Bitwarden CLI npm Compromise: Detecting Malicious @bitwarden/cli Packages (v2024.8.0, v2024.7.1)

Security Arsenal Team
April 24, 2026

The software supply chain was struck again when attackers compromised the official Bitwarden CLI npm package, @bitwarden/cli. By publishing malicious versions 2024.8.0 and 2024.7.1, threat actors introduced a credential-stealing payload into the development environments of unsuspecting users. This is not a theoretical risk; the package was live and actively distributed. For developers and DevOps teams, the risk is immediate: the malicious code targets .npmrc, .env, and AWS credential files, exfiltrating them to a command-and-control (C2) server. Defenders must act now to identify compromised nodes and purge the malicious binaries.

Technical Analysis

  • Affected Products: @bitwarden/cli npm package.

  • Affected Versions: 2024.8.0 and 2024.7.1.

  • Platform: Node.js environments (Linux, macOS, Windows) running npm install.

  • Attack Vector: Supply Chain Compromise (Package Tampering).

  • Mechanism: The malicious versions contain obfuscated JavaScript designed to execute upon package installation or import. The payload performs the following actions:

    1. Scans for Secrets: It searches the filesystem for sensitive configuration files, specifically targeting .npmrc, .env, ~/.aws/credentials, and ~/.aws/config.
    2. Exfiltration: Identified credentials are sent via HTTP POST to a hard-coded IP address associated with the threat actors (20.2.68.4).
    3. Propagation (Capability): The code includes logic capable of spreading to other projects, potentially allowing the compromise to move laterally across linked dependencies or workspaces.
  • Exploitation Status: Confirmed Active. The malicious packages were published and available for download before being revoked by the npm registry and the Bitwarden team.

Detection & Response

The following detection rules and queries are designed to identify the installation of these specific versions and the network activity associated with the exfiltration of stolen data.

Sigma Rules

YAML
---
title: Bitwarden CLI - Malicious Package Installation
id: 9b2f8e12-4c5a-4f3d-8b1a-9c3d4e5f6a7b
status: experimental
description: Detects the installation of known malicious versions of the Bitwarden CLI npm package via npm process execution.
references:
  - https://www.bleepingcomputer.com/news/security/bitwarden-cli-npm-package-compromised-to-steal-developer-credentials/
author: Security Arsenal
date: 2024/10/09
tags:
  - attack.initial_access
  - attack.t1195.002
logsource:
  category: process_creation
  product: linux # Applicable to Windows/macOS via node.exe as well
detection:
  selection_tool:
    Image|endswith:
      - '/npm'
      - '/npm.cmd'
      - '/node'
      - '\npm.cmd'
      - '\node.exe'
  selection_package:
    CommandLine|contains: '@bitwarden/cli'
  selection_version:
    CommandLine|contains:
      - '2024.8.0'
      - '2024.7.1'
  condition: all of selection_*
falsepositives:
  - Legitimate installation of specific versions (unlikely given these are now marked malicious)
level: critical
---
title: Bitwarden CLI - C2 Traffic Detection
id: a1b2c3d4-5e6f-7a8b-9c0d-1e2f3a4b5c6d
status: experimental
description: Detects outbound network connections to the known C2 IP address associated with the Bitwarden CLI compromise.
references:
  - https://www.bleepingcomputer.com/news/security/bitwarden-cli-npm-package-compromised-to-steal-developer-credentials/
author: Security Arsenal
date: 2024/10/09
tags:
  - attack.exfiltration
  - attack.t1041
logsource:
  category: network_connection
  product: linux
detection:
  selection:
    DestinationIp: '20.2.68.4'
  condition: selection
falsepositives:
  - Unknown (IP is specific to this campaign)
level: critical

KQL (Microsoft Sentinel / Defender)

This query hunts for process execution events where npm is invoked to install the specific malicious versions, and unions them with network connection events to the attacker's IP so both indicators appear in one result set.

KQL — Microsoft Sentinel / Defender
// Hunt for malicious npm installations
// "contains" is used for the package name and version strings because the term-based
// "has" operator tokenises on the punctuation in "@bitwarden/cli" and "2024.8.0".
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine contains "@bitwarden/cli"
| where ProcessCommandLine contains "2024.8.0" or ProcessCommandLine contains "2024.7.1"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName
| extend IOCS = "Malicious NPM Version"
| union (
    DeviceNetworkEvents
    | where Timestamp > ago(7d)
    // Exact match: a prefix test on "20.2.68.4" would also match 20.2.68.40-49
    | where RemoteIP == "20.2.68.4"
    | project Timestamp, DeviceName, RemoteIP, RemoteUrl, InitiatingProcessFileName
    | extend IOCS = "Bitwarden CLI C2 Traffic", ProcessCommandLine = "Network Exfil"
)
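As an added example that is not part of the original advisory or its rules, the following Node.js code restates the process and network checks from the Sigma and KQL sections above as plain functions and runs them over constructed telemetry records (hostnames, image paths and command lines are made up). It departs from the rules in one deliberate way: it extracts the version spec that follows `@bitwarden/cli@` instead of testing for the two version strings anywhere in the command line, so a command that merely mentions both strings is not flagged, and it compares the destination IP exactly so that 20.2.68.40 through 20.2.68.49 are not matched.

```javascript
// Added example (not from the original advisory): the Sigma/KQL detection logic
// expressed as functions and run over constructed telemetry records.
const PACKAGE_NAME = '@bitwarden/cli';
const MALICIOUS_VERSIONS = new Set(['2024.8.0', '2024.7.1']);
const C2_IP = '20.2.68.4'; // IoC from the advisory

// Pull the explicit version spec from an npm command line, e.g.
// "npm install @bitwarden/cli@2024.8.0" -> "2024.8.0". Returns null when no
// numeric version is requested ("@latest" or a bare package name).
function requestedVersion(commandLine) {
  const m = /@bitwarden\/cli@([0-9][^\s"']*)/.exec(commandLine);
  return m ? m[1] : null;
}

// Process-creation check: npm/node launched with a malicious version explicitly requested.
function isMaliciousInstall(event) {
  const image = (event.Image || '').replace(/\\/g, '/'); // normalise Windows paths
  if (!/\/(npm|npm\.cmd|node|node\.exe)$/.test(image)) return false;
  if (!event.CommandLine || !event.CommandLine.includes(PACKAGE_NAME)) return false;
  const version = requestedVersion(event.CommandLine);
  return version !== null && MALICIOUS_VERSIONS.has(version);
}

// Network check: exact IP comparison. A prefix test ("startswith 20.2.68.4") would
// also match 20.2.68.40 through 20.2.68.49, so it is deliberately not used.
function isC2Connection(event) {
  return event.DestinationIp === C2_IP;
}

// Run both checks over a batch of records and return the resulting alerts.
function triage(events) {
  const alerts = [];
  for (const e of events) {
    if (e.type === 'process_creation' && isMaliciousInstall(e)) {
      alerts.push({ host: e.Host, rule: 'Malicious NPM Version', detail: e.CommandLine });
    } else if (e.type === 'network_connection' && isC2Connection(e)) {
      alerts.push({ host: e.Host, rule: 'Bitwarden CLI C2 Traffic', detail: e.DestinationIp });
    }
  }
  return alerts;
}

// Constructed sample telemetry; hosts, paths and command lines are made up.
const SAMPLE_EVENTS = [
  { type: 'process_creation', Host: 'dev-01', Image: '/usr/bin/npm', CommandLine: 'npm install @bitwarden/cli@2024.8.0' },
  { type: 'process_creation', Host: 'dev-02', Image: 'C:\\Program Files\\nodejs\\npm.cmd', CommandLine: 'npm i -g @bitwarden/cli@2024.7.1' },
  { type: 'process_creation', Host: 'dev-03', Image: '/usr/bin/npm', CommandLine: 'npm install @bitwarden/cli@latest' },
  { type: 'process_creation', Host: 'dev-04', Image: '/usr/bin/bash', CommandLine: 'echo @bitwarden/cli 2024.8.0' },
  { type: 'network_connection', Host: 'dev-01', DestinationIp: '20.2.68.4', DestinationPort: 80 },
  { type: 'network_connection', Host: 'dev-05', DestinationIp: '20.2.68.40', DestinationPort: 443 },
];

// Expected: three alerts (dev-01 install, dev-02 install, dev-01 C2 connection).
for (const alert of triage(SAMPLE_EVENTS)) console.log(`[!] ${alert.host}: ${alert.rule} (${alert.detail})`);
```

An install without an explicit version (`@latest`) cannot be classified from the command line alone, which is why the lockfile and node_modules checks further down are still needed.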

Velociraptor VQL

This VQL artifact hunts for package-lock.json files that reference the malicious Bitwarden CLI versions. This is effective for finding compromised projects even after the install logs have rotated.

VQL — Velociraptor
-- Hunt for malicious Bitwarden CLI versions in package-lock.json
-- The pattern tolerates the newline and indentation between the package key and its
-- "version" field, and matches both the lockfileVersion 1 layout ("@bitwarden/cli": {...})
-- and the lockfileVersion 2/3 layout ("node_modules/@bitwarden/cli": {...}).
SELECT FullPath, Mtime, Size
FROM glob(globs="**/package-lock.json")
WHERE read_file(filename=FullPath)
   =~ '"(node_modules/)?@bitwarden/cli":\s*\{\s*"version":\s*"(2024\.8\.0|2024\.7\.1)"'

Remediation Script (Bash)

Use this script to scan local projects for the presence of the malicious package versions and remove them. Run this in your project root directories or CI/CD pipelines.

Bash / Shell
#!/bin/bash

# Remediation Script for Bitwarden CLI npm Compromise
# Targets versions 2024.8.0 and 2024.7.1

echo "[*] Scanning for malicious @bitwarden/cli versions..."

MALICIOUS_VERSIONS=("2024.8.0" "2024.7.1")
COMPROMISED=false

# Check if node_modules exists
if [ -d "node_modules/@bitwarden/cli" ]; then
    INSTALLED_VERSION=$(grep '"version"' node_modules/@bitwarden/cli/package.json | head -n 1 | awk -F: '{print $2}' | tr -d '" ,')
    
    if [[ " ${MALICIOUS_VERSIONS[@]} " =~ " ${INSTALLED_VERSION} " ]]; then
        echo "[!] ALERT: Malicious version ${INSTALLED_VERSION} detected."
        COMPROMISED=true
        echo "[*] Uninstalling malicious package..."
        npm uninstall @bitwarden/cli
        echo "[*] Reinstalling latest safe version..."
        npm install @bitwarden/cli@latest
    else
        echo "[+] Safe version ${INSTALLED_VERSION} detected."
    fi
else
    echo "[INFO] @bitwarden/cli not found in current project."
fi

if [ "$COMPROMISED" = true ]; then
    echo "[!] ACTION REQUIRED: Rotate all credentials found in .env, ~/.aws/, and .npmrc immediately."
fi

Remediation

  1. Identify and Replace: Immediately audit all environments where @bitwarden/cli is utilized. If versions 2024.8.0 or 2024.7.1 are found, they must be removed.
  2. Update Package: Upgrade to the latest verified version of the Bitwarden CLI. Run npm install @bitwarden/cli@latest to ensure you are pulling a clean package from the registry.
  3. Credential Rotation: This is critical. If you executed the compromised binary, assume your environment variables (.env), AWS credentials (~/.aws/), and npm tokens (.npmrc) were exfiltrated. Rotate all secrets and API keys associated with the affected development environment.
  4. Audit Supply Chain: Review package-lock.json files to ensure no residual references to the malicious versions exist. If using CI/CD pipelines, clear any cached layers or artifacts that might contain the malicious package.
