Attackers target cloud and development credentials
The trojanized Bitwarden CLI version 2026.4.0 contained a custom loader called bw_setup.js that checks whether the bun package manager is installed and then uses it to execute bw1.js. If bun is not present, it is downloaded and installed from GitHub.
According to an analysis by security firm JFrog, the malicious payload is designed to detect and collect a broad range of credentials and access tokens from the filesystem, shell environment variables, and GitHub Actions configurations. Targeted credentials include GitHub and npm tokens, AWS and GCP credentials, API keys from MCP and AI agent configurations, Git credentials, SSH keys, and more.
If GitHub tokens are found, the malicious code automatically weaponizes them by contacting https://api.github.com/user and attempting multiple escalation paths, including executing GitHub Actions and listing secrets from their workflows.
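For defenders, the version number and loader file names reported above can be turned into a filesystem check. The following is an added example, not code from JFrog or Bitwarden: it walks a directory tree for installed copies of the CLI and flags version 2026.4.0 or the presence of bw_setup.js or bw1.js. The npm package name `@bitwarden/cli`, the function names, and the sample directory layout are assumptions made for illustration.

```python
import json
import os
import tempfile

# Indicators taken from the article; the npm package name is an assumption.
BAD_VERSION = "2026.4.0"
LOADER_FILES = {"bw_setup.js", "bw1.js"}
PACKAGE_NAME = "@bitwarden/cli"  # assumed npm name of the Bitwarden CLI


def scan_tree(root):
    """Return sorted (package_dir, reason) findings under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if "package.json" not in files:
            continue
        try:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
                meta = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, do not crash
        if not isinstance(meta, dict) or meta.get("name") != PACKAGE_NAME:
            continue
        if meta.get("version") == BAD_VERSION:
            findings.append((dirpath, "version " + BAD_VERSION))
        # Loader files may sit anywhere inside the package directory.
        for sub, _d, names in os.walk(dirpath):
            for hit in sorted(LOADER_FILES & set(names)):
                rel = os.path.relpath(os.path.join(sub, hit), dirpath)
                findings.append((dirpath, "file " + rel))
    return sorted(findings)


def build_constructed_tree(root):
    """Constructed sample layout: one flagged install, one clean install."""
    samples = (("a/node_modules/@bitwarden/cli", BAD_VERSION, ["bw_setup.js", "bw1.js"]),
               ("b/node_modules/@bitwarden/cli", "0.0.1", []))  # 0.0.1 is made up
    for rel, version, extra in samples:
        pkg = os.path.join(root, rel)
        os.makedirs(pkg)
        with open(os.path.join(pkg, "package.json"), "w", encoding="utf-8") as fh:
            json.dump({"name": PACKAGE_NAME, "version": version}, fh)
        for name in extra:
            open(os.path.join(pkg, name), "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_tree(tmp)
        for path, reason in scan_tree(tmp):
            print(path, "->", reason)
```

A hit means the host should be treated as exposed: every credential type listed in the article that was reachable from that machine or CI runner needs rotation, not just the package removed.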



