Bitwarden CLI npm package compromised: developer secrets at risk

A malicious Bitwarden CLI version briefly hit npm, harvesting developer tokens and exfiltrating encrypted data via GitHub repos. Bitwarden says vault and end-user data weren’t accessed.
Developer tools are supposed to be the boring part of the software world—until the day an attacker sneaks a hand into the supply chain. Misryoum reports that the Bitwarden CLI npm package was briefly compromised.
The incident centers on a malicious npm release labeled 2026.4.0. Misryoum says it was available for a short window on April 22, 2026 (between 5:57 PM and 7:30 PM ET) before being removed. Bitwarden later confirmed the breach was limited to its npm distribution mechanism for the CLI and affected only users who downloaded the tainted version.
Bitwarden's own remediation messaging is specific: it reports no evidence that end-user vault data was accessed or at risk, and no signs that production systems or production data were compromised. Misryoum also notes that Bitwarden says it revoked compromised access, deprecated the affected npm release, and initiated remediation steps immediately. The key takeaway for developers is narrower than "your vault is compromised" but broader in operational impact: if your machine ran the malicious CLI package, your credentials may have been harvested.
What the malicious package actually did
Multiple incident reviews describe the compromise as a classic "trusted package, malicious execution" scenario. Misryoum reports the attackers embedded a credential-stealing payload into the CLI package lifecycle, leveraging npm install behavior so that both a preinstall step and the CLI entry point triggered additional code. In practice that means the payload had two chances to run: once when the package was installed, and again whenever the CLI itself was invoked.
According to reports, the package used an internal loader (named bw_setup.js) to check whether the Bun runtime was present. If Bun wasn't present, the loader downloaded it, then started an obfuscated script (bw1.js). Misryoum highlights the significance of this approach: shipping its own runtime increases the odds the payload runs successfully across developer workstations and CI/CD systems, where runtime assumptions can vary.
The malware reportedly collected a wide range of secrets from infected systems, including npm tokens, GitHub authentication tokens, SSH keys, and cloud credentials spanning AWS, Azure, and Google Cloud. Misryoum also notes that the stolen data was encrypted with AES-256-GCM before being exfiltrated, so the exfiltrated blobs are not directly readable by anyone who later finds them.
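The reported indicators (the affected version, a lifecycle hook such as preinstall, and the loader files bw_setup.js and bw1.js) are exactly what a developer or CI owner wants to sweep a checkout for. The following scanner is an added example written for this article, not code from Bitwarden or from the incident reports. It assumes the CLI's npm package name is @bitwarden/cli (the article does not name it) and builds a constructed sample node_modules tree so it runs offline; point it at a real node_modules directory to use it for triage.

```python
"""Sweep an npm install tree for the indicators reported for the malicious CLI release."""
import json
import sys
import tempfile
from pathlib import Path

# Indicators taken from the reporting. The package name is an assumption:
# the article does not state it, @bitwarden/cli is the CLI's published name.
AFFECTED_PACKAGE = "@bitwarden/cli"
AFFECTED_VERSIONS = {"2026.4.0"}
LOADER_FILES = {"bw_setup.js", "bw1.js"}
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def scan_node_modules(root):
    """Return a list of finding dicts for every package manifest under root."""
    root = Path(root)
    findings = []
    for manifest in root.rglob("package.json"):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or non-JSON manifest: skip, do not crash the sweep
        name, version, pkg_dir = data.get("name"), data.get("version"), manifest.parent
        base = {"package": name, "version": version, "path": str(pkg_dir)}

        if name == AFFECTED_PACKAGE and version in AFFECTED_VERSIONS:
            findings.append({**base, "indicator": "affected-version"})

        # Any package that runs code at install time deserves a look, not just this one.
        scripts = data.get("scripts") or {}
        hooks = {h: scripts[h] for h in LIFECYCLE_HOOKS if h in scripts}
        if hooks:
            findings.append({**base, "indicator": "lifecycle-script", "detail": hooks})

        # Look for the reported loader filenames inside this package only,
        # not inside packages nested under its own node_modules.
        present = sorted(
            str(p.relative_to(pkg_dir)) for p in pkg_dir.rglob("*")
            if p.name in LOADER_FILES and "node_modules" not in p.relative_to(pkg_dir).parts
        )
        if present:
            findings.append({**base, "indicator": "loader-file", "detail": present})
    return findings


def is_affected(findings):
    """True if the affected version itself was found anywhere in the tree."""
    return any(f["indicator"] == "affected-version" for f in findings)


def build_sample_tree():
    """Constructed sample tree: one benign package and one mimicking the reported
    indicators. This is placeholder data, not the real malicious package."""
    root = Path(tempfile.mkdtemp(prefix="nm-"))
    benign = root / "left-pad"
    benign.mkdir()
    (benign / "package.json").write_text(json.dumps(
        {"name": "left-pad", "version": "1.3.0", "scripts": {"test": "node test.js"}}))
    bad = root / "@bitwarden" / "cli"
    (bad / "build").mkdir(parents=True)
    (bad / "package.json").write_text(json.dumps({
        "name": AFFECTED_PACKAGE, "version": "2026.4.0",
        "bin": {"bw": "build/bw.js"},
        "scripts": {"preinstall": "node build/bw_setup.js"}}))
    (bad / "build" / "bw_setup.js").write_text("// placeholder standing in for the reported loader\n")
    return root


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for finding in scan_node_modules(target):
        print(json.dumps(finding))
    sys.exit(2 if is_affected(scan_node_modules(target)) else 0)
```

The lifecycle-script check will also flag legitimate packages that compile native code at install time, so treat that indicator as a review queue rather than a verdict; the affected-version and loader-file indicators are the ones that justify immediate credential rotation.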
How the data left the machine—and how it spread
Exfiltration reportedly happened by creating public GitHub repositories under the victim's account, with the encrypted data stored inside them. Misryoum points out that this is more than just "sending data out": it uses the victim's own authenticated identity to do the exporting, so the traffic looks like ordinary developer activity and can blur detection signals.
OX Security reports those repositories included a specific string: "Shai-Hulud: The Third Coming." Misryoum mentions this because it links the technique to earlier npm supply-chain incidents that used similar exfiltration markers, suggesting either shared tooling or a reused playbook.
The package also showed self-propagation features. Misryoum reports it could use stolen npm credentials to identify packages the victim was allowed to publish and then inject malicious code into those downstream targets. In other words, the blast radius wasn't only "what the attacker took"; it could include "what the attacker published afterward" under the victim's name.
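Both behaviours just described leave traces in systems the victim already controls: new public repositories under their GitHub account, and new versions of npm packages their token could publish. The triage below is an added example for this article, not code from Bitwarden, OX Security or the incident reports. It works on constructed sample data shaped like the JSON that `gh repo list --json name,description,isPrivate,createdAt` and `npm view <package> time --json` return, so it runs offline; the incident window is taken from the reporting above and converted from ET (EDT, UTC-4, in April) to UTC.

```python
"""Triage GitHub repos and npm publish times for the exfiltration and propagation patterns."""
from datetime import datetime, timezone

MARKER = "Shai-Hulud: The Third Coming"   # string reported by OX Security
# The malicious release went live April 22, 2026, 5:57 PM ET; ET is EDT (UTC-4) in April.
RELEASE_LIVE_UTC = datetime(2026, 4, 22, 21, 57, tzinfo=timezone.utc)


def parse_ts(value):
    """GitHub and npm emit RFC 3339 timestamps with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def triage_repos(repos, since=RELEASE_LIVE_UTC):
    """Flag repos that carry the reported marker, or that are public and were
    created after the malicious release went live. Returns [{name, reasons}]."""
    flagged = []
    for repo in repos:
        reasons = []
        text = f"{repo.get('name', '')} {repo.get('description') or ''}"
        if MARKER.lower() in text.lower():
            reasons.append("marker-string")
        if not repo.get("isPrivate", False) and parse_ts(repo["createdAt"]) >= since:
            reasons.append("public-repo-created-after-release")
        if reasons:
            flagged.append({"name": repo["name"], "reasons": reasons})
    return flagged


def suspicious_publishes(time_map, since=RELEASE_LIVE_UTC):
    """Given the `npm view <pkg> time --json` map, return versions published
    after the release went live, i.e. candidates for attacker-injected releases."""
    return sorted(
        version for version, ts in time_map.items()
        if version not in ("created", "modified") and parse_ts(ts) >= since
    )


# Constructed sample data (not real account data).
SAMPLE_REPOS = [
    {"name": "my-app", "description": "Internal service", "isPrivate": False,
     "createdAt": "2026-03-01T12:00:00Z"},
    {"name": "a1b2c3d4", "description": "Shai-Hulud: The Third Coming", "isPrivate": False,
     "createdAt": "2026-04-22T22:41:10Z"},
    {"name": "notes", "description": None, "isPrivate": True,
     "createdAt": "2026-04-23T10:00:00Z"},
    {"name": "hotfix", "description": "quick patch", "isPrivate": False,
     "createdAt": "2026-04-23T09:15:00Z"},
]
SAMPLE_NPM_TIMES = {
    "created": "2024-06-01T08:00:00Z",
    "modified": "2026-04-22T23:05:00Z",
    "1.0.0": "2024-06-01T08:00:00Z",
    "1.0.1": "2026-04-22T23:05:00Z",
}

if __name__ == "__main__":
    for hit in triage_repos(SAMPLE_REPOS):
        print("repo", hit["name"], ",".join(hit["reasons"]))
    print("publishes to review:", suspicious_publishes(SAMPLE_NPM_TIMES))
```

A public repository created after the window with no marker (like the constructed "hotfix" entry) is only a candidate for manual review, whereas the marker string is a strong indicator; the npm check is meant to be run for every package the compromised token could publish, not just the ones the victim remembers maintaining.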
Why this looks connected to a wider supply chain problem
Misryoum reports that the attack appears to have been driven by compromised CI/CD infrastructure. Current reporting suggests attackers used a compromised GitHub Action in Bitwarden's CI/CD pipeline to inject malicious code into the npm package before it reached users, which is why Bitwarden can describe the breach as limited to the npm distribution path rather than to its product or production systems.
The timing matters, too. Misryoum notes that this incident follows a separate supply chain disclosure involving Checkmarx, where KICS Docker images, GitHub Actions, and developer extensions were implicated. Bitwarden stated its incident was linked to that Checkmarx supply chain event, suggesting the compromised development tool enabled abuse of the npm delivery path for the CLI.
There are also reported overlaps at the malware and infrastructure level, including matching telemetry endpoints and shared obfuscation patterns. Misryoum reads these overlaps as an important warning for defenders: even when the affected brand is different (Bitwarden here, Checkmarx earlier), the underlying abuse chain may be part of one broader campaign.
The practical risk for developers (and what to do next)
For most readers, the most useful question isn't "was Bitwarden hacked?" It's "what did my environment do during install?" Misryoum emphasizes that Bitwarden's confirmation is limited to vault access, but the described secret theft means the safer assumption is that any credential readable on a machine that installed or ran the malicious version could be compromised.
Developers who installed the affected version should treat relevant secrets as at risk, especially anything tied to CI/CD pipelines, cloud accounts, and developer environments: npm tokens, GitHub tokens, SSH keys, and AWS, Azure, and Google Cloud credentials. Misryoum recommends rotating exposed credentials immediately and starting with tokens used by automation, because CI systems often have the highest leverage and the longest-lived access, and revoking the old token should come before or with the rotation so a stolen copy stops working.
This incident is also a reminder that supply chain attacks increasingly target the moment code becomes "trusted," not the moment it runs. npm lifecycle scripts, build pipelines, and developer tooling are where confidence is granted automatically. Misryoum expects future attacks to keep leaning into those trust seams.
Looking forward, the industry pressure will likely shift toward stricter verification and tighter CI/CD hygiene: pinning dependencies, auditing publish workflows, and monitoring npm release activity with faster revocation paths. Misryoum will be watching how Bitwarden and other toolmakers adapt, not just to patch a single package but to reduce the chance that one compromised pipeline step can reach so many developers in such a short time.
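For the install-time half of that trust seam there is a concrete control: npm runs lifecycle scripts by default, and a project or CI runner can turn that off. The fragment below is an added illustration for this article, not configuration from Bitwarden or from the reports; the first block is npm's default behaviour, the second is the hardened setting.

```ini
# Default: any dependency's preinstall/install/postinstall script runs during `npm install`
ignore-scripts=false

# Hardened .npmrc for developer machines and CI runners: no dependency code runs at install time.
# Packages that genuinely need a build step must then be rebuilt explicitly (`npm rebuild <pkg>`),
# which makes the list of packages allowed to execute code an explicit, reviewable decision.
ignore-scripts=true
```

The same effect for a single command is `npm ci --ignore-scripts`. Note the caveat the reporting makes plain: the payload was also wired into the CLI entry point, so this setting would have blocked the preinstall stage but not the code path triggered by running the CLI afterwards. It narrows the window; it does not replace pinning versions and checking what a new release actually contains.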