Bitwarden CLI hit in Checkmarx campaign


// SECURITY INCIDENT

Socket says attackers slipped malicious code into the npm release of @bitwarden/cli@2026.4.0 after abusing Bitwarden’s CI/CD pipeline in the wider Checkmarx supply chain campaign. Bitwarden says the bad package was available only between 5:57 PM and 7:30 PM ET on April 22, 2026, and that it found no evidence of vault or production-system compromise.

// ANALYSIS

This is the nightmare version of software supply chain risk: the repository can stay clean while the path from CI to the registry is poisoned, so a clean git history and code review tell consumers nothing about what was actually shipped. The lesson for developers is that CI/CD and package-release controls are part of the product's attack surface, not internal plumbing.

  • The compromise appears limited to the npm distribution path for the CLI, not Bitwarden’s browser extension, desktop apps, or stored vault data.
  • Socket’s analysis says the payload stole tokens, cloud creds, SSH material, and other secrets, making this a broader workstation and CI exposure issue than a simple package typo-squat.
  • Because the affected artifact was an official package version, trust signals like correct naming, repo metadata, and normal install commands were not enough to protect users.
  • This reinforces a growing pattern in OSS attacks: attackers target GitHub Actions, release automation, and publish permissions because they can bypass normal code review entirely.
  • Teams using Bitwarden CLI should check whether `@bitwarden/cli@2026.4.0` was installed from npm during the affected window (lockfiles, `node_modules`, the npm cache, and CI runner logs all leave traces), treat every host that ran it as exposed, rotate the secrets reachable from those hosts, and audit runners and developer machines for follow-on abuse.
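A triage script for that last step, added here as an example and not code from Bitwarden, Socket or AICrier. It checks three places a copy of the bad release leaves a trace: an installed `node_modules/@bitwarden/cli/package.json`, a `package-lock.json` that resolves the package to the affected version (both the lockfile v1 `dependencies` and the v2/v3 `packages` layouts), and the npm cache index. The version string comes from the summary above; the cache path (`~/.npm/_cacache/index-v5`, overridable through the script's own `NPM_CACHE_DIR` variable) and the registry tarball naming are assumptions about npm's default layout, and the fixture trees it writes are constructed.

```shell
#!/bin/sh
# Added example: triage for the compromised @bitwarden/cli release. Not code
# from Bitwarden, Socket or AICrier. The version below is from the report;
# everything about npm's on-disk layout is an assumption about npm defaults.
AFFECTED_NAME="@bitwarden/cli"
AFFECTED_VERSION="2026.4.0"

# installed_cli_version DIR: print the version of @bitwarden/cli installed
# under DIR/node_modules, or nothing if it is not installed there.
installed_cli_version() {
    pkg="$1/node_modules/$AFFECTED_NAME/package.json"
    [ -f "$pkg" ] || return 0
    sed -n 's/^[[:space:]]*"version":[[:space:]]*"\([^"]*\)".*/\1/p' "$pkg" | head -n 1
}

# lockfile_pins_affected LOCKFILE: succeed if the lockfile resolves the package
# to the affected version. Handles the v1 key ("@bitwarden/cli": {) and the
# v2/v3 key ("node_modules/@bitwarden/cli": {); the "version" line is only
# looked for inside that object. Assumes npm's one-key-per-line formatting.
lockfile_pins_affected() {
    [ -f "$1" ] || return 1
    awk -v name="$AFFECTED_NAME" -v ver="$AFFECTED_VERSION" '
        BEGIN { key = "\"(node_modules/)?" name "\":[[:space:]]*[{]"; want = "\"" ver "\"" }
        $0 ~ key { inpkg = 1; next }
        inpkg && /"version"/ { if (index($0, want)) found = 1; inpkg = 0 }
        inpkg && /^[[:space:]]*}/ { inpkg = 0 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# cache_fetched_affected: succeed if the npm cache index records a fetch of the
# affected tarball. Assumes npm's default cache (~/.npm/_cacache/index-v5) and
# registry tarball naming (@scope/name/-/name-VERSION.tgz). NPM_CACHE_DIR is a
# variable of this script, not an npm setting. A miss is not proof of safety:
# caches get cleared.
cache_fetched_affected() {
    idx="${NPM_CACHE_DIR:-$HOME/.npm/_cacache}/index-v5"
    [ -d "$idx" ] || return 1
    grep -rqF "$AFFECTED_NAME/-/${AFFECTED_NAME#*/}-$AFFECTED_VERSION.tgz" "$idx"
}

# scan_dir DIR: run every check against one project tree. Prints findings and
# fails if anything matched, so it can drive a CI gate or a fleet-wide loop.
scan_dir() {
    dir="$1"; hit=0
    if [ "$(installed_cli_version "$dir")" = "$AFFECTED_VERSION" ]; then
        printf 'AFFECTED: %s@%s installed in %s/node_modules\n' "$AFFECTED_NAME" "$AFFECTED_VERSION" "$dir"; hit=1
    fi
    if lockfile_pins_affected "$dir/package-lock.json"; then
        printf 'AFFECTED: %s/package-lock.json resolves %s@%s\n' "$dir" "$AFFECTED_NAME" "$AFFECTED_VERSION"; hit=1
    fi
    if cache_fetched_affected; then
        printf 'AFFECTED: npm cache index shows %s@%s was downloaded on this host\n' "$AFFECTED_NAME" "$AFFECTED_VERSION"; hit=1
    fi
    [ "$hit" -eq 0 ] && printf 'clean: no trace of %s@%s in %s\n' "$AFFECTED_NAME" "$AFFECTED_VERSION" "$dir"
    return "$hit"
}

# write_fixtures DIR: constructed sample trees. DIR/hit looks like a project
# that installed the bad release; DIR/clean pins an older (made-up) version.
write_fixtures() {
    mkdir -p "$1/hit/node_modules/$AFFECTED_NAME" "$1/clean"
    printf '{\n  "name": "%s",\n  "version": "%s"\n}\n' "$AFFECTED_NAME" "$AFFECTED_VERSION" \
        > "$1/hit/node_modules/$AFFECTED_NAME/package.json"
    cat > "$1/hit/package-lock.json" <<EOF
{
  "lockfileVersion": 3,
  "packages": {
    "": { "dependencies": { "$AFFECTED_NAME": "^$AFFECTED_VERSION" } },
    "node_modules/$AFFECTED_NAME": {
      "version": "$AFFECTED_VERSION",
      "resolved": "https://registry.npmjs.org/$AFFECTED_NAME/-/${AFFECTED_NAME#*/}-$AFFECTED_VERSION.tgz"
    }
  }
}
EOF
    cat > "$1/clean/package-lock.json" <<EOF
{
  "lockfileVersion": 1,
  "dependencies": {
    "$AFFECTED_NAME": {
      "version": "2026.3.0"
    }
  }
}
EOF
}

# Usage: sh triage.sh DIR...  (every checkout on a runner, or
# "$(dirname "$(npm root -g)")" for a global install). No args: run on fixtures.
if [ $# -gt 0 ]; then
    status=0
    for d in "$@"; do scan_dir "$d" || status=1; done
    exit "$status"
fi
demo=$(mktemp -d); write_fixtures "$demo"
scan_dir "$demo/hit" || true
scan_dir "$demo/clean" || true
rm -rf "$demo"
```

Run it across every checkout on a CI runner and across the global prefix on developer machines; a non-zero exit is a host to treat as exposed. `npx` invocations and cleared caches leave nothing for the filesystem checks to find, so registry proxy logs and CI job logs from the affected window are the complement to this script, not an optional extra.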
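The pattern in the fourth bullet can be checked mechanically. Below is an added example, not Bitwarden's, Socket's or GitHub's tooling, that lints GitHub Actions workflow files for the settings that make a release pipeline easy to hijack: third-party actions referenced by mutable tag or branch instead of a commit SHA, a `permissions: write-all` token, a `pull_request_target` job that checks out the pull request head, and `npm publish` without `--provenance`. Which patterns count as findings is the script's own choice; the weak and hardened sample workflows it writes are constructed, and the commit SHAs in the hardened one are placeholders.

```shell
#!/bin/sh
# Added example: lint GitHub Actions workflows for settings that make a
# release pipeline easy to hijack. Not Bitwarden's, Socket's or GitHub's
# tooling; which patterns count as findings is this script's own choice.

# audit_workflow FILE: print one finding per line, fail if there are any.
audit_workflow() {
    f="$1"; n=0
    # 1. Actions pulled by mutable tag or branch (uses: owner/repo@v4, @main).
    #    A 40-hex commit SHA is immutable; local (./) and docker:// refs are skipped.
    unpinned=$(grep -Eo 'uses:[[:space:]]*[^[:space:]#]+' "$f" \
        | sed -E 's/^uses:[[:space:]]*//' | tr -d "\"'" \
        | grep -Ev '^(\./|docker://)' | grep -Ev '@[0-9a-f]{40}$' || true)
    for ref in $unpinned; do
        printf '%s: action not pinned to a commit SHA: %s\n' "$f" "$ref"; n=$((n + 1))
    done
    # 2. GITHUB_TOKEN with write-all: a compromised step can push tags, edit
    #    releases or rewrite workflows.
    if grep -Eq '^[[:space:]]*permissions:[[:space:]]*write-all' "$f"; then
        printf '%s: GITHUB_TOKEN granted write-all\n' "$f"; n=$((n + 1))
    fi
    # 3. pull_request_target runs with the base repo's secrets; checking out
    #    the PR head then executes untrusted code with those secrets.
    if grep -q 'pull_request_target' "$f" \
        && grep -Eq 'github\.event\.pull_request\.head\.(sha|ref)' "$f"; then
        printf '%s: pull_request_target job checks out the untrusted PR head\n' "$f"; n=$((n + 1))
    fi
    # 4. npm publish without --provenance: consumers cannot tie the tarball
    #    back to the workflow that built it.
    if grep 'npm publish' "$f" | grep -qv -- '--provenance'; then
        printf '%s: npm publish without --provenance\n' "$f"; n=$((n + 1))
    fi
    [ "$n" -eq 0 ]
}

# count_findings FILE: number of findings, printed as a plain number.
count_findings() { audit_workflow "$1" | grep -c . || true; }

# write_sample_workflows DIR: constructed weak and hardened workflows for a
# stand-alone run (the SHAs are placeholders, not real action commits).
write_sample_workflows() {
    mkdir -p "$1"
    cat > "$1/weak.yml" <<'EOF'
name: release
on:
  pull_request_target:
  push:
    tags: ['v*']
permissions: write-all
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/setup-node@v4
      - run: npm ci && npm publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
EOF
    cat > "$1/hardened.yml" <<'EOF'
name: release
on:
  push:
    tags: ['v*']
permissions:
  contents: read
  id-token: write
jobs:
  publish:
    runs-on: ubuntu-latest
    environment: npm-release
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4, placeholder SHA
        with:
          persist-credentials: false
      - uses: actions/setup-node@89abcdef0123456789abcdef0123456789abcdef # v4, placeholder SHA
        with:
          registry-url: https://registry.npmjs.org
      - run: npm ci
      - run: npm publish --provenance --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
EOF
}

# Usage: sh audit.sh .github/workflows/*.yml ; with no args, runs on the samples.
if [ $# -gt 0 ]; then
    status=0
    for w in "$@"; do audit_workflow "$w" || status=1; done
    exit "$status"
fi
demo=$(mktemp -d); write_sample_workflows "$demo"
audit_workflow "$demo/weak.yml" || true
audit_workflow "$demo/hardened.yml" && echo "$demo/hardened.yml: no findings"
rm -rf "$demo"
```

The hardened sample is the shape to aim for: actions pinned to commit SHAs, a read-only `GITHUB_TOKEN` plus `id-token: write` for provenance, a protected deployment environment gating the publish job, and `npm publish --provenance` so the registry records which workflow built the tarball. None of that stops a runner that is already compromised from publishing whatever it is told to; it narrows who can trigger a publish and makes the artifact's origin verifiable after the fact, which is what `npm audit signatures` checks on the consumer side.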
// TAGS
bitwarden-cli, bitwarden, cli, devtool, open-source, safety

DISCOVERED

2026-04-23

PUBLISHED

2026-04-23

RELEVANCE

6/10

AUTHOR

tosh