By T.O. Mercer · April 22, 2026 · 7 min read
Bitwarden CLI Compromised: Supply Chain Attack Steals Developer Secrets
A compromised version of Bitwarden's official CLI package sat on npm stealing GitHub tokens, SSH keys, cloud credentials, and shell history from every developer who installed it. Your vault encryption is probably fine. Everything around it might not be.
- The affected package is @bitwarden/cli@2026.4.0. The malicious code was injected through a compromised GitHub Action in Bitwarden's CI/CD pipeline
- The attack steals GitHub/npm tokens, SSH keys, .env files, shell history, GitHub Actions secrets, and cloud credentials. It does not target Bitwarden vault data directly
- This is part of the broader TeamPCP/Checkmarx supply chain campaign that has also hit Trivy, LiteLLM, and Checkmarx KICS across npm, PyPI, and Docker Hub
- If you installed the affected version, assume all credentials accessible to that environment are compromised
Is the Bitwarden vault safe? Yes. The April 2026 CLI compromise targeted developer environment credentials (SSH keys, GitHub tokens, cloud secrets), but Bitwarden's zero-knowledge AES-256 vault encryption remains unbreached. The malicious npm package @bitwarden/cli@2026.4.0 stole credentials stored outside the vault, not vault contents.
The malicious version has been removed from npm, but if you installed @bitwarden/cli@2026.4.0 at any point, the credential theft already occurred. Rotate everything. Do not wait for Bitwarden's official incident report.
What happened
Security firm Socket discovered that @bitwarden/cli@2026.4.0, the official Bitwarden command-line interface package on npm, was compromised through a supply chain attack on Bitwarden's CI/CD pipeline. Malicious code was published in a file called bw1.js included in the package contents.
The attack exploited a compromised GitHub Action in Bitwarden's build pipeline, the same CI/CD attack vector used throughout the broader TeamPCP campaign that has been hitting open-source security tools since February 2026. TeamPCP previously compromised Trivy (Aqua Security's vulnerability scanner), Checkmarx's KICS GitHub Action and Docker images, and LiteLLM, and is linked to more than 66 malicious npm packages.
According to JFrog's analysis reported by The Hacker News, the rogue version of the Bitwarden CLI package performed credential exfiltration on every system that installed it:
- Stole GitHub and npm authentication tokens
- Exfiltrated .ssh directories (your SSH private keys)
- Read and transmitted .env files (environment variables containing API keys, database credentials, and service tokens)
- Captured shell history (every command you've typed, including any credentials passed as arguments)
- Harvested GitHub Actions secrets and cloud provider credentials (AWS, Azure, GCP)
- Exfiltrated the stolen data to private domains and as GitHub commits to attacker-controlled repositories
Is your Bitwarden vault safe?
Probably yes, but you need to understand the distinction.
Bitwarden's vault uses AES-256 encryption with a zero-knowledge architecture: a key derived from your master password decrypts the vault locally, and Bitwarden's servers never see your plaintext vault contents. Note the limit of that guarantee for a CLI: once you run bw unlock, the vault is decrypted on your machine by the same package that carried the payload, so a trojanized CLI could in principle read vault items. The analyses published so far report that this payload did not. The ETH Zurich research from February 2026 identified 12 theoretical attack vectors against Bitwarden's encryption, but none of them are relevant to this specific compromise.
This attack targeted the developer environment, not the vault. The malware harvested credentials that existed outside the vault: tokens in environment variables, SSH keys on disk, cloud credentials in config files. If you stored your Bitwarden master password or API key in a .env file or passed it as a shell argument (and many CI/CD scripts do exactly this), that specific credential is compromised and needs immediate rotation.
The distinction that matters: Bitwarden's vault encryption was not breached. Bitwarden's build pipeline was compromised, and the malware targeted every other credential on the system except the vault contents. The vault is the one thing that was properly encrypted. Everything around it was not.
The bigger picture: TeamPCP's supply chain campaign
This is not an isolated incident against Bitwarden. TeamPCP has been running a multi-month, multi-ecosystem campaign that has hit some of the most trusted names in developer security tooling.
The timeline:
- February 2026: TeamPCP's hackerbot-claw account begins scanning GitHub for exploitable CI/CD workflows
- March 19: Trivy (Aqua Security's vulnerability scanner) compromised. All 76 trivy-action tags hijacked. Credential stealer injected into every automated scan
- March 23: Checkmarx KICS GitHub Action compromised. All 35 tags overwritten. A new C2 domain (checkmarx[.]zone) deployed
- March 24: LiteLLM (popular LLM proxy library) compromised on PyPI. Malicious versions 1.82.7 and 1.82.8 published
- April 21: Malicious pgserve packages appear on npm with a self-propagating worm that jumps between npm and PyPI using stolen tokens
- April 22: Checkmarx KICS Docker images and VS Code extensions compromised (second Checkmarx attack). Bitwarden CLI compromised via the same GitHub Actions vector
The pattern is consistent: TeamPCP targets CI/CD pipelines at security companies, injects credential stealers into trusted packages, then uses the stolen tokens to propagate to downstream dependencies. Each compromised package becomes a vector for further compromise. Stolen npm tokens let the attackers publish malicious versions of every package the victim maintains.
I wrote about a similar supply chain failure at Lovable earlier this week, where a BOLA vulnerability exposed 8 million users' source code and database credentials. The common thread: the tools developers trust with their credentials are becoming the primary attack vector for stealing them.
What to do right now: 5 steps
Step 1: Check if you installed the compromised version
Run these in your terminal (the first checks the current project, the second checks global installs; grep -F makes the dots in the version match literally):
npm ls @bitwarden/cli 2>/dev/null | grep -F "@bitwarden/cli@2026.4.0"
npm ls -g @bitwarden/cli 2>/dev/null | grep -F "@bitwarden/cli@2026.4.0"
If either command prints a match, you installed the compromised version. Also check committed package-lock.json files, your CI/CD pipeline configurations, GitHub Actions workflows, and any Docker images that include the Bitwarden CLI.
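As an added example (this is not code from Socket, JFrog or Bitwarden), the Python below extends the one-liner to a whole checkout: it parses package.json and package-lock.json (both the v1 and the v2/v3 layouts), flags an installed copy of the package and the bw1.js payload file inside node_modules, and greps Dockerfiles, workflow YAML and shell scripts for the exact version spec. npm_ls_hits() takes the captured stdout of npm ls --json so global trees can be checked the same way. Every file demo() writes is a constructed sample; the bw1.js it creates is an empty stand-in, not the real payload.

```python
"""Scan a checkout for the compromised @bitwarden/cli release.

Added example, not tooling from Socket, JFrog or Bitwarden. The sample tree
built by demo() is constructed for illustration only.
"""
import json
import re
import tempfile
from pathlib import Path

BAD_PACKAGE = "@bitwarden/cli"
BAD_VERSION = "2026.4.0"
PAYLOAD_FILE = "bw1.js"
# Exact spec as it appears in "npm install @bitwarden/cli@2026.4.0"; re.escape
# keeps the dots literal so 2026.4.0 does not also match 2026x4y0.
BAD_SPEC_RE = re.compile(re.escape(f"{BAD_PACKAGE}@{BAD_VERSION}"))


def lockfile_versions(lock):
    """Every version of the package a package-lock.json resolves to.
    Handles the lockfileVersion 1 nested 'dependencies' tree and the
    v2/v3 'packages' map keyed by node_modules path."""
    found = set()
    for path, entry in lock.get("packages", {}).items():
        if path.endswith("node_modules/" + BAD_PACKAGE):
            found.add(entry.get("version"))

    def walk(deps):
        for name, entry in deps.items():
            if name == BAD_PACKAGE:
                found.add(entry.get("version"))
            walk(entry.get("dependencies", {}))

    walk(lock.get("dependencies", {}))
    return found


def npm_ls_hits(npm_ls_json):
    """True if captured `npm ls --json` (or `npm ls -g --json`) output has the
    bad version anywhere in its dependency tree."""
    def walk(deps):
        return any(
            (name == BAD_PACKAGE and entry.get("version") == BAD_VERSION)
            or walk(entry.get("dependencies", {}))
            for name, entry in deps.items()
        )
    return walk(json.loads(npm_ls_json).get("dependencies", {}))


def scan_tree(root):
    """Findings for every file under root that installs, pins or resolves the
    compromised version, or that is the payload file inside the package."""
    root = Path(root)
    findings = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if p.name == PAYLOAD_FILE and f"node_modules/{BAD_PACKAGE}" in rel:
            findings.append(f"{rel}: payload file present in installed package")
        elif p.name == "package-lock.json":
            if BAD_VERSION in lockfile_versions(json.loads(p.read_text())):
                findings.append(f"{rel}: lockfile resolves {BAD_PACKAGE} to {BAD_VERSION}")
        elif p.name == "package.json":
            data = json.loads(p.read_text())
            # The package's own manifest: this is an installed copy.
            if data.get("name") == BAD_PACKAGE and data.get("version") == BAD_VERSION:
                findings.append(f"{rel}: installed copy of {BAD_PACKAGE}@{BAD_VERSION}")
            deps = {}
            for key in ("dependencies", "devDependencies", "optionalDependencies"):
                deps.update(data.get(key, {}))
            if deps.get(BAD_PACKAGE) == BAD_VERSION:
                findings.append(f"{rel}: package.json pins {BAD_PACKAGE} to {BAD_VERSION}")
        elif p.name.startswith("Dockerfile") or p.suffix in (".yml", ".yaml", ".sh"):
            for lineno, line in enumerate(p.read_text().splitlines(), 1):
                if BAD_SPEC_RE.search(line):
                    findings.append(f"{rel}:{lineno}: {line.strip()}")
    return findings


def demo():
    """Build a constructed sample checkout and scan it; returns the findings."""
    root = Path(tempfile.mkdtemp(prefix="bw-scan-"))
    (root / "package.json").write_text(json.dumps({
        "name": "sample-app",
        "devDependencies": {BAD_PACKAGE: "^2026.3.0"},  # a range, not a pin
    }))
    (root / "package-lock.json").write_text(json.dumps({
        "lockfileVersion": 3,
        "packages": {"node_modules/@bitwarden/cli": {"version": BAD_VERSION}},
    }))
    pkg = root / "node_modules" / "@bitwarden" / "cli"
    pkg.mkdir(parents=True)
    (pkg / "package.json").write_text(json.dumps({"name": BAD_PACKAGE, "version": BAD_VERSION}))
    (pkg / PAYLOAD_FILE).write_text("// constructed stand-in, not the real payload\n")
    (root / "Dockerfile").write_text("FROM node:20\nRUN npm install -g @bitwarden/cli@2026.4.0\n")
    wf = root / ".github" / "workflows"
    wf.mkdir(parents=True)
    (wf / "deploy.yml").write_text("steps:\n  - run: npm i -g @bitwarden/cli@2026.3.1\n")
    return scan_tree(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run scan_tree() against each repository root and against the directory that npm root -g prints. The Dockerfile and workflow grep is deliberately exact-match, so a range like ^2026.3.0 in package.json is only caught through the version the lockfile resolved it to, which is why the lockfile check matters.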
Step 2: Rotate all exposed credentials immediately
Assume everything accessible to the compromised environment has been exfiltrated:
- GitHub tokens: Revoke and regenerate at github.com/settings/tokens
- npm tokens: Revoke at npmjs.com/settings/tokens. If you publish npm packages, check that no unauthorized versions were released
- SSH keys: Generate new key pairs and update them everywhere (GitHub, servers, cloud providers)
- Cloud credentials: Rotate AWS access keys, Azure service principals, GCP service account keys
- .env secrets: Rotate every API key, database password, and service token referenced in your .env files
- Bitwarden API key: If your Bitwarden API key was stored in an environment variable, rotate it in your Bitwarden account settings
Step 3: Change your Bitwarden master password
If you used the Bitwarden CLI in any automated script that passed your master password as an argument or environment variable, change your master password now. Use our password generator to create a new one: 20+ characters, fully random. Then store the recovery information in a separate, encrypted location.
If you only use the Bitwarden browser extension or desktop app (not the CLI), your master password was not exposed through this specific attack.
Step 4: Audit for unauthorized access
- Check your GitHub account for repositories you didn't create (TeamPCP creates repos named in the pattern word-word-3digits with "Checkmarx Configuration Storage" in the README)
- Review your npm account for packages published without your authorization
- Search your DNS and proxy logs for outbound connections to the C2 domains listed under Technical indicators below
- Review GitHub Actions workflow run history for unexpected artifacts or workflow files
Step 5: Pin your dependencies
Stop installing packages by version range. Pin every dependency to an exact version, commit the lockfile, and install with npm ci so a lockfile whose integrity hashes no longer match fails the build instead of silently resolving something new. For GitHub Actions, pin to specific commit SHAs instead of tags. Tags can be moved to different content (as TeamPCP demonstrated with Trivy and Checkmarx). A commit SHA cannot.
# Instead of this:
- uses: bitwarden/cli-action@v2
# Do this:
- uses: bitwarden/cli-action@a1b2c3d4e5f6 # placeholder: use the full 40-character commit SHA you verified
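Here is an added example (not Bitwarden's or GitHub's tooling) of the checks behind Step 5 in Python: it flags uses: lines not pinned to a full 40-character commit SHA (an abbreviated SHA like the placeholder above gets its own reason, since short hashes are not unique), package.json specs that are ranges or dist-tags rather than exact versions, and package-lock.json entries that carry no integrity hash. The workflow, manifest and lockfile it inspects are constructed samples, and the 40-hex SHA in the workflow is made up for illustration.

```python
"""Find floating references that tag hijacks and range resolution can exploit.

Added example, not tooling from Bitwarden, GitHub or npm. The workflow,
package.json and lockfile below are constructed samples.
"""
import re

# "- uses: owner/repo@ref" with optional quotes; ref stops at space, quote or '#'
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^@'\"\s]+)@([^\s'\"#]+)")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")
SHORT_SHA_RE = re.compile(r"[0-9a-f]{7,39}")  # an all-hex tag such as 1234567 would also land here
# Exact semver with optional prerelease/build metadata, e.g. 2026.4.0 or 1.2.3-rc.1
EXACT_SEMVER_RE = re.compile(r"\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?")


def classify_ref(ref):
    """None for a full 40-hex SHA; otherwise the reason the ref is mutable."""
    if FULL_SHA_RE.fullmatch(ref):
        return None
    if SHORT_SHA_RE.fullmatch(ref):
        return "abbreviated SHA"  # not guaranteed unique; pin the full SHA
    return "tag or branch"  # can be re-pointed at a different commit later


def unpinned_actions(workflow_yaml):
    """(line, action, ref, reason) for each mutable `uses:` reference.
    Local ./path actions carry no @ref and never match the regex;
    docker:// images are skipped explicitly."""
    hits = []
    for lineno, line in enumerate(workflow_yaml.splitlines(), 1):
        m = USES_RE.match(line)
        if not m or m.group(1).startswith("docker://"):
            continue
        reason = classify_ref(m.group(2))
        if reason:
            hits.append((lineno, m.group(1), m.group(2), reason))
    return hits


def floating_npm_deps(package_json):
    """(field, name, spec) for every dependency whose spec is not one exact version."""
    out = []
    for field in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in package_json.get(field, {}).items():
            if not EXACT_SEMVER_RE.fullmatch(spec):
                out.append((field, name, spec))
    return out


def lockfile_missing_integrity(lock):
    """node_modules paths in a v2/v3 lockfile that have no integrity hash.
    The root entry ("") and workspace links never carry one and are skipped."""
    return [
        path for path, entry in lock.get("packages", {}).items()
        if path and not entry.get("link") and "integrity" not in entry
    ]


SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: bitwarden/cli-action@a1b2c3d4e5f6 # abbreviated, not a full SHA
      - uses: ./.github/actions/local-step
      - uses: "aquasecurity/trivy-action@master"
      - uses: docker://alpine:3.19
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # constructed SHA
"""

SAMPLE_PACKAGE_JSON = {
    "name": "sample-app",
    "dependencies": {"@bitwarden/cli": "^2026.4.0", "some-lib": "1.2.3"},
    "devDependencies": {"other-lib": "latest", "third-lib": "~0.9.1"},
}

SAMPLE_LOCKFILE = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "sample-app"},
        "node_modules/some-lib": {"version": "1.2.3", "integrity": "sha512-CONSTRUCTED"},
        "node_modules/third-lib": {"version": "0.9.1"},  # no integrity field
        "packages/shared": {"link": True, "resolved": "../shared"},
    },
}


def audit():
    """Run all three checks over the constructed samples."""
    return {
        "actions": unpinned_actions(SAMPLE_WORKFLOW),
        "npm": floating_npm_deps(SAMPLE_PACKAGE_JSON),
        "lock": lockfile_missing_integrity(SAMPLE_LOCKFILE),
    }


if __name__ == "__main__":
    for section, rows in audit().items():
        print(section)
        for row in rows:
            print("  ", row)
```

Wire unpinned_actions() over .github/workflows/*.yml into CI so a pull request that reintroduces a tag reference fails review. A SHA-pinned line should still carry a version comment (the # v2.1.0 style) so reviewers can tell which release the hash corresponds to.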
Bitwarden's pricing just changed, too
This compromise lands at an awkward time for Bitwarden. The company recently raised its Premium pricing from $10/year to $48/year, a 380% increase. Its Families plan went from $40/year to $96/year. The free tier remains functional but increasingly limited. If you're reevaluating your password manager after this incident, our best password managers comparison covers the security architecture, pricing, and breach history of all seven major options.
Why supply chain attacks keep hitting password tools
This is the third major security event involving Bitwarden in 2026, following the ETH Zurich vault encryption research (12 demonstrated attacks) and now a build pipeline compromise. LastPass had its own breach cascade in 2022-2023 that's still generating lawsuits and settlements. Dashlane patched downgrade vulnerabilities after the same ETH Zurich research.
Password managers are high-value targets precisely because they aggregate credentials. A successful attack on a password manager's distribution pipeline reaches millions of users who have concentrated their entire credential portfolio in one tool. The TeamPCP campaign specifically targets security tools because compromising a security tool gives attackers access to every secret that tool was designed to protect.
When I analyzed 50,000 breached passwords, the finding that mattered most was that 73% followed predictable patterns. Supply chain attacks bypass password strength entirely. It doesn't matter if your password is 32 random characters when the tool that manages it ships a credential stealer in its build pipeline.
The defense is layered: use a password manager (the vault encryption still works), but don't store credentials in plaintext .env files, don't pass secrets as shell arguments, pin your dependencies to verified commits, and treat every package update as a potential attack vector until proven otherwise.
Test any passwords you're concerned about with our password strength checker, and generate replacements with our password generator for anything that needs rotation after this incident.
Your developer credentials need a vault that doesn't depend on a build pipeline
The Bitwarden CLI compromise exposed every credential on the system except the ones inside an encrypted vault. That's the argument for storing API keys, SSH passphrases, cloud tokens, and service credentials in a dedicated password manager, not in .env files, not in shell history, and not in CI/CD environment variables. NordPass offers zero-knowledge XChaCha20 encryption with no CLI package dependency in its consumer product.
Try NordPass Free (affiliate link: we earn a small commission if you upgrade, at no cost to you).
Technical indicators (IOCs)
If you're running incident response on this compromise, these are the indicators to check against your logs and environments:
- Malicious package: @bitwarden/cli@2026.4.0
- Payload file: bw1.js (included in package contents)
- Attack vector: Compromised GitHub Action in Bitwarden's CI/CD pipeline
- Campaign attribution: TeamPCP (same group behind Trivy, Checkmarx KICS, and LiteLLM compromises)
- Known C2 domains: checkmarx[.]zone, scan.aquasecurtiy[.]org (the misspelling of aquasecurity is the attacker's own lookalike, not a transcription error), audit.checkmarx[.]cx
- Exfiltration method: Data sent to private domains and committed to attacker-controlled GitHub repositories
- Repo naming pattern: Attacker-created repos follow the word-word-3digits format with README text "Checkmarx Configuration Storage"
- Related compromises: Checkmarx KICS Docker images (v2.1.20, v2.1.21, alpine, latest), VS Code extensions (cx-dev-assist v1.17.0/v1.19.0, ast-results v2.63.0/v2.66.0)
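For Step 4 and the IOC list above, an added example (not Socket's, JFrog's or Checkmarx's tooling) that turns the indicators into matching code: it refangs the C2 domains, matches them or any subdomain of them in log lines, and flags repositories whose name fits word-word-3digits and whose README carries the "Checkmarx Configuration Storage" marker. The log lines and repo entries are constructed samples.

```python
"""Match this page's IOCs against log lines and GitHub repository listings.

Added example, not tooling from Socket, JFrog or Checkmarx. SAMPLE_LOGS and
SAMPLE_REPOS are constructed for illustration.
"""
import re

# Defanged exactly as published above; refang() turns "[.]" back into "."
C2_DOMAINS_DEFANGED = ["checkmarx[.]zone", "scan.aquasecurtiy[.]org", "audit.checkmarx[.]cx"]


def refang(indicator):
    return indicator.replace("[.]", ".")


C2_DOMAINS = [refang(d) for d in C2_DOMAINS_DEFANGED]
# A C2 domain or any subdomain of it, as a whole hostname: nothing word-like
# directly before it (so notcheckmarx.zone is not a hit) and no further label
# after it (so checkmarx.zone.example.com is not a hit), while the trailing
# dot a DNS log writes after an FQDN is tolerated.
C2_RE = re.compile(
    r"(?<![\w.-])(?:[\w-]+\.)*(?:"
    + "|".join(re.escape(d) for d in C2_DOMAINS)
    + r")(?![\w-]|\.[\w-])",
    re.IGNORECASE,
)
REPO_NAME_RE = re.compile(r"[a-z]+-[a-z]+-\d{3}")
README_MARKER = "Checkmarx Configuration Storage"


def c2_hits(log_lines):
    """(line number, matched hostname) for each line that touches a C2 domain."""
    hits = []
    for lineno, line in enumerate(log_lines, 1):
        m = C2_RE.search(line)
        if m:
            hits.append((lineno, m.group(0).lower()))
    return hits


def suspicious_repos(repos):
    """Names from (name, readme_text) pairs that match both the naming pattern
    and the README marker. Either signal alone is weak: the name pattern also
    fits ordinary repositories, so both are required."""
    return [
        name for name, readme in repos
        if REPO_NAME_RE.fullmatch(name) and README_MARKER in (readme or "")
    ]


SAMPLE_LOGS = [  # constructed resolver and proxy lines
    "2026-04-22T10:01:07Z dns A scan.aquasecurtiy.org. client=10.0.4.17",
    "2026-04-22T10:01:09Z proxy CONNECT audit.checkmarx.cx:443 user=ci-runner",
    "2026-04-22T10:02:11Z dns A registry.npmjs.org. client=10.0.4.17",
    "2026-04-22T10:03:45Z proxy GET https://api.checkmarx.zone/upload status=200",
    "2026-04-22T10:04:00Z dns A notcheckmarx.zone. client=10.0.4.18",
]

SAMPLE_REPOS = [  # constructed (name, README text) pairs
    ("alpha-bravo-123", "# Checkmarx Configuration Storage\n"),
    ("my-project", "# Checkmarx Configuration Storage\n"),
    ("delta-echo-777", "Build scripts for the demo app\n"),
    ("zulu-yankee-42", "# Checkmarx Configuration Storage\n"),
]


def demo():
    return c2_hits(SAMPLE_LOGS), suspicious_repos(SAMPLE_REPOS)


if __name__ == "__main__":
    hits, repos = demo()
    for lineno, host in hits:
        print(f"C2 contact on line {lineno}: {host}")
    for name in repos:
        print(f"suspicious repo: {name}")
```

Feed c2_hits() your DNS resolver and proxy logs line by line; suspicious_repos() takes (name, README text) pairs you assemble from the GitHub API for every repository on the accounts whose tokens were exposed.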
Sources: Socket security advisory, The Hacker News, Checkmarx KICS analysis.