https://feed.craftedsignal.io/vendors/bitwarden/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioMon, 04 May 2026 11:28:56 +0000https://feed.craftedsignal.io/briefs/2026-05-bitwarden-cli-compromise/Mon, 04 May 2026 11:28:56 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-bitwarden-cli-compromise/A remote attacker can exploit a compromised Bitwarden CLI npm package to steal credentials and exfiltrate sensitive information.A compromised Bitwarden CLI npm package allows a remote, anonymous attacker to steal credentials and exfiltrate sensitive information. The specific version of the compromised package is not detailed in the advisory. This supply chain attack targets developers and users who rely on the Bitwarden CLI for managing their passwords and secrets. This attack has the potential to expose sensitive credentials, leading to unauthorized access to systems and data. Defenders need to monitor for unusual activity related to the Bitwarden CLI and its usage within their environments to mitigate this risk.

Attack Chain

1. Attacker compromises a Bitwarden CLI npm package through techniques such as typosquatting, account compromise, or dependency confusion.
2. Unsuspecting developers or users download and install the compromised package from the npm registry.
3. During installation, the malicious package executes malicious code injected by the attacker.
4. The malicious code collects Bitwarden credentials and other sensitive information stored in the CLI’s configuration.
5. The compromised package establishes a covert communication channel (e.g., HTTPS) to an attacker-controlled server.
6. Stolen credentials and sensitive information are exfiltrated to the attacker’s server.
7. The attacker uses the stolen credentials to access victim’s Bitwarden vaults or other systems.
8. The attacker may further escalate privileges and compromise additional systems within the victim’s environment using the stolen credentials.

Impact

Successful exploitation leads to the theft of sensitive credentials and information stored within Bitwarden CLI. The number of victims is currently unknown. Organizations using the compromised package could experience unauthorized access to critical systems, data breaches, and potential financial losses. The targeted sectors are broad, encompassing any organization utilizing the Bitwarden CLI for password management and secret storage.

Recommendation

• Monitor npm package installations for unusual activity or unexpected dependencies using process creation logs and file integrity monitoring.
• Implement strict code review processes for all third-party dependencies, especially those related to security tools like Bitwarden CLI.
• Deploy the Sigma rule detecting suspicious network connections from the Bitwarden CLI executable to identify potential data exfiltration.
• Enforce multi-factor authentication (MFA) on Bitwarden accounts to mitigate the impact of credential theft.
• Regularly audit and review the permissions and access rights associated with Bitwarden CLI credentials.

]]>criticaladvisorysupply-chaincredential-theftexfiltrationnpmhttps://feed.craftedsignal.io/briefs/2026-05-npm-supply-chain/Sat, 02 May 2026 00:10:33 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-npm-supply-chain/Threat actors are compromising npm packages, including those targeting SAP developers, to steal credentials, embed themselves in CI/CD pipelines, and deploy multi-stage payloads using techniques like wormable propagation and covert C2 channels on GitHub.The npm ecosystem is experiencing a surge in sophisticated supply chain attacks following the Shai-Hulud worm in September 2025. Attackers, including TeamPCP, are actively compromising npm packages to gain access to sensitive information and establish persistence within CI/CD pipelines. The attacks have evolved to include wormable propagation, infrastructure-level persistence, and multi-stage payloads designed to evade detection. In April 2026, two campaigns were observed: one included the string “Shai-Hulud: The Third Coming,” and the other, dubbed “Mini Shai-Hulud,” targeted the SAP developer ecosystem. The compromised packages are often part of SAP’s Cloud Application Programming (CAP) Model and multitarget application (MTA) build toolchain, increasing the likelihood of impacting enterprise developers and CI/CD pipelines with access to cloud credentials and GitHub tokens.

Attack Chain

1. Initial Compromise: Attackers compromise legitimate npm packages, such as @cap-js/sqlite, @cap-js/postgres, @cap-js/db-service, and mbt, by injecting malicious code.
2. Malicious Code Injection: Compromised packages receive two new files: setup.mjs and execution.js, along with a modified package.json containing a “preinstall” hook.
3. Execution of setup.mjs: During the npm install process, the preinstall hook executes setup.mjs, which detects the host OS and architecture.
4. Bun Runtime Download and Execution: setup.mjs downloads the Bun JavaScript runtime (v1.3.13) from GitHub releases and extracts it to a temporary directory.
5. Execution of execution.js: The Bun runtime executes execution.js, a large (11.7 MB) obfuscated credential stealer and propagation framework.
6. Credential Harvesting: execution.js harvests GitHub tokens, npm tokens, environment variables, GitHub Actions secrets, AWS STS identity, Azure Key Vault secrets, GCP Secret Manager values, and Kubernetes service account tokens. It also targets Claude and MCP configuration files and Electrum wallets.
7. Data Exfiltration: The collected data is compressed, encrypted, and exfiltrated to freshly created public GitHub repositories with randomized names and descriptions.
8. Propagation: The malware searches for commits containing the keyword “OhNoWhatsGoingOnWithGitHub,” decodes matching commit messages as a token dead-drop, recovers stolen GitHub tokens, and uses them to spread the malware to other packages.

Impact

Compromised npm packages can lead to the theft of sensitive credentials, including cloud provider credentials, GitHub tokens, and CI/CD secrets. Successful attacks can result in unauthorized access to cloud infrastructure, code repositories, and deployment pipelines. The Mini Shai-Hulud campaign targeted packages with approximately 570,000 weekly downloads, potentially impacting a large number of SAP developers and enterprise environments. The attackers use stolen credentials to further propagate the malware, increasing the scale and scope of the compromise.

Recommendation

• Rotate npm tokens and GitHub Personal Access Tokens (PATs) immediately if any affected packages were installed (refer to the list of affected packages in the IOC table).
• Monitor npm install processes for unexpected execution of node setup.mjs (see Attack Chain).
• Implement the Sigma rule “Detect Suspicious Bun Process Execution” to identify potential execution of the Bun runtime from temporary directories.
• Monitor network connections for unusual processes connecting to api.github[.]com/search/commits?q=OhNoWhatsGoingOnWithGitHub (see IOCs) to detect potential C2 activity.
• Deploy the Sigma rule “Detect Github Commit By Claude Email” to identify commits authored with the email claude@users.noreply.github.com to detect malicious commits.

]]>highthreatnpmsupply-chaincredential-theftgithub