
A serious supply chain attack has compromised the Bitwarden command-line interface (CLI), with attackers injecting malicious code into an official npm package. The incident is part of a broader ongoing campaign linked to the Checkmarx supply chain attacks, which have targeted multiple developer tools and ecosystems.
The affected version, identified as @bitwarden/cli@2026.4.0, contained a malicious file named bw1.js. This code was introduced after attackers exploited a GitHub Actions workflow within Bitwarden’s CI/CD pipeline, allowing them to tamper with the build process and distribute a compromised package through official channels.
Once installed, the malicious package acted as a credential-stealing tool, targeting sensitive developer data such as GitHub and npm tokens, SSH keys, environment variables, and cloud credentials. The malware could encrypt the stolen data and exfiltrate it to attacker-controlled domains, significantly increasing the risk of further compromise across development environments.
Security researchers also found that the attack could escalate into a wider supply chain breach. If GitHub tokens were captured, attackers could inject malicious workflows into repositories, extract CI/CD secrets, and propagate the attack across multiple projects. This capability makes even a single compromised developer system a potential entry point for large-scale organizational breaches.
The malicious package was available for a limited window on April 22, 2026, before Bitwarden identified and contained the issue. The company revoked compromised access, removed the affected release, and initiated remediation steps. Importantly, Bitwarden confirmed that there is no evidence that user vault data, production systems, or the core codebase were compromised.
The incident highlights the growing threat of supply chain attacks targeting trusted development tools. As attackers increasingly exploit CI/CD pipelines and open-source ecosystems, organizations are being urged to audit dependencies, monitor build systems, and rotate any potentially exposed credentials to mitigate risks.
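A first step in the dependency audit urged above is checking whether the compromised release ever reached a project. The following Python script is an added example, not Bitwarden's or any researcher's code: it scans an npm lockfile for @bitwarden/cli pinned at 2026.4.0 (both the v1 and the v2/v3 lockfile layouts) and walks an install tree for the bw1.js file named earlier. It assumes the file sits somewhere under the package's own directory, which the article does not specify, and the sample lockfile is constructed.

```python
import json
import os

# Indicators quoted in the article: the affected release and the malicious file name.
AFFECTED_PACKAGE = "@bitwarden/cli"
AFFECTED_VERSION = "2026.4.0"
MALICIOUS_FILE = "bw1.js"

def affected_lockfile_entries(lock_text: str) -> list[str]:
    """Lockfile entries pinning @bitwarden/cli to the compromised version.
    Handles npm lockfile v2/v3 ("packages" by install path) and v1 (nested "dependencies")."""
    lock = json.loads(lock_text)
    hits: list[str] = []
    packages = lock.get("packages")
    if packages is not None:  # lockfileVersion 2 or 3
        for path, meta in packages.items():
            if path.endswith("node_modules/" + AFFECTED_PACKAGE) and meta.get("version") == AFFECTED_VERSION:
                hits.append(path)
        return hits

    def walk(deps: dict, prefix: str) -> None:  # lockfileVersion 1: recurse the nested tree
        for name, meta in deps.items():
            if name == AFFECTED_PACKAGE and meta.get("version") == AFFECTED_VERSION:
                hits.append(prefix + name)
            walk(meta.get("dependencies", {}), prefix + name + "/")

    walk(lock.get("dependencies", {}), "")
    return hits

def is_suspicious_path(relpath: str) -> bool:
    """True for a bw1.js anywhere under an installed @bitwarden/cli directory.
    Assumption: the article names the file but not where inside the package it sat."""
    parts = relpath.replace(os.sep, "/").split("/")
    return parts[-1] == MALICIOUS_FILE and f"/{AFFECTED_PACKAGE}/" in "/" + "/".join(parts[:-1]) + "/"

def scan_install_tree(root: str) -> list[str]:
    """Walk a project or node_modules tree and return relative paths of suspicious files."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            if is_suspicious_path(rel):
                found.append(rel)
    return sorted(found)

# Constructed sample lockfile (v3 layout) so the script demonstrates itself offline.
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"dependencies": {"@bitwarden/cli": "^2026.4.0"}},
    "node_modules/@bitwarden/cli": {"version": "2026.4.0"},
    "node_modules/semver": {"version": "7.6.0"}}})
```

Run `affected_lockfile_entries` over a real package-lock.json and `scan_install_tree` over the project root; a hit in either means the credentials listed above should be treated as exposed and rotated.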
