At a glance: A malicious release of the Bitwarden CLI was published to npm in April 2026 as part of an expanding software supply chain campaign linked to earlier Checkmarx developer tooling compromises. The tampered package executed automatically during installation and focused on stealing credentials from developer and CI/CD environments, with potential downstream impact on source repositories, automation pipelines, and cloud infrastructure.
Threat summary
On April 22, Bitwarden disclosed that the official Bitwarden Command Line Interface (CLI) distributed through npm, Bitwarden CLI version 2026.4.0, was compromised as part of an ongoing software supply chain campaign.
According to Bitwarden, the incident was limited to the npm distribution channel for the CLI: the malicious code was introduced only at the point the package was built and published to the npm registry. It did not affect the Bitwarden CLI source code repository, prebuilt binaries, browser extensions, hosted services, or customer vault infrastructure. The malicious package was available for a limited window between 5:57 PM and 7:30 PM (ET), after which it was detected, deprecated, and removed.
Bitwarden stated there was no evidence that Bitwarden vault data, production systems, or other product distribution paths were accessed during the incident.
The Bitwarden CLI is commonly used by developers and automation systems to interact programmatically with Bitwarden vaults, including within Continuous Integration and Continuous Deployment (CI/CD) pipelines. Multiple analyses show the compromised package was designed to harvest credentials from developer and build environments, including GitHub and npm tokens, SSH keys, environment variables, shell history, and cloud service credentials.
This activity follows a supply chain incident disclosed by Checkmarx on March 23, in which threat actors compromised Checkmarx GitHub Actions workflows and OpenVSX developer plugins distributed through a third-party channel. Researchers assess that the Bitwarden CLI compromise represents a continuation of the same campaign, rather than an isolated attack, using similar infrastructure, credential theft tooling, and abuse of trusted build and publishing workflows.
Threat actors associated with this activity are assessed to align with the group tracked as TeamPCP, previously linked to the Shai-Hulud supply chain campaign. Across multiple incidents, the campaign has a consistent approach:
- Compromise automation paths instead of targeting end users directly
- Harvest credentials from developer and build systems
- Reuse those credentials to extend access into additional tools, repositories, and environments
By operating within trusted software delivery mechanisms, the campaign enables threat actors to bypass many traditional security controls.
Analysis
Any environment that installed Bitwarden CLI version 2026.4.0 during the affected window is potentially exposed to credential theft. Because those credentials are often reused across source control platforms, CI/CD pipelines, and cloud environments, a single compromised developer endpoint or build system can create downstream risk across multiple customer environments.
The campaign highlights how attacks against developer tooling can scale quickly through shared automation and trust relationships.
Risk reduction efforts include:
- Identifying any developer endpoints or automation systems that installed Bitwarden CLI version 2026.4.0 between 5:57 PM and 7:30 PM ET on April 22, 2026
- Rotating credentials accessible to those systems
- Reviewing GitHub repositories and Actions workflows for unauthorized changes
Bitwarden has stated that environments that did not download the affected version are not impacted.
This campaign reinforces the need for visibility into developer tooling and CI/CD usage across customer environments. Limiting token permissions, enforcing tighter controls around automated publishing workflows, and monitoring package installation events reduce the risk when a trusted distribution channel is abused.