authentication tokens, shell history, environment variables, .env files, and AI coding tool configurations, including Claude Code (~/.claude.json), Kiro MCP settings, Cursor, Codex CLI, and Aider.

      • Any API keys stored in AI assistant contexts on affected systems should be considered compromised.

    • Exfiltration: Collected data is encrypted with AES-256-GCM and transmitted to https://audit.checkmarx[.]cx/v1/telemetry (94[.]154[.]172[.]43), an attacker-controlled domain designed to impersonate Checkmarx's legitimate infrastructure.

      • If the primary C2 is blocked, the malware falls back to creating encrypted staging repositories under the victim's own GitHub account, using a recognizable Dune universe naming pattern (<word>-<word>-<3 digits>), and supports signed domain rotation via an embedded RSA public key.

    • GitHub Actions Workflow Injection: Using stolen GitHub tokens, the malware injects a malicious workflow (.github/workflows/format-check.yml) into accessible repositories, serializing all configured secrets into a downloadable artifact (format-results.txt), then deletes the branch and run to reduce forensic visibility.

    • npm Propagation: Stolen npm tokens are used to identify publishable packages and republish them with injected preinstall hooks, allowing for lateral spread across the npm ecosystem.

    • Persistence (Bitwarden variant): bw1.js injects itself into ~/.bashrc and ~/.zshrc. A lock file (/tmp/tmp.987654321.lock) prevents multiple simultaneous instances.

      • The payload also exits silently if the system locale begins with ru.


Impact

  • Credential Theft: Developer and cloud credentials are harvested across GitHub, npm, AWS, GCP, Azure, SSH, and AI tool contexts, exposing organizations to broad infrastructure compromise.

  • CI/CD Pipeline Compromise: GitHub Actions workflow injection allows attackers to extract pipeline secrets across all repositories accessible to a compromised token.

  • Supply Chain Propagation: Abusing stolen npm publish credentials, the malware can republish malicious packages to downstream consumers in the npm ecosystem.

  • Persistent Access: Shell profile modifications on affected developer workstations allow the attacker to maintain access beyond the initial compromise.

  • IaC Scan Exposure: Organizations that used affected KICS images to scan Terraform, CloudFormation, or Kubernetes configurations should treat any secrets present in those scans as potentially exfiltrated.

Detection Method

Security teams should monitor for the following behavioral indicators:

  • Package and File System: Presence of bw_setup.js or bw1.js under node_modules/@bitwarden/cli/; @bitwarden/[email protected] in dependency trees; the file ~/.checkmarx/mcp/mcpAddon.js on developer workstations; lock file /tmp/tmp.987654321.lock; unexpected modifications to ~/.bashrc or ~/.zshrc

  • Process and Runtime: Unexpected execution of the Bun JavaScript runtime (bun process) during npm package installation; gh auth token, gcloud config config-helper, az account get-access-token, or azd auth token spawned by atypical parent processes

  • Network: Outbound connections to audit.checkmarx[.]cx or 94[.]154[.]172[.]43; anomalous api.github.com traffic during CI/CD install steps, which may indicate GitHub-based fallback C2 activity

  • GitHub: Unexpected branch creation or workflow files under .github/workflows/ on transient branches; format-results.txt workflow artifacts; newly created public repositories matching the pattern <word>-<word>-<3 digits> with descriptions "Checkmarx Configuration Storage" or "Shai-Hulud: The Third Coming"

  • npm: Unauthorized version changes, newly added install hooks, or unexpected publish activity on packages accessible to affected credentials
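An added example (not part of the original advisory or of any vendor tooling) that sweeps one home directory and one project tree for the file-system indicators listed above and lists every npm install hook it finds. The function name `sweep` and its parameters are illustrative; shell-profile changes are not checked because the advisory does not describe the injected content.

```python
import json
from pathlib import Path

# Indicators copied from the advisory's Detection Method list.
PAYLOAD_REL = Path(".checkmarx/mcp/mcpAddon.js")
LOCK_FILE = Path("/tmp/tmp.987654321.lock")
BW_DROPPERS = ("bw_setup.js", "bw1.js")
HOOKS = ("preinstall", "install", "postinstall")


def sweep(home, project, lock_file=LOCK_FILE):
    """Return a list of findings for one home directory and one project tree."""
    home, project = Path(home), Path(project)
    findings = []
    if (home / PAYLOAD_REL).exists():
        findings.append(f"payload file: {home / PAYLOAD_REL}")
    if Path(lock_file).exists():
        findings.append(f"lock file: {lock_file}")

    node_modules = project / "node_modules"
    manifests = sorted(node_modules.rglob("package.json")) if node_modules.is_dir() else []
    for manifest in manifests:
        try:
            meta = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: nothing to inspect
        if not isinstance(meta, dict):
            continue
        name = meta.get("name", manifest.parent.name)
        scripts = meta.get("scripts")
        if isinstance(scripts, dict):
            # Any lifecycle hook runs code at install time; list it for review.
            for hook in HOOKS:
                if hook in scripts:
                    findings.append(f"install hook: {name} {hook} -> {scripts[hook]}")
        if name == "@bitwarden/cli":
            # The advisory names these two files as the dropper and the stealer.
            for dropper in BW_DROPPERS:
                for hit in sorted(manifest.parent.rglob(dropper)):
                    findings.append(f"stealer file: {hit}")
    return findings


if __name__ == "__main__":
    for line in sweep(Path.home(), Path.cwd()):
        print(line)
```

An install hook in the output is not by itself malicious; it is the list to review against what each package is expected to run.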

Indicators of Compromise

  • npm Package: @bitwarden/[email protected]

  • VS Code Extension: checkmarx/[email protected]

  • VS Code Extension: checkmarx/[email protected]

  • VS Code Extension: checkmarx/[email protected]

  • VS Code Extension: checkmarx/[email protected]

  • IP Address: 94[.]154[.]172[.]43

  • URL: https://audit.checkmarx[.]cx/v1/telemetry


  • Docker Digest: sha256:2588a44890263a8185bd5d9fadb6bc9220b60245dbcbc4da35e1b62a6f8c230d

  • Docker Digest: sha256:222e6bfed0f3bb1937bf5e719a2342871ccd683ff1c0cb967c8e31ea58beaf7b

  • Docker Digest: sha256:a0d9366f6f0166dcbf92fcdc98e1a03d2e6210e8d7e8573f74d50849130651a0

  • File Path: ~/.checkmarx/mcp/mcpAddon.js

  • File Path: /tmp/tmp.987654321.lock

 

Docker digests represent compromised KICS index manifests for alpine/v2.1.20/v2.1.21, debian/v2.1.20-debian/v2.1.21-debian, and latest tag groups respectively. Affected tags may have been restored following disclosure — verify current digests against official Checkmarx release channels. 

 


Recommendations

Organizations should take the following actions to reduce risk:

  • Remove all affected Checkmarx VS Code extensions and KICS Docker images from developer workstations and CI/CD environments; downgrade @bitwarden/cli to 2026.3.0 or earlier using npm install @bitwarden/[email protected] --ignore-scripts

  • Rotate all credentials that may have been present in affected environments, including GitHub tokens, npm tokens, SSH keys, AWS/GCP/Azure credentials, CI/CD secrets, and AI tool API keys stored in ~/.claude.json or MCP configuration files

  • Audit GitHub for unauthorized branch creation, unexpected workflow files, artifact downloads, and public repositories matching the observed Dune-themed staging pattern; delete any identified malicious content

  • Audit npm packages accessible to affected credentials for unauthorized version changes or newly added install hooks; review downstream projects that may have consumed republished packages

  • Implement --ignore-scripts as a standing policy for npm installations in CI/CD environments to prevent preinstall and postinstall hooks from executing in automated builds

  • Enforce environment-level approval gates on workflows that publish to package registries, including those using OIDC Trusted Publishing, and restrict GitHub Actions token permissions to the minimum required scope

  • Block connections to audit.checkmarx[.]cx and 94[.]154[.]172[.]43; note that blocking the primary C2 endpoint alone is insufficient due to GitHub API-based fallback exfiltration channels.

    • Full egress lockdown in CI/CD runners is the recommended defense-in-depth control

  • Pin dependencies to exact, verified versions and implement continuous monitoring of package registries for unexpected publishes or version changes in dependencies your organization relies on

  • Implement multi-factor authentication on all accounts with access to code repositories, package registries, and CI/CD systems
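The GitHub audit recommended above, as an added example (not from the original advisory): it triages a repository inventory against the staging-repository name pattern and descriptions, the format-check.yml workflow path, and the format-results.txt artifact. The inventory shape, the regex reading of <word>-<word>-<3 digits>, and the severity labels are assumptions; the sample records are constructed.

```python
import re

# Assumption: the pattern is two alphabetic words and exactly three digits;
# the advisory does not publish the word list.
STAGING_NAME = re.compile(r"^[A-Za-z]+-[A-Za-z]+-\d{3}$")
STAGING_DESCRIPTIONS = {
    "Checkmarx Configuration Storage",
    "Shai-Hulud: The Third Coming",
}
WORKFLOW_PATH = ".github/workflows/format-check.yml"
ARTIFACT_NAME = "format-results.txt"

# Constructed sample inventory (hypothetical export: one dict per repository).
SAMPLE_INVENTORY = [
    {"name": "alpha-beta-123", "description": "Checkmarx Configuration Storage",
     "private": False},
    {"name": "web-app-2024", "description": "storefront", "private": False},
    {"name": "data-sync-101", "description": "internal ETL", "private": False},
    {"name": "payments-api", "private": True,
     "workflows": [".github/workflows/ci.yml", WORKFLOW_PATH],
     "artifacts": [ARTIFACT_NAME]},
]


def audit(inventory):
    """Return (severity, repo, reason) tuples, in inventory order."""
    findings = []
    for repo in inventory:
        name = repo.get("name", "")
        desc = (repo.get("description") or "").strip()
        if desc in STAGING_DESCRIPTIONS:
            findings.append(("high", name, f"staging description: {desc}"))
        elif STAGING_NAME.match(name) and not repo.get("private", False):
            # The name pattern alone also fits ordinary repos, so only review.
            findings.append(("review", name, "public repo name fits staging pattern"))
        if WORKFLOW_PATH in repo.get("workflows", []):
            # A legitimate workflow could share this filename; confirm its author.
            findings.append(("review", name, f"workflow present: {WORKFLOW_PATH}"))
        if ARTIFACT_NAME in repo.get("artifacts", []):
            findings.append(("high", name, f"artifact present: {ARTIFACT_NAME}"))
    return findings


if __name__ == "__main__":
    for severity, repo, reason in audit(SAMPLE_INVENTORY):
        print(f"[{severity}] {repo}: {reason}")
```

Because the advisory says the injected branch and workflow run are deleted afterwards, an empty result does not clear a repository; pair this with the organization audit log.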

Conclusion

This campaign represents a significant increase in the sophistication of supply chain attacks. The suspected TeamPCP actor compromised multiple trusted developer tools on Docker Hub, npm, and the VS Code extension marketplace simultaneously. By abusing GitHub Actions OIDC Trusted Publishing and using evasive methods such as Bun runtime execution and backdated commit injection, the attacker gained broad access to developer credentials and CI/CD pipeline secrets. The specific targeting of AI coding tool configurations signals a notable expansion of typical npm stealer tactics. We urge organizations to immediately rotate credentials and strengthen supply chain defenses, including egress lockdown in CI/CD runners and continuous monitoring of registries, to reduce exposure to these evolving threats.
