Editorial

The Same Threat Actor Who Compromised LiteLLM Just Hit Bitwarden

RobertUpdated Apr 24, 20260 min read
Dark terminal-style blog feature image with a purple "threat actor · TeamPCP" badge. Top left shows the headline "The actor who hit LiteLLM just hit Bitwarden" with LiteLLM in red and Bitwarden in purple. Top right shows a TeamPCP actor profile card listing campaign span of 29 days, ecosystems PyPI and npm, method malicious_publish, and targets AI tooling and secrets management. Bottom section shows a three-panel timeline: the LiteLLM incident on 2026-03-24 marked confirmed, connected by a "same actor · 29d" label to the Bitwarden CLI incident on 2026-04-22 marked active, connected in turn to an attestd supply chain response panel showing compromised true, confidence 0.97, and sources osv, pypi, and manual.

The Same Threat Actor Who Compromised LiteLLM Just Hit Bitwarden#

On March 24, a threat actor known as TeamPCP published malicious versions of LiteLLM to PyPI. The packages were live for several hours, carrying a credential stealer that targeted API keys, cloud tokens, and environment secrets. We wrote about that attack when it happened and built Attestd's supply chain monitoring layer in direct response to it.

On April 22, the same threat actor compromised @bitwarden/cli version 2026.4.0 on npm. The malicious package was live for roughly 90 minutes before being pulled. The payload was the same credential theft framework. The C2 infrastructure was the same domain: audit.checkmarx.cx. The exfiltration pattern was the same.

This is not two separate incidents. It is one campaign that has been running since at least February, and Bitwarden is among the most widely used targets hit so far.

The campaign arc#

Security researchers at Socket, JFrog, and Mend have documented the full timeline:

  • February 2026: TeamPCP begins scanning GitHub for CI/CD pipelines with exploitable workflow permissions
  • March 19: Trivy (Aqua Security's vulnerability scanner) compromised via GitHub Actions. All 76 trivy-action tags hijacked.
  • March 23: Checkmarx KICS GitHub Action compromised. All 35 tags overwritten.
  • March 24: LiteLLM versions 1.82.7 and 1.82.8 published to PyPI with a credential stealer
  • April 21: Self-propagating npm worm via pgserve packages
  • April 22: Checkmarx KICS Docker images and VS Code extensions compromised in a second Checkmarx attack
  • April 22: @bitwarden/cli@2026.4.0 published to npm with the same payload framework, live for 90 minutes According to Socket's analysis, threat actors appear to have used a compromised GitHub Action inside Bitwarden's own CI/CD pipeline to inject malicious code into the CLI npm package. Socket observed overlapping indicators with the Checkmarx KICS compromise, suggesting the Checkmarx breach may have provided the initial foothold into Bitwarden's pipeline. Bitwarden's own statement confirmed the breach affected its npm distribution channel but did not detail the internal attack path.

Socket noted this appears to be among the first cases where a package was compromised via npm's trusted publishing mechanism, which was specifically designed to eliminate long-lived tokens as an attack vector.

What the Bitwarden payload targets and how it spreads#

The credential theft framework in @bitwarden/cli@2026.4.0 is more comprehensive than the LiteLLM attack. According to JFrog and Mend's analysis, it sweeps for SSH private keys, AWS credentials and SSM Parameter Store values, GCP credentials and Secret Manager secrets, Azure Key Vault secrets, GitHub tokens, npm auth tokens, shell history, .env files, GitHub Actions runner secrets, Claude Code authentication tokens (~/.claude.json), and MCP server configuration files (~/.claude/mcp.json, ~/.kiro/settings/mcp.json).

The stolen data is encrypted and exfiltrated to audit.checkmarx.cx, then committed to public GitHub repositories created under the victim's own account using harvested tokens. The repositories are named using Dune-universe vocabulary as staging points.

The payload also functions as a supply chain worm. If npm publish tokens are found on the compromised system, the malware identifies every package the victim can publish, injects itself, and republishes them with an incremented version number. Those newly infected packages execute the same process when installed. If PyPI credentials are present, the same propagation applies to Python packages via a .pth payload. A single compromised developer workstation becomes a distribution point for every package they maintain across both ecosystems.

What Attestd covers today#

Attestd's supply chain layer shipped on April 18, five days before the Bitwarden attack. The layer was built specifically in response to the LiteLLM incident.

litellm version 1.82.7 returns compromised: true in Attestd right now:

curl "https://api.attestd.io/v1/check?product=litellm&version=1.82.7" \
  -H "Authorization: Bearer YOUR_API_KEY"

{
  "product": "litellm",
  "version": "1.82.7",
  "supported": true,
  "risk_state": "none",
  "supply_chain": {
    "compromised": true,
    "sources": ["registry", "osv"],
    "malware_type": "backdoor",
    "description": "TeamPCP supply chain attack. Credential stealer in proxy_server.py",
    "advisory_url": "https://docs.litellm.ai/blog/security-update-march-2026",
    "compromised_at": "2026-03-24T10:39:00Z",
    "removed_at": "2026-03-24T16:00:00Z"
  }
}

The risk_state is none because there is no CVE for the LiteLLM compromise. The supply_chain.compromised is true because the package was a malicious publish. These are independent signals and you need both.

Bitwarden CLI is an npm package. Attestd monitors PyPI. The @bitwarden/cli package is outside Phase 1 scope. npm support is on the roadmap and this week is a clear reason why.

What to do if you installed @bitwarden/cli@2026.4.0#

Bitwarden has confirmed the affected window: 5:57 PM to 7:30 PM ET on April 22 2026. If you did not install or update the CLI during that window, you are not affected.

If you did install during that window, treat all credentials accessible from that environment as compromised. Rotate immediately:

  • GitHub tokens and npm auth tokens
  • AWS access keys and secrets
  • GCP credentials
  • Azure Key Vault secrets
  • SSH private keys
  • Any API keys in .env files
  • Claude Code tokens if ~/.claude.json was present Check GitHub for unexpected workflow files under .github/workflows/, unauthorised repository creation, and suspicious commits. The payload creates repositories named with Dune-universe vocabulary (fremen, sandworm, harkonnen, melange, etc.) as staging points.

Downgrade to @bitwarden/cli@2026.3.0 or use official signed binaries from Bitwarden's website directly.

The pattern#

TeamPCP's approach is consistent across every attack in this campaign. They identify developer tools that run in CI/CD pipelines and have broad access to secrets. They compromise the tool's own build pipeline to inject malicious code into a legitimate release. The malicious version carries the original package's metadata and branding, so it passes casual inspection. It executes on install without requiring any user interaction beyond npm install or pip install.

LiteLLM. Trivy. Checkmarx. Bitwarden. Each of these is a tool that developers trust deeply, often running with access to production credentials. That trust is the attack surface.

The credential theft payload is not changing much between attacks. The targeting is. TeamPCP is working through the list of tools that sit deepest in developer pipelines, and they are getting better at the CI/CD pivot technique with each iteration.

Supply chain monitoring#

Attestd monitors 26 PyPI packages for supply chain compromise. If any of them appear in your dependency graph with a known malicious publish, the /v1/check response will return supply_chain.compromised: true before you deploy.

The full monitored package list and integration guide is at attestd.io/docs/supply-chain.

Get an API key at api.attestd.io/portal/login. Free tier, 1,000 calls a month, no credit card required.