Bitwarden Confirms Short-Lived npm Compromise Affecting CLI Package

Bitwarden has confirmed a brief supply-chain compromise of its CLI 2026.4.0 npm package, with no evidence of vault data exposure.

Bitwarden, an open-source password management service, confirmed its command-line client was briefly affected by a supply-chain compromise involving the npm package for CLI 2026.4.0.

The security team identified and contained a malicious package distributed via npm for @bitwarden/cli@2026.4.0 between 5:57 PM and 7:30 PM ET on April 22, 2026. This incident was part of a broader Checkmarx supply-chain campaign targeting software publishing workflows.

Bitwarden states the issue was limited to the npm distribution mechanism for the CLI during that timeframe and did not impact the official CLI codebase or stored vault data. The company found no evidence of end-user vault data access or compromise of production systems or data.

“The investigation found no evidence that end user vault data was accessed or at risk, or that production data or production systems were compromised. Once the issue was detected, compromised access was revoked, the malicious npm release was deprecated, and remediation steps were initiated immediately.”

The compromised package was available for less than two hours and only affects users who installed Bitwarden CLI 2026.4.0 via npm during that period. Bitwarden confirms that users of the browser extension, desktop app, mobile app, server, or Snap package are not impacted.

Security researchers at Socket reported that the malicious payload was contained in a file named bw1.js within the npm package. Their analysis connects this package to broader supply-chain activity involving compromised GitHub Actions workflows and credential-stealing malware.

Importantly, the payload was intended to collect developer and infrastructure secrets, not Bitwarden vault contents. According to Socket, it targeted GitHub tokens, npm tokens, SSH keys, cloud credentials, .npmrc files, environment variables, shell history, Git credentials, and CI/CD secrets. It also checked for persistence through shell profile files such as .bashrc and .zshrc.

Bitwarden has deprecated the malicious npm release, revoked compromised access, and released Bitwarden CLI 2026.4.1.

Users who installed the affected npm package should uninstall it, clear the npm cache, temporarily disable npm install scripts during cleanup, rotate any potentially exposed credentials, and review GitHub activity, CI workflows, and related credentials for unauthorized changes.
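As an added example (not code from Bitwarden, Socket, or this article), the following POSIX shell script turns the remediation steps above into a repeatable check: it parses the globally installed @bitwarden/cli version, flags the compromised release, scans the usual shell profile files for references to the package or to the bw1.js payload file, and prints the cleanup sequence for review. The package name, the two version numbers and the payload file name are taken from the article; the BW_CHECK_RUN variable, the profile-scan patterns and the list of profile files are this script's own assumptions.

```shell
#!/bin/sh
# Added example (not Bitwarden's or Socket's tooling): a defender-side check for
# the npm incident described in the article. Package name, affected/fixed
# versions and the payload file name come from the article; the profile-scan
# heuristic and the BW_CHECK_RUN variable are assumptions of this script.

AFFECTED_PKG="@bitwarden/cli"
AFFECTED_VERSION="2026.4.0"
FIXED_VERSION="2026.4.1"
PAYLOAD_FILE="bw1.js"

# parse_cli_version TEXT: extract the installed @bitwarden/cli version from the
# output of "npm ls -g @bitwarden/cli --depth=0"; prints nothing if absent.
parse_cli_version() {
  printf '%s\n' "$1" | sed -n 's/.*@bitwarden\/cli@\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# installed_cli_version: query npm (if present) and parse its output.
installed_cli_version() {
  command -v npm >/dev/null 2>&1 || return 0
  parse_cli_version "$(npm ls -g "$AFFECTED_PKG" --depth=0 2>/dev/null)"
}

# is_affected_version VERSION: succeeds only for the release pulled from npm.
is_affected_version() {
  [ "$1" = "$AFFECTED_VERSION" ]
}

# profile_suspicious_lines FILE: print numbered lines of a shell profile that
# reference the payload file or the package path. Assumed heuristic: anything
# in .bashrc/.zshrc mentioning either deserves manual review.
profile_suspicious_lines() {
  [ -f "$1" ] || return 0
  grep -n -E "$PAYLOAD_FILE|$AFFECTED_PKG" "$1" || true
}

# cleanup_commands: the remediation sequence from the advisory, printed for
# review rather than executed. ignore-scripts is only disabled temporarily.
cleanup_commands() {
  cat <<EOF
npm uninstall -g $AFFECTED_PKG
npm cache clean --force
npm config set ignore-scripts true
npm install -g $AFFECTED_PKG@$FIXED_VERSION
npm config delete ignore-scripts
EOF
}

# run_check: report whether the affected release is installed, scan the usual
# profile files, print the cleanup commands and the credential rotation list.
run_check() {
  v=$(installed_cli_version)
  if [ -z "$v" ]; then
    echo "[ok] $AFFECTED_PKG is not installed globally via npm"
  elif is_affected_version "$v"; then
    echo "[!!] $AFFECTED_PKG@$v is installed: this is the compromised release"
  else
    echo "[ok] $AFFECTED_PKG@$v is installed (not the affected release)"
  fi
  for f in "$HOME/.bashrc" "$HOME/.zshrc" "$HOME/.profile" "$HOME/.zprofile"; do
    hits=$(profile_suspicious_lines "$f")
    if [ -n "$hits" ]; then
      printf '[!!] %s references the package or payload file:\n%s\n' "$f" "$hits"
    fi
  done
  echo "Cleanup sequence (review, then run):"
  cleanup_commands
  echo "Then rotate GitHub and npm tokens, SSH keys, cloud credentials and CI/CD secrets,"
  echo "and review GitHub activity and CI workflows for unauthorized changes."
}

# Run the full check only when explicitly requested, so sourcing the file for
# its functions has no side effects.
if [ "${BW_CHECK_RUN:-0}" = "1" ]; then
  run_check
fi
```

Run it with `BW_CHECK_RUN=1 sh check-bw-cli.sh` on any machine where the npm package may have been installed during the incident window; a hit on the profile scan is a prompt for manual inspection, not proof of compromise, since the heuristic will also match a legitimate alias pointing at the CLI.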

Bobby Borisov

Bobby, an editor-in-chief at Linuxiac, is a Linux professional with over 20 years of experience. With a strong focus on Linux and open-source software, he has worked as a Senior Linux System Administrator, Software Developer, and DevOps Engineer for small and large multinational companies.
