
An ongoing software supply chain hacking spree has now affected Bitwarden, one of the most popular password managers, after hackers injected malware into its CLI tool. The company says vault data remains intact and that no regular users are affected, but some developers should be worried.
The same attackers who compromised Checkmarx's popular security tools with self-replicating malware have also found a way into Bitwarden’s NPM package.
They published a malware-laden version of Bitwarden CLI on the npm repository. Bitwarden CLI is a terminal tool for advanced users or system administrators to interact with the password manager programmatically.
The Bitwarden security team acknowledges that the incident took place between 5:57 p.m. and 7:30 p.m. (ET) on April 22nd, 2026, when the malicious package was distributed.
Users who downloaded the Bitwarden CLI version 2026.4.0 during the brief window are urged to treat their systems as compromised and to assume their credentials are exposed.
“Users who did not download the package from npm during that window were not affected. Bitwarden has completed a review of internal environments, release paths, and related systems, and no additional impacted products or environments have been identified at this time,” reads the security advisory Bitwarden posted on its community forum.
While over 10 million users use Bitwarden's open-source password manager, only 334 unlucky developers downloaded the malicious CLI tool, as noted by Eran Medan, Co-Founder and CTO at Arnica.
However, even a single compromised developer machine can be turned into another supply chain attack pivot point, warns StepSecurity.
The security firm says that the cyberattack stems from a compromised Bitwarden engineer's GitHub account.
“The attacker created a new branch in the bitwarden/clients repository, staged a prebuilt malicious tarball, and rewrote the publish-cli.yml workflow to exchange a GitHub Actions OIDC token for an npm auth token via the npm registry API. The workflow then used that token to publish the staged tarball directly to npm,” StepSecurity explained in a threat intel report.
The attackers deleted all workflow runs, the branch, and the release tag, leaving only the published npm package.
As in previous supply chain attacks, the compromised package silently delivers credential-stealing malware that targets SSH keys, tokens, AWS and GCP credentials, environment variables, and more. However, in this case, the malware for the first time also grabbed secrets from AI assistants, such as Claude Code, Codex CLI, and others.
Security teams urge affected users to uninstall the compromised npm package and check that no malicious files remain. More importantly, rotate all credentials on every machine and CI/CD pipeline where the package was installed, and check GitHub for malicious workflow injections and packages for potential compromise.
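The first step above, finding every machine and project where the affected version is present, can be scripted. The following is an added triage check, not Bitwarden's, StepSecurity's or npm's code: it walks a directory tree and reports the affected version wherever it is pinned in a package-lock.json (both the v1 nested layout and the v2/v3 flat layout) or installed under node_modules. The npm package name @bitwarden/cli is the CLI's real package name and 2026.4.0 is the version the advisory names; the fixture directory, its second project and the older version 2026.3.0 it contains are constructed for the demonstration.

```python
"""Triage scan for the affected Bitwarden CLI npm version (added example, not project code)."""
import json
import os
import tempfile

AFFECTED_PACKAGE = "@bitwarden/cli"   # the CLI's npm package name
AFFECTED_VERSION = "2026.4.0"         # version named in the advisory

# Directory suffix an installed copy of the package lives under.
INSTALL_SUFFIX = os.path.join("node_modules", *AFFECTED_PACKAGE.split("/"))


def lockfile_hits(path):
    """Return [(lockfile path, locator)] for every pin of the affected version."""
    hits = []
    try:
        with open(path, encoding="utf-8") as fh:
            lock = json.load(fh)
    except (OSError, json.JSONDecodeError):
        return hits
    if "packages" in lock:
        # lockfileVersion 2/3: flat map keyed by install path such as
        # "node_modules/@bitwarden/cli" or "node_modules/x/node_modules/@bitwarden/cli"
        for key, entry in lock["packages"].items():
            if key.endswith("node_modules/" + AFFECTED_PACKAGE) and entry.get("version") == AFFECTED_VERSION:
                hits.append((path, key))
        return hits

    # lockfileVersion 1: nested "dependencies" tree of objects
    def walk(deps, chain):
        for name, entry in deps.items():
            if name == AFFECTED_PACKAGE and entry.get("version") == AFFECTED_VERSION:
                hits.append((path, " > ".join(chain + [name])))
            walk(entry.get("dependencies", {}), chain + [name])

    walk(lock.get("dependencies", {}), [])
    return hits


def installed_version(pkg_dir):
    """Version string from an installed package's package.json, or None."""
    try:
        with open(os.path.join(pkg_dir, "package.json"), encoding="utf-8") as fh:
            return json.load(fh).get("version")
    except (OSError, json.JSONDecodeError):
        return None


def rel(root, path):
    """Root-relative path with forward slashes, for stable reporting."""
    return os.path.relpath(path, root).replace(os.sep, "/")


def scan(root):
    """Walk root; return sorted [(relative path, detail)] for affected-version hits."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        if "package-lock.json" in filenames:
            for lock_path, locator in lockfile_hits(os.path.join(dirpath, "package-lock.json")):
                findings.append((rel(root, lock_path), "lockfile pin at " + locator))
        if dirpath.endswith(INSTALL_SUFFIX) and installed_version(dirpath) == AFFECTED_VERSION:
            findings.append((rel(root, dirpath), "installed copy, version " + AFFECTED_VERSION))
            dirnames[:] = []  # no need to descend into the package itself
    return sorted(findings)


def build_fixture():
    """Constructed tree: one project with the affected version, one clean project."""
    root = tempfile.mkdtemp(prefix="bw-triage-")

    def write(relpath, data):
        full = os.path.join(root, *relpath.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            json.dump(data, fh)

    # Project A: lockfile v3 pins the affected version and it is installed.
    write("projA/package-lock.json", {"lockfileVersion": 3, "packages": {
        "": {"name": "proj-a"},
        "node_modules/@bitwarden/cli": {"version": AFFECTED_VERSION}}})
    write("projA/node_modules/@bitwarden/cli/package.json",
          {"name": AFFECTED_PACKAGE, "version": AFFECTED_VERSION})
    # Project B: lockfile v1 with an older, constructed, unaffected version.
    write("projB/package-lock.json", {"lockfileVersion": 1, "dependencies": {
        "@bitwarden/cli": {"version": "2026.3.0"}}})
    write("projB/node_modules/@bitwarden/cli/package.json",
          {"name": AFFECTED_PACKAGE, "version": "2026.3.0"})
    return root


if __name__ == "__main__":
    for path, detail in scan(build_fixture()):
        print(path, "-", detail)
```

Point scan() at a home directory, a CI runner's workspace, or the directory printed by `npm root -g` for global installs; a hit in a lockfile means the pin must be removed even if the package is not currently installed, since the next `npm ci` would bring it back.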
Attribution unclear
The Bitwarden CLI compromise is the third supply chain attack in three days. It is still unclear who is behind it. TeamPCP, a new and financially motivated threat group, previously claimed responsibility for the Checkmarx hack.
“The shared tooling strongly suggests a connection to the same malware ecosystem, but the operational signatures differ in ways that complicate attribution. The Checkmarx attack was claimed by TeamPCP via the @pcpcats social media account after discovery, and the malware itself attempted to blend in with legitimate-looking descriptions,” Socket writes in its advisory.
However, the researchers also noted differences: this time, the payload carries embedded ideological branding, from the Shai-Hulud repository names to the “Butlerian Jihad” manifesto and its anti-machine resistance messages.
“This suggests either a different operator using shared infrastructure, a splinter group with stronger ideological motivations, or an evolution in the campaign's public posture.”
Time to think about long-term hardening
The ongoing supply chain attacks require long-term controls and hardening to reduce potential blast radius, as they’re unlikely to stop in the future.
“How can you protect yourself from future attacks like this? Setting ‘min-release-age=7’ in ~/.npmrc (needs npm 11.10+) would have protected you. Same story for the malicious axios (@1.14.1 and @0.30.4, removed within ~3h), ua-parser-js (hours), and node-ipc (days),” said Medan on LinkedIn.
“It’s not a silver bullet – it wouldn’t have helped with event-stream (sat for 2+ months), but you can’t win them all.”
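The cooldown Medan describes works by excluding any version that has been on the registry for less than the configured number of days, so a package that is published and pulled within hours never becomes installable. The following is an added example that approximates that selection logic, not npm's implementation: given a package's registry metadata (the `time` map of version to publish timestamp and the `dist-tags` map), it returns the newest version old enough to install. The package name `example-cli`, its versions and all timestamps are constructed; 1.2.0 stands in for a version published the evening before resolution, and 1.0.0 for one that has sat on the registry for months, which a short cooldown cannot catch.

```python
"""Release-age cooldown resolution (added example approximating npm's min-release-age; not npm code)."""
from datetime import datetime, timedelta, timezone

# Constructed point in time at which an install is being resolved.
NOW = datetime(2026, 4, 23, 12, 0, tzinfo=timezone.utc)

# Constructed registry metadata ("packument") for a hypothetical package.
PACKUMENT = {
    "name": "example-cli",
    "dist-tags": {"latest": "1.2.0"},
    "time": {
        "created": "2026-01-05T09:00:00.000Z",
        "1.0.0": "2026-01-05T09:00:00.000Z",   # public for months by NOW
        "1.1.0": "2026-03-15T10:00:00.000Z",   # public for over a month
        "1.2.0": "2026-04-22T21:57:00.000Z",   # published the evening before NOW
        "modified": "2026-04-22T21:57:00.000Z",
    },
}


def parse_ts(value):
    """Registry timestamps are ISO 8601 with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def version_key(version):
    """Numeric sort key for dotted versions (no prerelease handling in this example)."""
    return tuple(int(part) for part in version.split("."))


def eligible_versions(packument, min_days, now=NOW):
    """Versions published at least min_days before now, oldest to newest."""
    cutoff = now - timedelta(days=min_days)
    eligible = [
        version
        for version, published in packument.get("time", {}).items()
        if version not in ("created", "modified") and parse_ts(published) <= cutoff
    ]
    return sorted(eligible, key=version_key)


def resolve(packument, min_days, now=NOW, tag="latest"):
    """Version to install: the dist-tag target if it is old enough, else the newest eligible version.

    Returns None when no version satisfies the cooldown.
    """
    wanted = packument.get("dist-tags", {}).get(tag)
    eligible = eligible_versions(packument, min_days, now)
    if wanted in eligible:
        return wanted
    return eligible[-1] if eligible else None


if __name__ == "__main__":
    for days in (0, 7, 60, 365):
        print(f"min-release-age={days}: resolves to {resolve(PACKUMENT, days)}")
```

With a seven-day cooldown the day-old 1.2.0 is skipped and 1.1.0 is chosen; with no cooldown 1.2.0 is chosen as published. The months-old 1.0.0 passes any cooldown shorter than its age, which is the event-stream case Medan concedes the setting would not have caught.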
Socket, a security firm, recommends locking down token scopes, requiring short-lived credentials where possible, restricting who can create or publish packages, hardening GitHub Actions permissions, disabling unnecessary artifact access, and monitoring for new public repositories or workflow changes created outside normal release processes.