The Butlerian Jihad: Compromised Bitwarden CLI Deploys Npm Worm, Poisons AI Assistants, and Dumps GitHub Secrets

Supply‑chain attacks on JavaScript ecosystems have surged as attackers exploit the trust developers place in popular tools. By publishing a counterfeit version of Bitwarden’s CLI, the threat actors leveraged the package’s legitimate reputation to reach a broad audience of developers who routinely install password‑manager utilities. npm’s open publishing model, combined with the preinstall script capability, creates a low‑friction vector for malicious code to execute before any user interaction, turning a routine dependency install into a full‑blown compromise.

The payload uses a layered approach: a preinstall script fetches the Bun runtime, then runs an obfuscated JavaScript dropper that enumerates and exfiltrates credentials from AWS, GCP, Azure, SSH, and even AI tool configuration files such as Claude and Kiro. It also injects a custom GitHub Actions workflow that serializes the entire secrets context into an artifact, giving the attackers persistent access to CI/CD pipelines. A novel twist is the invisible manifesto appended to ~/.bashrc and ~/.zshrc; while harmless to the shell, AI coding assistants that read these files ingest the text, effectively poisoning the model’s context without any executable trace.

For enterprises, the incident underscores the need for stricter supply‑chain hygiene: enforce signed commits, limit token scopes, and monitor preinstall scripts in dependencies. Automated scanning for unexpected workflow files and sudden changes in shell configs can surface early indicators of compromise. Rotating all tokens, revoking overly permissive GitHub scopes, and adopting zero‑trust CI/CD practices are essential steps to mitigate the fallout and prevent similar attacks from leveraging trusted open‑source projects as a delivery mechanism.