OPEN_SOURCE
HN · HACKER_NEWS // 5h ago · SECURITY INCIDENT
Bitwarden CLI hit in Checkmarx campaign
Socket says attackers slipped malicious code into the npm release of @bitwarden/cli@2026.4.0 after abusing Bitwarden’s CI/CD pipeline in the wider Checkmarx supply chain campaign. Bitwarden says the bad package was available only between 5:57 PM and 7:30 PM ET on April 22, 2026, and that it found no evidence of vault or production-system compromise.
// ANALYSIS
This is the nightmare version of software supply chain risk: the codebase can stay clean while the publish path gets poisoned. The real lesson for developers is that CI/CD and package-release controls are now part of the product surface, not just internal plumbing.
- The compromise appears limited to the npm distribution path for the CLI, not Bitwarden’s browser extension, desktop apps, or stored vault data.
- Socket’s analysis says the payload stole tokens, cloud credentials, SSH material, and other secrets, making this a broader workstation and CI exposure issue than a simple package typosquat.
- Because the affected artifact was an official package version, trust signals like correct naming, repo metadata, and normal install commands were not enough to protect users.
- This reinforces a growing pattern in OSS attacks: attackers target GitHub Actions, release automation, and publish permissions because they can bypass normal code review entirely.
- Teams using Bitwarden CLI should verify whether `@bitwarden/cli@2026.4.0` was pulled from npm during the affected window, rotate exposed secrets, and audit runners and developer machines for follow-on abuse.
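One way to do the first check above across a fleet of repositories: scan each `package-lock.json` for a pin of the affected version. This is an added example, not code from Bitwarden or Socket; the sample lockfiles are constructed, and a matching pin only shows the version was resolved, not when it was fetched, so treat a hit as grounds for rotation and host review rather than proof of the install time.

```python
import json

# Affected release named in the Socket / Bitwarden reports.
AFFECTED_NAME = "@bitwarden/cli"
AFFECTED_VERSION = "2026.4.0"


def find_affected(lock: dict, name: str = AFFECTED_NAME, version: str = AFFECTED_VERSION) -> list:
    """Return lockfile locations (node_modules paths) that pin `name` at `version`.

    Handles lockfileVersion 2/3, where "packages" is a flat map keyed by
    node_modules path, and lockfileVersion 1, where "dependencies" is a
    nested tree (transitive installs can hide the CLI under another tool).
    """
    hits = []
    if "packages" in lock:
        for path, meta in lock["packages"].items():
            if path.endswith("node_modules/" + name) and meta.get("version") == version:
                hits.append(path)
    else:
        def walk(deps: dict, prefix: str) -> None:
            for dep_name, meta in deps.items():
                path = f"{prefix}node_modules/{dep_name}"
                if dep_name == name and meta.get("version") == version:
                    hits.append(path)
                walk(meta.get("dependencies", {}), path + "/")
        walk(lock.get("dependencies", {}), "")
    return sorted(set(hits))


def scan_lockfile(path: str) -> list:
    """Load a package-lock.json from disk and report affected pins."""
    with open(path, encoding="utf-8") as fh:
        return find_affected(json.load(fh))


# Constructed samples: a v3 lockfile with a direct hit, and a v1 lockfile
# where the CLI is only a transitive dependency of another tool.
SAMPLE_LOCK_V3 = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/@bitwarden/cli": {"version": "2026.4.0"},
        "node_modules/left-pad": {"version": "1.3.0"},
    },
}
SAMPLE_LOCK_V1 = {
    "lockfileVersion": 1,
    "dependencies": {
        "release-helper": {
            "version": "3.0.0",
            "dependencies": {"@bitwarden/cli": {"version": "2026.4.0"}},
        },
        "other-tool": {"version": "1.0.0", "dependencies": {"@bitwarden/cli": {"version": "2026.3.0"}}},
    },
}
```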
// TAGS
bitwarden-cli · bitwarden · cli · devtool · open-source · safety
DISCOVERED
5h ago
2026-04-23
PUBLISHED
7h ago
2026-04-23
RELEVANCE
6/10
AUTHOR
tosh