On April 20, 2026, at around 5:00 pm CET, the coding world was alerted after a widely used tool called @bitwarden/cli was found to be compromised. According to researchers at GitGuardian, who shared their analysis with Hackread.com, the attack was a calculated operation by a group called TeamPCP, who used what researchers describe as a cross-campaign pivot to exploit trusted developer tools.
For context, Bitwarden is an open-source password manager that stores and encrypts sensitive data like passwords, API keys, and secure notes in a protected vault, accessible across devices. It uses end-to-end encryption so only the user can read their data.
The Bitwarden CLI is a command-line interface that lets developers interact with the vault directly from a terminal, often used in scripts, automation, and CI pipelines to retrieve secrets. The Bitwarden CLI package, typically distributed via npm as @bitwarden/cli, is the installable version of this tool, making it easy for developers to integrate secure credential access into development workflows.
The Return of Shai Hulud
The hackers used a self-propagating worm known as Shai-Hulud (also tracked as CanisterSprawl). Most malware fails when its home base is blocked, but this one has a backup plan. Researchers noted that if the malware cannot reach its primary command-and-control host, auditcheckmarxcx, it falls back to GitHub itself as a C2 (command and control) channel: it searches public GitHub commits for a specific marker string, LongLiveTheResistanceAgainstMachines.
Further investigation revealed that these public commits contained GitHub Personal Access Tokens (PATs) and fresh instructions for the worm. In one instance, the hackers used a repository named helloworm00/hello-world to broadcast a new exfiltration domain: safely-irc-weblogs-fewtrycloudflarecom.
The malware then creates a new repository under the victim’s own GitHub account to upload encrypted credential blobs. This approach makes the theft look like normal developer activity.
Targeting AI Assistants
Shai-Hulud is also designed to poison AI coding assistants. It scans the system for six specific tools: Claude Code, Gemini CLI, Codex CLI, Kiro CLI, Aider, and OpenCode. If any is found, the malware injects a 3,500-byte heredoc block (shell syntax for embedding a multi-line chunk of text or code directly inside a script) into the ~/.bashrc and ~/.zshrc files.
These files are the startup scripts for the user's shell, which is what makes this step so effective: code injected there runs automatically every time the developer opens a terminal.
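One defensive check that follows from this: audit shell startup files for heredoc blocks that are unusually large or that reference the assistants named above. The script below is an added example, not code from GitGuardian, Bitwarden or the report; the 2,000-byte threshold and the sample rc content are constructed assumptions, not indicators from the report.

```python
"""Audit shell startup files (~/.bashrc, ~/.zshrc) for injected heredoc blocks.

Added example; not GitGuardian's or Bitwarden's code. It locates every heredoc
in a shell file, reports its size, and flags blocks that are large or mention
the AI coding assistants named in the article. The size threshold and the
sample file are constructed heuristics, not indicators from the report.
"""
import re
from pathlib import Path

# Assistants the report says the worm looks for (names taken from the article).
AI_TOOLS = ("claude", "gemini", "codex", "kiro", "aider", "opencode")
SIZE_THRESHOLD = 2000  # bytes; assumed value, tune for your environment

# "<<EOF", "<<-EOF", "<<'EOF'" and "<<\"EOF\"" all start a heredoc.
HEREDOC_START = re.compile(r"<<-?\s*['\"]?(?P<tag>[A-Za-z_][A-Za-z0-9_]*)['\"]?")


def find_heredocs(text):
    """Return (delimiter, start_line, body) for every heredoc in the text."""
    lines = text.splitlines()
    found = []
    i = 0
    while i < len(lines):
        m = HEREDOC_START.search(lines[i])
        if not m:
            i += 1
            continue
        tag = m.group("tag")
        body = []
        j = i + 1
        # The body runs until a line consisting solely of the delimiter.
        while j < len(lines) and lines[j].strip() != tag:
            body.append(lines[j])
            j += 1
        found.append((tag, i + 1, "\n".join(body)))
        i = j + 1
    return found


def assess(text, threshold=SIZE_THRESHOLD):
    """Flag heredocs that exceed the size threshold or mention assistant tooling."""
    findings = []
    for tag, line_no, body in find_heredocs(text):
        size = len(body.encode())
        lower = body.lower()
        tools = [t for t in AI_TOOLS if t in lower]
        if size >= threshold or tools:
            findings.append({"line": line_no, "delimiter": tag, "bytes": size, "tools": tools})
    return findings


def audit_rc_files(paths=(Path.home() / ".bashrc", Path.home() / ".zshrc")):
    """Run assess() over the real startup files; missing files are skipped."""
    return {str(p): assess(p.read_text(errors="replace")) for p in paths if p.exists()}


# Constructed sample: one benign heredoc and one that references the six assistants.
SAMPLE_RC = "\n".join([
    "export PATH=$HOME/bin:$PATH",
    "cat <<EOF > /dev/null",
    "harmless banner",
    "EOF",
    "bash <<'INJECT'",
    "for t in claude gemini codex kiro aider opencode; do",
    "  command -v \"$t\" >/dev/null && echo \"$t present\"",
    "done",
    "INJECT",
])

if __name__ == "__main__":
    for finding in assess(SAMPLE_RC):
        print("sample:", finding)
    for path, findings in audit_rc_files().items():
        print(path, findings or "no suspicious heredocs")
```

A clean rc file normally contains no heredocs at all, so even a single hit is worth reading by hand; the tool-name check catches small loaders that stay under the size threshold.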
Unusual Discovery
A shocking finding is that the initial access vector was Dependabot, a trusted automation bot built into GitHub. This tool automatically fetched a trojanized Checkmarx KICS Docker image (specifically the checkmarx/kics:latest tag) on April 22, 2026.
“One confirmed victim environment shows the attack began with the Checkmarx KICS Docker image compromise on April 22, 2026. Dependabot pulled the trojanized checkmarx/kics:latest tag during an automated dependency update, executing the payload in CI with access to repository secrets. This confirms the cross-campaign pivot that TeamPCP has used throughout this wave: compromise a trusted CI tool, harvest runner credentials, use those credentials to propagate further,” the report reveals.
This made the attack particularly hard to stop. Dependabot is a trusted, automated system meant to improve security, yet here it was used to bypass human review entirely. Because it runs with elevated CI (Continuous Integration) permissions, the attackers were able to steal repository secrets with zero human intervention.
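The root of this step is that a CI job pulled a floating image tag (checkmarx/kics:latest), so whatever the registry served at that moment ran with the runner's secrets. A practical control is to reject image references that are not pinned to an immutable @sha256 digest. The checker below is an added example, not code from GitGuardian, Checkmarx or GitHub; the Dockerfile and workflow snippets are constructed and the digest shown is a placeholder, not a real image digest.

```python
"""Flag container image references in CI that can silently change.

Added example; not GitGuardian's, Checkmarx's or GitHub's code. It scans
Dockerfile and CI YAML text for image references and reports every one that
is not pinned to an immutable @sha256 digest, distinguishing floating tags
such as :latest from ordinary version tags. Sample inputs are constructed.
"""
import re

# Matches "FROM image", "image: image" and "container: image" lines.
# Only spaces/tabs are allowed after the keyword so a bare "container:" line
# does not swallow the reference on the following line.
IMAGE_LINE = re.compile(
    r"^[ \t]*(?:FROM[ \t]+(?:--platform=\S+[ \t]+)?|image:[ \t]*|container:[ \t]*)"
    r"(?P<ref>[^\s#]+)",
    re.IGNORECASE | re.MULTILINE,
)
# Tags that are commonly re-pointed to new builds (assumed list; extend as needed).
MUTABLE_TAGS = {"latest", "main", "master", "stable", "edge", "nightly"}


def classify(ref):
    """Return 'digest', 'mutable-tag', 'untagged' or 'tag' for one image reference."""
    ref = ref.strip("\"'")
    if "@sha256:" in ref:
        return "digest"
    # Split off the tag; a ':' that belongs to a registry port has a '/' after it.
    name, sep, tag = ref.rpartition(":")
    if not sep or "/" in tag:
        return "untagged"  # no tag at all means :latest by default
    return "mutable-tag" if tag in MUTABLE_TAGS else "tag"


def find_unpinned(text):
    """List (reference, kind) for every image reference not pinned to a digest."""
    results = []
    for m in IMAGE_LINE.finditer(text):
        ref = m.group("ref").strip("\"'")
        kind = classify(ref)
        if kind != "digest":
            results.append((ref, kind))
    return results


# Constructed inputs: a Dockerfile and a GitHub Actions workflow fragment.
SAMPLE_DOCKERFILE = """\
FROM node:20-alpine
FROM --platform=linux/amd64 registry.example.com:5000/tools/scanner
RUN echo build
"""
SAMPLE_WORKFLOW = """\
jobs:
  scan:
    container:
      image: checkmarx/kics:latest
    steps:
      - uses: actions/checkout@v4
  pinned:
    container:
      image: example/pinned@sha256:0000000000000000000000000000000000000000000000000000000000000000  # placeholder digest
"""

if __name__ == "__main__":
    for ref, kind in find_unpinned(SAMPLE_DOCKERFILE + SAMPLE_WORKFLOW):
        print(f"{kind:12} {ref}")
```

Run it as a pre-merge check over Dockerfiles and workflow files; a version tag ("tag") is better than :latest but can still be re-pushed, so the only kind the check lets through unreported is a digest.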
“This isn’t a developer manually installing something sketchy,” lead researcher Guillaume Valadon noted in the blog post, explaining that because Dependabot ran automatically, “no one was watching.” This allowed the threat actors to steal credentials and propagate the attack further.
To prevent future incidents, researchers recommend that companies apply a cooldown period before installing new dependency updates, giving the security community enough time to find and flag hidden malware before it reaches their systems.
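A cooldown policy is simple to implement because the npm registry's package document includes a "time" map of version to publish timestamp. The script below is an added example (not GitGuardian's, Bitwarden's or npm's code) that picks the newest stable version old enough to install and explains why the current "latest" tag is rejected; the package name, versions, timestamps and the seven-day window are constructed assumptions.

```python
"""Apply a dependency cooldown before accepting a newly published version.

Added example; not GitGuardian's, Bitwarden's or npm's code. It reads an
npm-registry-style package document (the registry returns a "time" map of
version -> ISO publish timestamp) and selects the highest stable version that
has been public for at least the cooldown period. The package name, versions
and timestamps below are constructed.
"""
from datetime import datetime, timedelta, timezone

COOLDOWN_DAYS = 7  # assumed policy value


def _parse_iso(ts):
    # Registry timestamps look like 2026-04-20T15:00:00.000Z
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def _version_key(v):
    # Numeric tuple for ordering; prereleases are skipped before this is called.
    return tuple(int(part) for part in v.split("."))


def select_cooled_version(doc, now, cooldown_days=COOLDOWN_DAYS):
    """Highest stable version published at least cooldown_days before now, or None."""
    cutoff = now - timedelta(days=cooldown_days)
    eligible = []
    for version, published in doc["time"].items():
        # "created"/"modified" are package-level entries; "-" marks a prerelease.
        if version in ("created", "modified") or "-" in version:
            continue
        if _parse_iso(published) <= cutoff:
            eligible.append(version)
    return max(eligible, key=_version_key) if eligible else None


def check_latest(doc, now, cooldown_days=COOLDOWN_DAYS):
    """Report whether the registry's `latest` tag is old enough to install."""
    latest = doc["dist-tags"]["latest"]
    age = now - _parse_iso(doc["time"][latest])
    allowed = age >= timedelta(days=cooldown_days)
    return {
        "latest": latest,
        "age_days": age.days,
        "allowed": allowed,
        "install_instead": None if allowed else select_cooled_version(doc, now, cooldown_days),
    }


# Constructed registry document for a hypothetical package.
NOW = datetime(2026, 4, 22, 12, 0, tzinfo=timezone.utc)
SAMPLE_DOC = {
    "name": "example-cli",
    "dist-tags": {"latest": "2026.4.1"},
    "time": {
        "created": "2025-01-10T09:00:00.000Z",
        "modified": "2026-04-20T15:00:00.000Z",
        "2026.3.0": "2026-03-02T10:00:00.000Z",
        "2026.3.1": "2026-03-30T10:00:00.000Z",
        "2026.4.0-beta.1": "2026-04-10T10:00:00.000Z",
        "2026.4.1": "2026-04-20T15:00:00.000Z",  # published less than two days ago
    },
}

if __name__ == "__main__":
    print(check_latest(SAMPLE_DOC, NOW))
```

The same rule can be expressed declaratively: Dependabot's dependabot.yml supports a cooldown setting that delays update pull requests by a configurable number of days, which is the mechanism this article's recommendation points at.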
