Bitwarden CLI compromised by supply chain attack

Published on April 24, 2026 | Translated from Spanish

The Checkmarx supply chain campaign has reached Bitwarden. Researchers from JFrog and Socket detected malicious code in version @bitwarden/cli@2026.4.0 of the password manager. The bw1.js file contains the malicious payload, exploiting vulnerabilities in the distribution process. Users are urged to verify their installations and migrate to a secure version to reduce risks.

[Image: a password manager with a broken lock and malicious code in the terminal, dark background with security alerts.]

Technical details of the malicious code in bw1.js 🛡️

The attack inserted an obfuscated script inside the Bitwarden CLI npm package, specifically in bw1.js. This code, when executed, could exfiltrate locally stored credentials and access tokens. The technique exploits trust in the npm ecosystem, where developers download packages without verifying their integrity. The compromised version, 2026.4.0, was distributed for a brief period before being detected. Researchers recommend auditing installation logs and using checksums to confirm software authenticity.
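As an added example (not code from the article, Bitwarden, JFrog or Socket), the following Python audit checks an installed copy of @bitwarden/cli for the two indicators the article names, the version 2026.4.0 and a file called bw1.js, and compares the sha512 integrity of the fetched tarball with the value pinned in package-lock.json. The install layout, the lockfile value and the tarball bytes are constructed for the demo.

```python
import base64
import hashlib
import json
import os
import tempfile

# Indicators taken from the article; nothing else about the payload is assumed.
COMPROMISED_VERSIONS = {"@bitwarden/cli": {"2026.4.0"}}
SUSPECT_FILES = {"bw1.js"}


def sri_sha512(data: bytes) -> str:
    """npm-style Subresource Integrity string, as stored in package-lock.json."""
    return "sha512-" + base64.b64encode(hashlib.sha512(data).digest()).decode()


def audit_package(pkg_dir, lock_integrity, tarball):
    """Return findings for one installed package directory.
    pkg_dir:        path to node_modules/@bitwarden/cli
    lock_integrity: the 'integrity' value recorded for it in package-lock.json
    tarball:        bytes of the tarball actually fetched for that version
    """
    findings = []
    with open(os.path.join(pkg_dir, "package.json")) as fh:
        meta = json.load(fh)
    name, version = meta["name"], meta["version"]
    if version in COMPROMISED_VERSIONS.get(name, set()):
        findings.append(f"{name}@{version} is the version named in the advisory")
    for root, _dirs, files in os.walk(pkg_dir):
        for fn in files:
            if fn in SUSPECT_FILES:
                rel = os.path.relpath(os.path.join(root, fn), pkg_dir)
                findings.append(f"suspect file present: {rel}")
    if sri_sha512(tarball) != lock_integrity:
        findings.append("tarball integrity does not match the lockfile")
    return findings


def demo():
    """Constructed install tree showing all three indicators (not a real copy)."""
    with tempfile.TemporaryDirectory() as tmp:
        pkg_dir = os.path.join(tmp, "node_modules", "@bitwarden", "cli")
        os.makedirs(os.path.join(pkg_dir, "build"))  # subfolder name is assumed
        with open(os.path.join(pkg_dir, "package.json"), "w") as fh:
            json.dump({"name": "@bitwarden/cli", "version": "2026.4.0"}, fh)
        with open(os.path.join(pkg_dir, "build", "bw1.js"), "w") as fh:
            fh.write("// constructed stand-in, not the real payload\n")
        locked = b"constructed tarball bytes as originally locked"
        fetched = locked + b" plus an injected file"  # constructed tampering
        return audit_package(pkg_dir, sri_sha512(locked), fetched)
```

On a real machine, point `audit_package` at the directory `npm root -g` reports, the `integrity` field from your own package-lock.json, and the tarball from the npm cache.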

Your password manager now also manages risks 😅

Because nothing says trust like finding out your password manager, the one that holds your bank and Netflix keys, now also stores malicious code. Bitwarden, the tool that promised to keep your data safe, has become the mailman delivering package bombs. The worst part is that the malware slipped in through the back door of npm, the same place where everyone downloads their dependencies like shopping at a flea market. At least the attackers had the decency to label their product well: 2026.4.0, a version you'll surely remember.