
Bitwarden NPM Package Supply Chain Attack: Detection and Remediation Guide

Security Arsenal Team
April 25, 2026

Introduction

Bitwarden, a popular password manager, has been impacted by a supply chain attack targeting its Node Package Manager (npm) package. This attack, linked to threat actor TeamPCP and recently disclosed by Checkmarx, represents a sophisticated supply chain compromise that references the "Shai-Hulud" worm. The incident highlights the growing trend of attacking upstream dependencies rather than direct targets.

Defenders need to act immediately. If your organization uses Bitwarden packages or integrates with Bitwarden via npm dependencies, you may be vulnerable to credential theft or unauthorized access. Supply chain attacks are particularly insidious as they bypass traditional perimeter controls by exploiting trust in legitimate software distribution channels.

Technical Analysis

Affected Products and Platforms

  • Primary Target: Bitwarden npm package (@bitwarden/node)
  • Platform: JavaScript/Node.js environments
  • Environment: Development and production systems utilizing affected npm packages

Threat Actor Profile

  • Attributed Actor: TeamPCP
  • Attack Type: Supply chain compromise via npm repository
  • Associated Malware: Shai-Hulud worm

Attack Chain Analysis

  1. Initial Compromise: Threat actors compromised the Bitwarden npm package or a related dependency
  2. Malicious Injection: Malicious code was injected into the package, potentially in post-install scripts
  3. Package Distribution: The compromised package was published and distributed via the npm registry
  4. Victim Installation: Developers and CI/CD pipelines installed the compromised package
  5. Malicious Execution: Upon installation, the malicious code executed, potentially downloading and executing the Shai-Hulud worm or establishing command and control (C2) channels

Exploitation Status

  • Active Exploitation: Confirmed by Checkmarx research
  • Public PoC: Not publicly disclosed as of this writing
  • CISA KEV: Not yet added to CISA's Known Exploited Vulnerabilities catalog
  • Impact: Potential credential exposure, supply chain propagation, and persistence mechanisms

Detection & Response

SIGMA Rules

YAML
---
title: Suspicious Bitwarden NPM Package Installation
id: 89c3b5d2-4e7a-11ee-be56-0242ac120002
status: experimental
description: Detects installation of potentially compromised Bitwarden npm packages related to TeamPCP supply chain attack
references:
  - https://www.securityweek.com/bitwarden-npm-package-hit-in-supply-chain-attack/
author: Security Arsenal
date: 2023/08/02
tags:
  - attack.initial_access
  - attack.supply_chain
  - attack.t1195.002
logsource:
  category: process_creation
  product: linux
detection:
  selection:
    Image|endswith: '/npm'
    CommandLine|contains:
      - 'install @bitwarden/node'
      - 'install @bitwarden/'
  condition: selection
falsepositives:
  - Legitimate Bitwarden package installation
  - Development environment setup
level: high
---
title: Potential Shai-Hulud Worm Activity Related to TeamPCP
id: 89c3b5d2-4e7a-11ee-be56-0242ac120003
status: experimental
description: Detects suspicious network activity potentially related to Shai-Hulud worm associated with Bitwarden npm supply chain attack
references:
  - https://www.securityweek.com/bitwarden-npm-package-hit-in-supply-chain-attack/
author: Security Arsenal
date: 2023/08/02
tags:
  - attack.command_and_control
  - attack.t1071.004
logsource:
  category: network_connection
  product: linux
detection:
  selection:
    Image|endswith: '/node'
    Initiated: 'true'
  condition: selection
falsepositives:
  - Legitimate Node.js network activity
  - Normal npm package operations
level: medium

Microsoft Sentinel / Defender KQL

KQL — Microsoft Sentinel / Defender
// Run each of the three queries below as a separate hunt; each declares its own timeframe.

// Hunt for Bitwarden npm package installations
let timeframe = 30d;
DeviceProcessEvents
| where Timestamp >= ago(timeframe)
| where ProcessCommandLine has "npm"
| where ProcessCommandLine has "install"
| where ProcessCommandLine has "@bitwarden"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName
| order by Timestamp desc

// Check for Node.js network connections within one hour after an npm install on the same device.
// An exact-Timestamp join would never match; join on DeviceId and apply a time window instead.
let timeframe = 30d;
let npmInstallEvents =
    DeviceProcessEvents
    | where Timestamp >= ago(timeframe)
    | where ProcessCommandLine has "npm" and ProcessCommandLine has "install"
    | project DeviceId, InstallTime = Timestamp, InstallCommandLine = ProcessCommandLine;
DeviceNetworkEvents
| where Timestamp >= ago(timeframe)
| where InitiatingProcessFileName in~ ("node", "node.exe")
| where InitiatingProcessCommandLine has "@bitwarden" or InitiatingProcessCommandLine has "node_modules/.bin"
| join kind=inner npmInstallEvents on DeviceId
| where Timestamp between (InstallTime .. (InstallTime + 1h))
| project Timestamp, DeviceName, RemoteUrl, RemoteIP, RemotePort, InitiatingProcessCommandLine, InstallTime, InstallCommandLine
| order by Timestamp desc

// Check for file modifications in node_modules/@bitwarden directories
// (DeviceFileEvents exposes FolderPath and FileName; there is no FilePath column)
let timeframe = 30d;
DeviceFileEvents
| where Timestamp >= ago(timeframe)
| where FolderPath has "node_modules"
| where FolderPath has "@bitwarden" or FolderPath has "bitwarden"
| where ActionType in ("FileCreated", "FileModified")
| project Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessAccountName
| order by Timestamp desc

Velociraptor VQL

VQL — Velociraptor
-- Hunt for Bitwarden npm package files modified in the last 7 days
-- (the original filter "Mtime < now()-24h OR Mtime > now()-24h" matched every file)
SELECT
  OSPath,
  Mtime AS ModifiedTime,
  Atime AS AccessedTime,
  Ctime AS ChangedTime,
  Size
FROM glob(globs=["/root/.npm/@bitwarden/**",
                 "/home/*/.npm/@bitwarden/**",
                 "/usr/local/lib/node_modules/@bitwarden/**"])
WHERE Mtime > timestamp(epoch=now() - 7 * 24 * 3600)

-- Check for node processes running from bitwarden packages
SELECT Pid, Ppid, Name, Exe, CommandLine, Username, CreateTime
FROM pslist()
WHERE Name =~ "node" AND CommandLine =~ "@bitwarden"

-- Hunt for established network connections from those node processes.
-- VQL has no JOIN: foreach() runs the netstat() query once per matching process,
-- with that process's columns (ProcPid, ProcName, ...) in scope.
SELECT * FROM foreach(
  row={
    SELECT Pid AS ProcPid, Name AS ProcName, Username, CommandLine
    FROM pslist()
    WHERE Name =~ "node" AND CommandLine =~ "@bitwarden"
  },
  query={
    SELECT ProcPid AS Pid, ProcName AS Name, Username, CommandLine,
           Raddr.IP AS RemoteAddress, Raddr.Port AS RemotePort, Status AS State
    FROM netstat()
    WHERE Pid = ProcPid AND Status =~ "ESTABLISHED"
  })

Remediation Script

Bash / Shell
#!/bin/bash
# Bitwarden npm package supply chain remediation script
# Checks for and removes potentially compromised Bitwarden packages

# Colors for output
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m' # No Color

echo -e "${YELLOW}[+] Starting Bitwarden npm package security check...${NC}"

# Find all projects with Bitwarden dependencies.
# package.json files under node_modules belong to installed dependencies,
# not to projects, so they are excluded from the scan.
echo -e "${YELLOW}[+] Scanning for projects with Bitwarden dependencies...${NC}"
PROJECTS=$(find . -name "package.json" -type f -not -path "*/node_modules/*" 2>/dev/null)

if [ -z "$PROJECTS" ]; then
    echo -e "${RED}[-] No package.json files found.${NC}"
    exit 1
fi

# Read one path per line so project directories containing spaces are handled
while IFS= read -r package_file; do
    project_dir=$(dirname "$package_file")
    echo -e "${YELLOW}[+] Checking: $project_dir${NC}"

    # Check if package.json declares Bitwarden dependencies
    if grep -q "@bitwarden" "$package_file" 2>/dev/null; then
        echo -e "${RED}[!] Bitwarden dependency found in $package_file${NC}"

        # List all Bitwarden dependencies
        echo -e "${YELLOW}[+] Bitwarden packages in use:${NC}"
        grep "@bitwarden" "$package_file"

        # Check node_modules directory for installed Bitwarden packages
        if [ -d "$project_dir/node_modules/@bitwarden" ]; then
            echo -e "${RED}[!] Found installed Bitwarden packages in node_modules${NC}"
            ls -la "$project_dir/node_modules/@bitwarden"

            # Identify files modified in the last 7 days
            echo -e "${YELLOW}[+] Checking for recent modifications...${NC}"
            find "$project_dir/node_modules/@bitwarden" -type f -mtime -7 -ls
        fi

        # Create a backup of package.json before modification
        cp "$package_file" "$package_file.bak"
        echo -e "${GREEN}[+] Backed up $package_file to $package_file.bak${NC}"
    else
        echo -e "${GREEN}[+] No Bitwarden dependencies found in $package_file${NC}"
    fi
done <<< "$PROJECTS"

echo -e "${YELLOW}[+] Remediation steps:${NC}"
echo -e "${YELLOW}[+] 1. Update Bitwarden packages to latest secure versions:${NC}"
echo -e "    npm update @bitwarden/node @bitwarden/other-components"
echo -e "${YELLOW}[+] 2. If update is not available, remove packages entirely:${NC}"
echo -e "    npm uninstall @bitwarden/node @bitwarden/other-components"
echo -e "${YELLOW}[+] 3. Clear npm cache to prevent reinstallation of compromised versions:${NC}"
echo -e "    npm cache clean --force"
echo -e "${YELLOW}[+] 4. Audit project for vulnerabilities:${NC}"
echo -e "    npm audit"
echo -e "${YELLOW}[+] 5. Review and rotate any credentials that may have been exposed${NC}"

echo -e "${GREEN}[+] Check complete. Please review findings and follow remediation steps.${NC}"

Remediation

Immediate Actions Required

  1. Identify Affected Systems:
    • Review all development and production environments using Bitwarden npm packages
    • Check CI/CD pipelines that may install dependencies
  2. Update to Secure Versions:
    • Monitor the official Bitwarden npm page for patched versions
    • Update to the latest version as soon as patches are available
  3. Remove Compromised Packages:

Bash / Shell
   npm uninstall @bitwarden/node
   npm cache clean --force

  4. Reinstall Clean Versions:

Bash / Shell
   npm install @bitwarden/node@latest

  5. Credential Rotation:
    • Rotate any Bitwarden credentials that may have been exposed
    • Review access logs for unusual activity
    • Consider resetting master passwords if compromise is suspected

Verification Steps

  1. Check Package Integrity:

Bash / Shell
   npm audit
   npm list @bitwarden/node

  2. Monitor for Suspicious Activity:
    • Review logs for unauthorized access attempts
    • Monitor for unexpected network connections from Node.js processes
  3. Conduct Security Review:
    • Implement SLSA (Supply-chain Levels for Software Artifacts) principles
    • Consider implementing dependency lock files and integrity verification

Vendor Advisory

Refer to the official Bitwarden security advisories for the most up-to-date information:

Long-term Protections

  1. Implement Software Composition Analysis (SCA) tools
  2. Set up dependency monitoring for automatic notifications of vulnerability disclosures
  3. Establish security policies for third-party library usage
  4. Implement CI/CD security controls including package scanning before deployment
