bw1.js
Techniques & procedures
30 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access: 3 techniques
First, it validates stolen GitHub tokens against https://api.github.com/user.
JFrog security researchers identified a hijacked npm package published as @bitwarden/cli version 2026.4.0, impersonating the legitimate Bitwarden command line client.
When a valid npm token with bypass_2fa and package:write permissions is found, the malware pivots to active supply chain propagation... injects preinstall: node setup.mjs into package.json... Republishes to npm with the stolen auth token. | Bitwarden’s command-line interface (CLI) has been compromised in a software supply chain attack. The malicious version 2026.4.0 of the npm package @bitwarden/cli was available on npm...
Execution: 4 techniques
the payload used them to inject malicious workflows into victim repositories, giving the attacker a durable foothold and an automated path to spreading further.
The shell collector explicitly runs gh auth token and also captures process.env.
The malicious package.json declares version 2026.4.0 with legitimate-looking Bitwarden metadata. The attack vector is a single field: { "name": "@bitwarden/cli", "version": "2026.4.0", "scripts": { "preinstall": "node bw_setup.js" } } ... preinstall runs before npm finishes installing the package. The developer does not need to run the tool or import it. Installing is enough.
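As an added defender-side check (not code from this page or from any of the cited reports), the following Python audits a package.json for install-time lifecycle hooks of the kind quoted above and a package-lock.json for the compromised @bitwarden/cli version; the sample manifest and lockfile are constructed, and the hook regex is an assumption about what "runs a bundled script" looks like.

```python
import json
import re

# Lifecycle scripts npm runs automatically while installing a dependency.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

# Known-bad package/version from the Bitwarden CLI compromise described above.
COMPROMISED = {"@bitwarden/cli": {"2026.4.0"}}


def audit_package_json(text: str) -> list[str]:
    """Return findings for a package.json: known-bad version and install-time hooks."""
    pkg = json.loads(text)
    name, version = pkg.get("name", "?"), pkg.get("version", "?")
    findings = []
    if version in COMPROMISED.get(name, set()):
        findings.append(f"known compromised version: {name}@{version}")
    for hook, cmd in pkg.get("scripts", {}).items():
        if hook in INSTALL_HOOKS:
            findings.append(f"{name}@{version} runs '{cmd}' at {hook}")
            # A hook that executes a script file shipped in the tarball is the
            # exact shape seen here ("preinstall": "node bw_setup.js").
            if re.search(r"\bnode\s+\S+\.(c|m)?js\b", cmd):
                findings.append(f"  hook executes bundled script: {cmd}")
    return findings


def audit_lockfile(text: str) -> list[str]:
    """Return known-compromised entries in a package-lock.json (v2/v3 'packages' map)."""
    lock = json.loads(text)
    hits = []
    for path, meta in lock.get("packages", {}).items():
        if not path:
            continue  # the "" key is the root project itself
        name = path.rsplit("node_modules/", 1)[-1]  # handles nested node_modules
        if meta.get("version") in COMPROMISED.get(name, set()):
            hits.append(f"{path}: {name}@{meta['version']}")
    return hits


# Constructed sample: the manifest shape quoted in the write-up above.
MALICIOUS_MANIFEST = json.dumps({"name": "@bitwarden/cli", "version": "2026.4.0",
                                 "scripts": {"preinstall": "node bw_setup.js"}})

# Constructed sample: a project lockfile that pinned the bad version.
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "my-app", "version": "1.0.0"},
    "node_modules/@bitwarden/cli": {"version": "2026.4.0"},
    "node_modules/left-pad": {"version": "1.3.0"}}})

if __name__ == "__main__":
    for line in audit_package_json(MALICIOUS_MANIFEST) + audit_lockfile(SAMPLE_LOCK):
        print(line)
```

Run it against the package.json of each fetched tarball (before `npm install` executes scripts) and against the project lockfile; `npm install --ignore-scripts` is the blunt mitigation while you triage.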
Persistence: 5 techniques
the payload used them to inject malicious workflows into victim repositories, giving the attacker a durable foothold and an automated path to spreading further.
First, it validates stolen GitHub tokens against https://api.github.com/user.
With a working PAT, it creates a repository in the victim account and uploads encrypted JSON blobs under a results/ directory.
Privilege Escalation: 3 techniques
Stealth: 4 techniques
bw1.js is 9.7 MB of heavily obfuscated JavaScript processed through obfuscator.io. It contains a 43,436-entry string lookup table using a custom base64 alphabet, a seeded pseudo-random scramble table for the most sensitive strings (C2 domain, file paths), and six gzip-compressed payload blobs referenced by index.
First, it validates stolen GitHub tokens against https://api.github.com/user.
Defense Impairment: 1 technique
Credential Access: 8 techniques
looks for AWS credentials in ~/.aws/credentials... targets GCP credential storage in ~/.config/gcloud/credentials.db ... AWS, GCP, and Azure secrets
mcpAddon.js is designed to sweep development environments for high-value secrets, including GitHub tokens, npm tokens, AWS/Azure/GCP credentials, SSH keys, environment variables, and configuration files for Claude and other AI tools.
All extend a common $f base class with pattern-matching for ghp_*, gho_* (GitHub tokens), and npm_* (npm tokens)... Filesystem scanner... plausible targets include ~/.ssh/id_rsa, ~/.npmrc, ~/.aws/credentials...
The malicious payload collects CI secrets such as SSH keys or API tokens... plausible targets include ~/.ssh/id_rsa...
MITRE ATT&CK mapping ... Credential Access: T1552.001 / .004 / .007 (files, private keys, container/cloud API)
The filesystem sweep went after... SSH private keys, .git-credentials, .npmrc, .env files... AWS credential and config files... GCP credentials... Azure credentials... and a comprehensive pile of token files. | The shell collector explicitly ran gh auth token to grab the user's GitHub CLI token, then scanned process.env for anything matching ghp_[A-Za-z0-9]{36} ... or npm_[A-Za-z0-9]{36,} ...
stolen GitHub tokens were weaponized in-line: the payload used them to inject malicious workflows into victim repositories, giving the attacker a durable foothold and an automated path to spreading further.
It steals credentials from cloud providers, AI tool configurations, SSH keys, and git credentials... Linux targets: ~/.ssh/id_* SSH private keys ... ~/.aws/credentials AWS access keys ... ~/.config/gcloud/credentials.db Google Cloud credentials ... .git-credentials Git credentials
Discovery: 5 techniques
The payload runs three primary collectors: a filesystem collector, a shell and environment collector, and a GitHub Actions runner collector.
Filesystem scanner: walks OS-specific 'hotspot' paths... reading files up to 5 MB each... Windows targets are plaintext in the binary: ['.env', 'config.ini'].
Before performing any malicious activity, bw1.js runs a gauntlet of self-termination checks... System locale starts with ru... process.exit(0)... Not running in any CI/CD environment and daemonization fails... process.exit(0).
Collection: 3 techniques
Seven independent collectors run in parallel and feed a shared result store... Filesystem scanner... Shell and environment scanner... dumps the entire process.env object.
Command and Control: 2 techniques
Exfiltration: 2 techniques
The primary exfil channel was audit.checkmarx[.]cx/v1/telemetry, a domain that typosquats the real checkmarx.com and was designed to look like legitimate telemetry from a security tool. | If the primary endpoint is unreachable, the payload uses a stolen GitHub PAT to create a new public repository on the victim’s GitHub account... Encrypted results get committed as results/results-<timestamp>-<counter>.json batches...
IOCs tracked for this family
2 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
Recent activity
1 source tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.