TL;DR

On 2026-04-22, a malicious @bitwarden/cli v2026.4.0 (the package has ~70K weekly / ~250K monthly downloads) was published to npm and stayed live for ~90 minutes (≈17:57–19:30 ET) before takedown — ~334 downloads of the bad version. Beyond the usual multi-cloud credential harvesting + self-propagating npm worm, this payload shipped a dedicated module that hunts authenticated AI coding assistants — it specifically scrapes AI-tool configuration and MCP-related files (Claude Code, Cursor, Codex CLI). Researchers call it the first documented supply-chain attack that explicitly targets AI coding assistant credentials. Part of the "Shai-Hulud: The Third Coming" campaign attributed to TeamPCP (UNC6780) — the same actor behind the Mini Shai-Hulud wave.

What happened

TeamPCP backdoored @bitwarden/cli as one arm of an ongoing supply-chain campaign that also weaponized Checkmarx distribution channels (the "Shai-Hulud: The Third Coming" wave). The malicious 2026.4.0 was published via a compromised release path and self-described in commit strings as "Shai-Hulud: The Third Coming." Bitwarden confirmed the npm package compromise and stated its investigation found no evidence that end-user vault data, production data, or production systems were accessed — the blast radius is anyone who installed the poisoned CLI, not Bitwarden vault holders.

The payload is a multi-stage stealer-worm with several modules:

  • Multi-cloud credential harvester across six secret surfaces — Azure, AWS, GCP, GitHub, npm tokens — plus SSH material and shell history.
  • AI-tooling collector (novel). A module that specifically targets authenticated AI coding assistants: AI-tool configuration files and MCP-related files (e.g. Claude Code / Cursor / Codex CLI config and credentials). This is the headline first — malware that treats your logged-in AI dev tools as a credential store.
  • Self-propagating npm worm. Re-infects every npm package the victim's token can publish, backdooring them in turn (the Shai-Hulud propagation model).
  • GitHub commit dead-drop C2 with RSA-signed command delivery — commands are fetched from attacker commits and verified by signature, so a takedown of one repo doesn't break control.
  • Authenticated-encryption exfiltration designed to survive repository seizure (stolen data stays confidential even if the staging repo is recovered).
  • Shell RC persistence (writes to .bashrc / .zshrc-style startup files).

This is a sibling of the Nx Console compromise (which scooped ~/.claude/settings.json) and an escalation of the AI-agent → AI-agent supply-chain pattern: the AI dev-tool credential surface is now a first-class objective, not incidental loot.

Am I affected?

You are at risk if @bitwarden/cli@2026.4.0 was installed (directly, via CI, or transitively) during the ~90-minute window on 2026-04-22.

# Lockfile / install check (npm, pnpm, yarn)
grep -rn '"@bitwarden/cli"' package-lock.json pnpm-lock.yaml yarn.lock 2>/dev/null | grep '2026.4.0'
npm ls @bitwarden/cli 2>/dev/null | grep '2026.4.0'

# Globally installed?
npm ls -g @bitwarden/cli 2>/dev/null

# Did the worm read your AI-tool config? Review for unexpected access / modification.
ls -la ~/.claude/ ~/.codex/ ~/.cursor/ 2>/dev/null
grep -RIl . ~/.claude/settings.json ~/.config/claude 2>/dev/null

# Look for shell-RC persistence and dead-drop indicators
tail -n 20 ~/.bashrc ~/.zshrc 2>/dev/null

If 2026.4.0 is/was present: assume every credential reachable from that host is compromised — cloud keys (Azure/AWS/GCP), GitHub + npm tokens, SSH keys — and any API keys / MCP server tokens referenced by your AI-tool configs (Claude Code, Cursor, Codex). Rotate, then check whether your own npm packages were republished by the worm.

IOCs

Type Value
Threat actor TeamPCP (UNC6780) — "Shai-Hulud: The Third Coming"
Malicious package @bitwarden/cli v2026.4.0 (npm)
Live window 2026-04-22, ≈17:57–19:30 ET (~90 min)
Downloads of bad version ~334
Targets Azure/AWS/GCP, GitHub + npm tokens, SSH, shell history, AI-tool config + MCP files
C2 GitHub commit dead-drop, RSA-signed command delivery
Persistence shell RC files; npm worm republish of victim-publishable packages
Campaign siblings Trivy (Mar), Checkmarx KICS / Jenkins AST Plugin, Mini Shai-Hulud / TanStack

If you are affected

playbooks/if-you-installed-a-bad-npm-package.mdplaybooks/if-your-npm-token-leaked.md — especially: check whether the worm republished your packages. → playbooks/if-your-github-pat-leaked.mdplaybooks/rotating-cloud-credentials.mdplaybooks/if-an-mcp-server-was-malicious.md — closest analogue for "my AI tool's credentials were harvested." Rotate every model API key and MCP server token referenced by ~/.claude, ~/.codex, ~/.cursor, and re-review those files for attacker-planted hooks/servers.

Prevention

prevention/npm-hardening.md — pin versions; use --ignore-scripts; cooldown before adopting fresh releases of credential-adjacent CLIs. → prevention/credential-hygiene.md — don't leave long-lived cloud/GitHub/npm tokens on dev machines; treat logged-in AI tools as credential stores worth protecting. → prevention/mcp-hygiene.md → Treat npm install -g of any security/credential tool as high-risk; prefer official signed binaries over the npm distribution where one exists.

Sources