CRITICAL·supply-chain

Bitwarden CLI hijacked — supply-chain malware hunting Cursor / Codex / Claude credentials

A supply-chain attack hijacked the Bitwarden CLI. The malware specifically scanned filesystem paths used by AI coding tools — `.claude/`, `.cursor/`, `.continue/` — to harvest API keys for Claude, Cursor, and OpenAI Codex. The targeting was deliberate; AI-coding-tool credentials are now a high-value attacker objective.

Victim: Bitwarden CLI users (especially those running Cursor / Codex / Claude Code)

What happened

VibeEval Weekly and State of Surveillance reported the Bitwarden CLI compromise as part of the same April 2026 wave that included the Lovable BOLA breach and the Vercel × Context.ai incident. Together, the three breaches signaled that AI-tool-adjacent credentials are a discrete, lucrative class of attacker target — separate from generic AWS / GCP key hunting.

Timeline

  1. Compromised Bitwarden CLI release pushed to package registries.

  2. Malware scans filesystem for `.claude/`, `.cursor/`, `.continue/` directories on infected hosts.

  3. Harvested credentials exfiltrated to attacker infrastructure.

  4. VibeEval Weekly reports the incident as part of the April 2026 vibe-coding security wave.

Root cause

Supply-chain compromise of the Bitwarden CLI distribution chain. Combined with the explicit targeting of AI-coding-tool dot-directories, the attack reflects the new economic reality: AI-service API keys (Anthropic, OpenAI, OpenRouter) carry high LLMjacking value — a single Claude Opus key can rack up $50,000-$100,000/day per the documented 4.5-day victim case.

Impact

  • Unknown number of Bitwarden CLI users affected
  • Targeted harvest of Claude / Cursor / Codex / OpenAI credentials
  • Per Lakera's April 2026 research, 33 of 428 npm packages containing `.claude/settings.local.json` had live credentials
  • Estimated millions in LLMjacking damages downstream
Would Securie have caught it?

Yes — for the credential-hygiene side. Securie's secrets-lifecycle specialist flags AI-coding-tool credentials stored in `.claude/`, `.cursor/`, `.continue/` directories before commit / publish. The secret_scanner specialist's live_validate step probes for dot-directory inclusion in npm publish artifacts. Combined, every commit that adds these dot-dirs to a package gets a critical-severity finding before npm publish — which is exactly the artifact this attacker exploited downstream.

Lessons

  • Add `.claude/`, `.cursor/`, `.continue/` to .gitignore + .npmignore by default
  • Rotate AI-service API keys quarterly — LLMjacking damage scales with key age
  • AI coding tools should accept env-var-only credentials, never plaintext config
  • Supply-chain CLI tools are now targeted with AI-key-aware malware

References