Bitwarden confirmed @bitwarden/cli@2026.4.0 shipped a malicious payload for 93 minutes April 22.
-
Bitwarden confirmed @bitwarden/cli@2026.4.0 shipped a malicious payload for 93 minutes April 22. Vector: Checkmarx's ast-github-action inside Bitwarden's build pipeline. The build carried "Shai-Hulud: The Third Coming" and stole GitHub tokens, npm tokens, SSH keys, .env files, cloud credentials. Anyone running npm install in that window had every credential compromised. Supply-chain attacks shop upstream of you, not at you.
-
This is why pinned actions with SHA hashes matter.
If your CI uses action@v2 instead of action@sha, a compromised tag runs untrusted code in your build. The Bitwarden incident is the textbook case.
Fix: replace every tag reference with a commit SHA. Add a CI check that rejects unpinned actions.
I scanned 15 workflows in a YC W23 repo and found 60+ unpinned references. The tooling exists. Most teams just have not run it.
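The CI check described in the reply above, as an added example that is not code from the thread or from any of the projects mentioned: it scans GitHub Actions workflow files for `uses:` references that are not pinned to a full 40-hex commit SHA (or, for `docker://` images, a `sha256:` digest), and exits non-zero so the pipeline fails. The sample workflow, the SHA and the digest inside it are constructed placeholders, and `example-vendor/scanner-action` is a hypothetical name.

```python
import re
import sys
from typing import List, Tuple

# A "uses:" step line; captures the reference and ignores any trailing comment
# (teams usually note the human-readable tag after the SHA in that comment).
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)['\"]?\s*(#.*)?$")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")          # immutable git commit
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")     # immutable image digest


def classify(ref: str) -> str:
    """Return 'ok', 'unpinned' or 'skip' for one uses: reference.

    Tags and branches (v4, main) are mutable: whoever controls the upstream
    repository can move them, which is exactly how a compromised action ends
    up running inside your build. Only a commit SHA or image digest is 'ok'.
    """
    if ref.startswith("./"):
        return "skip"                      # local action, lives in this repo
    if ref.startswith("docker://"):
        _, _, version = ref.partition("@")
        return "ok" if DIGEST_RE.match(version) else "unpinned"
    _, sep, version = ref.partition("@")
    if not sep:
        return "unpinned"                  # no @ref at all: floats to default branch
    return "ok" if FULL_SHA_RE.match(version) else "unpinned"


def find_unpinned(workflow_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, reference) for every mutable action reference."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m and classify(m.group(1)) == "unpinned":
            findings.append((lineno, m.group(1)))
    return findings


# Constructed sample workflow: the SHA and digest below are placeholders,
# not real commits or images, and example-vendor/scanner-action is hypothetical.
FAKE_SHA = "0123456789abcdef0123456789abcdef01234567"
FAKE_DIGEST = "sha256:" + "0" * 64
SAMPLE_WORKFLOW = f"""\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@{FAKE_SHA}  # v4 (tag noted for humans)
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.19
      - uses: docker://alpine@{FAKE_DIGEST}
      - name: scan
        uses: example-vendor/scanner-action@main
"""


def check_files(paths: List[str]) -> int:
    """Scan each workflow file; return 1 if any unpinned reference exists."""
    status = 0
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            for lineno, ref in find_unpinned(fh.read()):
                print(f"{path}:{lineno}: unpinned action reference {ref}")
                status = 1
    return status


if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(check_files(sys.argv[1:]))     # e.g. .github/workflows/*.yml
    for lineno, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"sample:{lineno}: unpinned action reference {ref}")
```

Run it as `python check_pins.py .github/workflows/*.yml` in a pre-merge job so a pull request that reintroduces `@v2` or `@main` fails before it lands; a SHA pin alone does not stop a compromised upstream from publishing a new commit, but it does stop that commit from reaching your build until someone deliberately bumps the pin.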
-
@canartuc Is this client or server update?
-