The Bitwarden CLI npm package (@bitwarden/cli) was briefly compromised on April 22, 2026, when attackers uploaded a malicious version 2026.4.0 that remained available for about 90 minutes. Threat actors exploited a compromised GitHub Action in Bitwarden's CI/CD pipeline to inject a credential-stealing payload. The malware collected npm tokens, GitHub auth tokens, SSH keys, and cloud credentials (AWS, Azure, GCP), then exfiltrated them via public GitHub repositories. It also had self-propagation capabilities, using stolen npm credentials to inject malicious code into other packages the victim could modify. The attack has been linked to threat actor TeamPCP and shares infrastructure with a concurrent Checkmarx supply chain breach. Bitwarden confirmed no vault data was compromised. Affected developers should rotate all credentials immediately.
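The first question for a developer reading this is whether the malicious release was ever installed. The following is an added example, not code from the report or from Bitwarden: a small Python checker that scans an npm `package-lock.json` (both the lockfileVersion 1 nested `dependencies` tree and the lockfileVersion 2/3 flat `packages` map) for any copy of `@bitwarden/cli`, including transitive copies nested under other packages, and flags the version named above. The sample lockfiles embedded in the block are constructed for illustration; the only real identifiers are the package name and the affected version 2026.4.0 from the report.

```python
"""Scan npm lockfiles for the compromised @bitwarden/cli release.

Added example (not from the original report). Handles package-lock.json
lockfileVersion 1 (nested "dependencies") and 2/3 (flat "packages" map).
"""
import json
from typing import List, Tuple

AFFECTED_PACKAGE = "@bitwarden/cli"
AFFECTED_VERSIONS = {"2026.4.0"}  # malicious version named in the report


def find_installed_versions(lock: dict, name: str) -> List[Tuple[str, str]]:
    """Return (install path, version) for every copy of `name` in the lock.

    lockfileVersion 2/3 lists every installed package under "packages",
    keyed by its node_modules path; lockfileVersion 1 nests transitive
    dependencies under each package's own "dependencies" object.
    """
    hits: List[Tuple[str, str]] = []

    packages = lock.get("packages")
    if isinstance(packages, dict):
        suffix = f"node_modules/{name}"
        for path, meta in packages.items():
            # e.g. "node_modules/@bitwarden/cli" or
            #      "node_modules/tool/node_modules/@bitwarden/cli"
            if path == suffix or path.endswith("/" + suffix):
                hits.append((path, str(meta.get("version", ""))))
        return hits

    def walk(deps: dict, prefix: str) -> None:
        for dep_name, meta in deps.items():
            path = f"{prefix}node_modules/{dep_name}"
            if dep_name == name:
                hits.append((path, str(meta.get("version", ""))))
            nested = meta.get("dependencies")
            if isinstance(nested, dict):
                walk(nested, path + "/")

    walk(lock.get("dependencies", {}) or {}, "")
    return hits


def affected_installs(lock: dict) -> List[Tuple[str, str]]:
    """Only the copies whose version is in AFFECTED_VERSIONS."""
    return [(p, v) for p, v in find_installed_versions(lock, AFFECTED_PACKAGE)
            if v in AFFECTED_VERSIONS]


def is_affected(lock: dict) -> bool:
    return bool(affected_installs(lock))


def check_lockfile(path: str) -> List[Tuple[str, str]]:
    """Load a package-lock.json from disk and return affected installs."""
    with open(path, "r", encoding="utf-8") as fh:
        return affected_installs(json.load(fh))


# Constructed sample lockfiles (not real project files).
SAMPLE_LOCK_V3 = {  # lockfileVersion 3: flat "packages" map
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/@bitwarden/cli": {"version": "2026.4.0"},
        "node_modules/left-pad": {"version": "1.3.0"},
    },
}

SAMPLE_LOCK_V1 = {  # lockfileVersion 1: nested "dependencies" tree,
    "lockfileVersion": 1,  # with the CLI pulled in transitively
    "dependencies": {
        "some-tool": {
            "version": "1.0.0",
            "dependencies": {"@bitwarden/cli": {"version": "2026.4.0"}},
        }
    },
}

SAMPLE_LOCK_CLEAN = {  # constructed version string, not a known-good release
    "lockfileVersion": 3,
    "packages": {"node_modules/@bitwarden/cli": {"version": "0.0.0-placeholder"}},
}

if __name__ == "__main__":
    for label, lock in (("v3", SAMPLE_LOCK_V3), ("v1", SAMPLE_LOCK_V1),
                        ("clean", SAMPLE_LOCK_CLEAN)):
        print(label, "affected:", affected_installs(lock))
```

Point `check_lockfile()` at each repository's lockfile, and run the same scan against any global install (`npm ls -g @bitwarden/cli` shows the version directly). A hit means the machine's npm, GitHub, SSH and cloud credentials fall under the rotation advice in the summary above, and CI runners that installed the package during the 90-minute window deserve the same treatment even if no lockfile recorded it.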