The Peril of Entrypoint Rewiring: A Deep Dive into the @bitwarden/cli Hijacking Incident

A sophisticated attack targeting software supply chain security has recently been discovered, sending shockwaves through the developer community. According to a report from JFfrog Security Research, malicious code was found in version 2026.4.0 of the npm package @bitward[.]rden/cli, which impersonates the Command Line Interface (CLI) of the well-known password management tool, Bitwarden.

What makes this incident particularly alarming is that it goes far beyond mere "typosquatting"—the practice of creating similar-looking package names. The attackers cleverly "rewired" the package's execution path, known as the "entrypoint," while maintaining the legitimate Bitwarden metadata. This represents a textbook example of a highly sophisticated supply chain attack, where developers inadvertently introduce malicious code into their environments while attempting to update or install familiar tools.

Analyzing the Invisible Penetration Mechanism: Entrypoint Rewiring

The core technology behind this attack lies in "entrypoint rewiring," which involves manipulating the package's preinstall scripts and the execution point of the bw binary. JFrog's analysis revealed that instead of the legitimate CLI, the attackers modified the package configuration to execute a custom loader called bw_setup.js.

Specifically, the malicious package sets the preinstall field within package.json to node bw_setup.js and modifies the bw command in the bin section to also point to bw_setup.js. Consequently, the malicious loader triggers both when a user installs the package via npm (preinstall) and when they attempt to run the actual tool using the command line (bw).

The operational logic of this loader is remarkably meticulous. bw_setup.js first checks if the 'Bun' runtime is installed on the system. If it is not, the script downloads the Bun runtime directly from GitHub (the attackers utilized github.com/oven-sh/bun as a source) to establish an execution environment. Once set up, it executes a large, obfuscated JavaScript payload. This high-level evasion technique exploits a legitimate open-source project (Bun) as a tool for environment setup to bypass detection by security solutions.

Widespread Data Exfiltration and the Dual-Channel Strategy

The attackers' targets extend far beyond simple personal information. An analysis of the de-obfuscated payload revealed that the attackers aimed for nearly every critical credential extractable from a developer's workstation or CI/CD environment. Targeted data included GitHub and npm tokens, SSH keys, shell history, and secrets for cloud services such as AWS, GCP, and Azure—even extending to GitHub Actions secrets and AI tool configuration files.

The attackers employed a dual-channel strategy for exfiltrating this data:

1. Primary Channel: Stolen data is transmitted in an encrypted telemetry format to the audit.checkmarx.cx/v1/telemetry server. The JFrog research team confirmed this server as the primary destination for the attackers.
2. Fallback (Backup) Channel: To prepare for instances where the primary channel might be blocked, the attackers utilized GitHub as a backup route. Based on data received through public commit messages, the attackers would create new repositories in the victim's account and upload stolen data chunks (encrypted blobs) to those repositories.

Interestingly, a "Dune" theme was discovered within this process. The attackers used repository descriptions such as Shai-Hulud: The Third Coming and utilized terms from the novel Dune—such as sardaukar, fremen, atreides, and sandworm—for their randomly generated repository names. This suggests a potential link between this attack and the 'TeamPCP' campaign or other existing threat groups with similar thematic signatures.

Mitigation Strategies for Security Professionals and Developers

The @bitwarden/cli hijacking incident serves as a stark reminder of how vulnerable our trusted package management ecosystem can be. We need a new approach to security that goes beyond simple version checking to verify the integrity of the execution environment itself.

First, heightened vigilance regarding npm script execution is essential. It is a major red flag when a package installation triggers external network connections or file downloads during preinstall or postinstall phases. In CI/CD pipelines, you should implement policies to restrict the automatic execution of such scripts or monitor for suspicious behaviors.

Second, monitoring for entrypoint tampering is necessary. Even if a package's metadata (version, author, etc.) appears legitimate, a static analysis process should be implemented to check if the bin execution path has changed from its original state. In particular, loader patterns that dynamically build runtime environments must be prioritized for detection.

Third, strict adherence to the Principle of Least Privilege is critical. Cloud credentials and high-privilege tokens should never be stored directly on developer workstations or within CI/CD environments. To prevent stolen tokens from leading to total infrastructure compromise, the use of short-lived credentials should become standard practice.

In conclusion, supply chain attacks are evolving into increasingly "invisible" threats. The key to future security will lie in monitoring not just the outward appearance of a package, but its internal execution flow and network behavior.