Bitwarden CLI — npm supply-chain compromise (downstream of Checkmarx)

Malicious @bitwarden/cli 2026.4.0 published to npm for ~90 minutes; payload harvested CI secrets; root cause was a compromised Checkmarx GitHub Action.

Target
Bitwarden CLI — npm supply-chain compromise (downstream of Checkmarx)
Date public
22 April 2026
Sector
Technology
Attack type
Supply Chain
Threat actor
TeamPCP (Shai-Hulud campaign cluster)
Severity
High

On 22 April 2026, a malicious version 2026.4.0 of the npm package @bitwarden/cli was published to the npm registry and remained available for approximately 90 minutes — between 5:57pm and 7:30pm Eastern Time — before being pulled. Bitwarden estimates roughly 334 downloads of the trojanised package took place in that window. The CLI source code itself was not modified; the malicious payload was injected into the npm packaging step.

The root cause sits one layer up the supply chain. Bitwarden’s GitHub-hosted CI/CD workflow used checkmarx/ast-github-action, which had been compromised on 23 March 2026 in the broader TeamPCP supply-chain campaign that also affected Checkmarx’s KICS plugin and other artifacts. The compromised Action was the entry point that allowed the attacker to alter the npm publication step without touching Bitwarden’s source repository or any vault infrastructure. End-user vault data was not affected, according to Bitwarden’s statement.

The malicious payload itself was a multi-collector designed to harvest CI secrets — Azure, AWS, GitHub, GCP and npm tokens, plus SSH material, shell history, and AI-tooling configuration including MCP-related files. Exfiltration was via public GitHub repositories created in victims’ namespaces, the same propagation mechanism used in earlier Shai-Hulud worm campaigns. Bitwarden re-released the CLI as version 2026.4.1, which is functionally a re-publication of the unaffected 2026.3.0.
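Two defender-side checks follow from the chain above: a release workflow that pulls a third-party Action by a mutable tag (the entry point here) and a lockfile that already carries the pulled version. The example below is added here and is not Bitwarden's or Checkmarx's code; the workflow text, the lockfile excerpt and the commit SHA in it are constructed samples, and only the package name and version come from the incident record.

```python
import re

# Constructed sample workflow, not Bitwarden's real pipeline: one step pins a
# (placeholder) commit SHA, the Checkmarx step floats on a mutable branch ref.
SAMPLE_WORKFLOW = """\
name: release
on: [push]
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
      - uses: checkmarx/ast-github-action@main
      - uses: ./.github/actions/local-step
      - run: npm publish
"""

# Constructed package-lock (v2/v3 "packages" layout) with the pulled version installed.
SAMPLE_LOCK = {
    "packages": {
        "node_modules/@bitwarden/cli": {"version": "2026.4.0"},
        "node_modules/left-pad": {"version": "1.3.0"},
    }
}

KNOWN_BAD = {("@bitwarden/cli", "2026.4.0")}  # version named in the incident record
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.M)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def unpinned_actions(workflow_text):
    """Return third-party action refs not pinned to a full 40-hex commit SHA.
    Local (./) and docker:// refs are skipped; tags and branches are mutable,
    so a compromised upstream can swap their content without any change here."""
    findings = []
    for ref in USES_RE.findall(workflow_text):
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        _name, _, version = ref.partition("@")
        if not SHA_RE.match(version):
            findings.append(ref)
    return findings

def affected_packages(lock):
    """Return (name, version) pairs from a package-lock dict that match KNOWN_BAD."""
    hits = []
    for path, meta in lock.get("packages", {}).items():
        name = path.split("node_modules/")[-1]
        if (name, meta.get("version")) in KNOWN_BAD:
            hits.append((name, meta["version"]))
    return hits

if __name__ == "__main__":
    print("unpinned actions:", unpinned_actions(SAMPLE_WORKFLOW))
    print("affected packages:", affected_packages(SAMPLE_LOCK))
```

Pinning alone does not stop a maintainer publishing a bad commit, so the lockfile check is the second half: a CI run should fail on either finding and rotate the CI secrets the payload targeted.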

A deep-dive will follow once the full Trivy → Checkmarx → Bitwarden chain is documented end-to-end and the downstream impact across the 334 affected installations becomes publicly known.

Sources
