Technical Deep Dive: Bitwarden CLI `bw1.js` Malware Analysis

ICS_Security_Tom 4/23/2026

Just saw the detailed reports from JFrog and Socket regarding the ongoing Checkmarx supply chain campaign targeting the Bitwarden CLI. It looks like the attackers managed to publish a malicious version, specifically @bitwarden/cli@2026.4.0, which includes a nasty payload in a file named bw1.js.

If you are using the Bitwarden CLI in your CI/CD pipelines or local dev environments, you need to audit your package-lock. immediately. The presence of bw1.js is a major red flag as it's not part of the legitimate distribution.

Here is a quick check you can run to see if you have the malicious version installed:

```
npm ls @bitwarden/cli
```

And to hunt for the specific malicious file in your `node_modules` directories:

```
find . -path "*/node_modules/@bitwarden/cli/*" -name "bw1.js" -type f
```

If you find it, assume the environment is compromised. The JFrog report notes that this is part of a broader campaign, so keep an eye on other dependencies in your supply chain as well.

Has anyone set up automated linting rules or pre-commit hooks to block commits containing node_modules or specific unknown filenames like bw1.js? I'm looking to harden our git hooks against this kind of 'extra file' injection.
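An added example, not from this thread or from Bitwarden, JFrog or Socket: a POSIX sh script that combines the two checks above (the bw1.js file under the package, and the 2026.4.0 version recorded in package-lock.json) and whose `flag_paths` function can serve as the pre-commit gate asked about here. It assumes a project root with `node_modules/` and a v2/v3-style `package-lock.json`, and builds a constructed sample tree so it runs offline.

```shell
#!/bin/sh
# Added example (not from the thread): audit a project for the bw1.js /
# @bitwarden/cli 2026.4.0 indicators and block such paths in a pre-commit hook.
# Assumes package-lock.json uses the v2/v3 "packages" layout.
set -u

BAD_PKG='@bitwarden/cli'
BAD_VER='2026.4.0'
BAD_FILE='bw1.js'

# Read paths on stdin (one per line, e.g. from `git diff --cached --name-only`)
# and print those that must not be committed (anything under node_modules/
# or a file named bw1.js). Returns 1 if anything was flagged, 0 otherwise.
flag_paths() {
  hits=0
  while IFS= read -r p; do
    case "$p" in
      node_modules/*|*/node_modules/*|"$BAD_FILE"|*/"$BAD_FILE")
        printf 'blocked: %s\n' "$p"; hits=$((hits + 1)) ;;
    esac
  done
  [ "$hits" -eq 0 ]
}

# Audit an installed tree: the extra bw1.js inside the package, and the
# compromised version recorded for it in package-lock.json.
# Returns 1 if either indicator is present, 0 when the tree looks clean.
audit_tree() {
  root=$1; bad=0
  if find "$root" -path "*/node_modules/$BAD_PKG/*" -name "$BAD_FILE" -type f | grep -q .; then
    echo "found $BAD_FILE under $BAD_PKG in $root"; bad=1
  fi
  lock="$root/package-lock.json"
  if [ -f "$lock" ] && awk -v key="\"node_modules/$BAD_PKG\"" -v ver="\"$BAD_VER\"" '
      index($0, key) { inpkg = 1; next }
      inpkg && /"version"/ { if (index($0, ver)) found = 1; inpkg = 0 }
      END { exit found ? 0 : 1 }' "$lock"; then
    echo "package-lock.json records $BAD_PKG@$BAD_VER"; bad=1
  fi
  [ "$bad" -eq 0 ]
}

# Constructed sample tree (not real package data) so the script runs offline.
make_sample_tree() {
  d=$(mktemp -d); mkdir -p "$d/node_modules/$BAD_PKG"
  : > "$d/node_modules/$BAD_PKG/$BAD_FILE"
  printf '{"packages": {\n  "node_modules/%s": {\n    "version": "%s"\n  }\n}}\n' \
    "$BAD_PKG" "$BAD_VER" > "$d/package-lock.json"
  echo "$d"
}
```

As a pre-commit hook, pipe the staged file list into the gate: `git diff --cached --name-only | flag_paths || exit 1`.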

IAM_Specialist_Yuki 4/23/2026

Good callout on the bw1.js file. We just pushed a policy in our Sonatype IQ instance to block any versions publishing that specific hash. For immediate detection on endpoints, our SOC is rolling out this Sigma rule to catch any shell activity spawned by node processes trying to reach out to unknown C2s:

```yaml
# Completed into a full Sigma rule: title and logsource added around the
# posted detection block; the selection itself is unchanged.
title: Node Process Executing bw1.js (Bitwarden CLI Supply Chain Payload)
status: experimental
logsource:
  category: process_creation
detection:
  selection:
    process_name: node
    command_line|contains: 'bw1.js'
  condition: selection
```

It's a noisy rule if you don't filter, but better safe than sorry right now.
Compliance_Beth 4/23/2026

We're using Bitwarden heavily for secrets management in our automation. I've pinned the version in our package. to the previous safe release (2026.3.1) for now. It's a temporary fix, but it stops the npm install from grabbing the compromised 2026.4.0 version.

```
npm install @bitwarden/cli@2026.3.1 --save-exact
```

Definitely need to review our SBOM. This supply chain stuff is getting out of hand.

BlueTeam_Alex 4/23/2026

It's wild that this slipped through. For those managing fleet-wide updates, I'd recommend checking your npm mirror or Artifactory instance. If you've already cached 2026.4.0, you need to delete the artifact from your repo so internal builds don't continue to pull the bad version.
