Itnews.Au
Bitwarden CLI Compromised in Supply Chain Attack via npm
Ask AI about this cluster
Analyzing cluster data...
Referenced clusters:
Something went wrong. Please try again.
Cluster AI
Ask questions about this threat cluster with AI-powered analysis.
Get Researcher $29.99/moArticle Content
A malicious version of the Bitwarden CLI password manager was distributed via npm, affecting version 2026.4.0 for a brief window on April 22, 2026. The attack exploited a compromised GitHub Action in Bitwarden's CI/CD pipeline, allowing attackers to inject a credential-stealing payload named bw1.js. This malware targeted sensitive developer credentials, including GitHub tokens, AWS and Azure credentials, and SSH keys. Bitwarden confirmed that no end-user vault data was accessed, and production systems remained secure. The malicious package was available for 93 minutes before being removed, and affected users are advised to uninstall the compromised version and rotate their credentials. This incident is linked to a broader supply chain attack involving Checkmarx, which has been under scrutiny for multiple security breaches. The attack highlights the risks associated with CI/CD environments and the potential for widespread credential theft.
Key Points: • The Bitwarden CLI version 2026.4.0 was compromised for 93 minutes on April 22, 2026. • Malware injected via a compromised GitHub Action targeted sensitive developer credentials. • No end-user vault data was compromised, but affected users must rotate their credentials.