Bitwarden CLI Compromised in Supply Chain Attack via npm

Bitwarden CLI Compromised in Supply Chain Attack via npm

First seen 24 Apr 2026, 07:55 UTC ThehackernewsCybersecuritynewsBleepingcomputerItnews.AuHeise.De+13 85% similarity 74.0

Article Content

Browse articles
ThreatCluster

A malicious version of the Bitwarden CLI password manager was distributed via npm, affecting version 2026.4.0 for a brief window on April 22, 2026. The attack exploited a compromised GitHub Action in Bitwarden's CI/CD pipeline, allowing attackers to inject a credential-stealing payload named bw1.js. This malware targeted sensitive developer credentials, including GitHub tokens, AWS and Azure credentials, and SSH keys. Bitwarden confirmed that no end-user vault data was accessed, and production systems remained secure. The malicious package was available for 93 minutes before being removed, and affected users are advised to uninstall the compromised version and rotate their credentials. This incident is linked to a broader supply chain attack involving Checkmarx, which has been under scrutiny for multiple security breaches. The attack highlights the risks associated with CI/CD environments and the potential for widespread credential theft.

Key Points: • The Bitwarden CLI version 2026.4.0 was compromised for 93 minutes on April 22, 2026. • Malware injected via a compromised GitHub Action targeted sensitive developer credentials. • No end-user vault data was compromised, but affected users must rotate their credentials.

ThreatCluster AI

Timeline

2026-04-22
Malicious Bitwarden CLI version 2026.4.0 distributed via npm
2026-04-22
Malicious package removed after 93 minutes
2026-04-23
Bitwarden confirmed incident and advised users to take action

Community

Browse all →