GitGuardian analysis of the @bitwarden/cli compromise: GitHub used as C2, new Cloudflare exfiltration domain found, linked to April 22 Checkmarx KICS compromise via Dependabot.

GitGuardian Blog provides insights, tutorials, and updates on secrets management, code security, and developer best practices. Covering topics such as credential leaks, code scanning, and secure development workflows, GitGuardian Blog offers resources for developers, security professionals, and DevOps teams. Readers can learn about detecting and preventing secrets exposure, securing code repositories, and implementing secure coding practices through GitGuardian's articles and security guides.

GitGuardian

GitGuardian's analysis of the @bitwarden/cli npm package compromise reveals a sophisticated supply chain attack. The malware uses GitHub as a C2 channel, staging stolen PATs in public commit messages tagged with 'LongLiveTheResistanceAgainstMachines' and discovering exfiltration domains via 'beautifulcastle' commits. A new Cloudflare exfiltration domain was identified: safely-irc-weblogs-few[.]trycloudflare[.]com. One confirmed victim was compromised via the Checkmarx KICS Docker image, which was pulled automatically by Dependabot during a CI dependency update — giving the malware access to repository secrets. GitGuardian links this to the broader TeamPCP campaign and recommends applying cooldown periods to automated dependency updates.

GitGuardian Views on helloworm00

Initial access vector: KICS via Dependabot