Bitwarden CLI Is the Next Compromise In Checkmarx Supply Chain Campaign
Friday April 24, 2026 @05:00PM (BeauHD)
from the latest-victim dept.
- Reference: 0182445254
- News link: https://it.slashdot.org/story/26/04/24/2032218/bitwarden-cli-is-the-next-compromise-in-checkmarx-supply-chain-campaign
- Source link:
Longtime Slashdot reader [1]Himmy32 writes:
> Socket Security [2]published an article on the compromise of the Bitwarden CLI client, which was pushed from Bitwarden's client repository. This breach was the next in a chain of supply-chain attacks that have [3]affected Checkmarx KICS and [4]Aqua Security's Trivy scanners.
>
> The breach was quickly detected and [5]reported by JFrog on the GitHub repository; JFrog also provided [6]a technical write-up. The Bitwarden team has released statements on [7]a blog post indicating that the compromise did not affect vault or customer data. Only 334 downloads of the affected CLI client took place before removal and remediation.
[1] https://slashdot.org/~Himmy32
[2] https://socket.dev/blog/bitwarden-cli-compromised
[3] https://thehackernews.com/2026/04/malicious-kics-docker-images-and-vs.html
[4] https://arstechnica.com/security/2026/03/widely-used-trivy-scanner-compromised-in-ongoing-supply-chain-attack/
[5] https://github.com/bitwarden/clients/issues/20353#issue-4315816376
[6] https://research.jfrog.com/post/bitwarden-cli-hijack/
[7] https://community.bitwarden.com/t/bitwarden-statement-on-checkmarx-supply-chain-incident/96127
"only 334" (Score:1)
So "only" 334 people/companies have had their data stolen through this exploit?
Somehow that doesn't make me feel all that much better...
Re: (Score:2)
> the compromise did not affect vault or customer data
from the article - "This targeting is unusually specific. In addition to standard developer secrets such as .npmrc and .git-credentials, the malware also hunts for AI tool configuration and MCP-related files, suggesting deliberate interest in environments where coding assistants or local automation tools may expose API keys or workflow secrets."