Attackers published a malicious command-line version of the popular open-source password manager to the npm registry and may be behind a spate of recent supply chain attacks.

CSO Online offers insights into cybersecurity, risk management, and IT leadership, providing articles, reports, and expert analysis to help security professionals navigate the evolving threat landscape and protect their organizations from cyber attacks. By exploring CSO Online's curated content, CISOs, security managers, and IT executives can learn about threat intelligence, security frameworks, and incident response strategies for building resilient cybersecurity programs. Whether you're defending against ransomware, phishing attacks, or insider threats, CSO Online offers resources to strengthen your security posture and safeguard your digital assets.

CSO Online

A malicious version of Bitwarden CLI (v2026.4.0) was published to the npm registry after attackers compromised a GitHub Action in Bitwarden's CI/CD pipeline. The trojanized package was live for roughly 1.5 hours before being removed. It contained a custom loader that harvested a wide range of developer and cloud credentials — including GitHub tokens, npm tokens, AWS/GCP keys, SSH keys, and AI agent API keys — and actively weaponized found GitHub tokens to escalate access and extract secrets from CI/CD workflows. The attack is attributed to a group called TeamPCP, linked to recent supply chain compromises of Checkmarx KICS and the Trivy scanner. Affected users should rotate all developer and cloud credentials immediately and follow a detailed remediation checklist.

Bitwarden CLI password manager trojanized in supply chain attack

<p>AI has amplified the power of malware attacks.</p>
