ZCyberNews
Threat Intel | Critical | 2 min read

Bitwarden CLI npm Package Hijacked to Steal Developer Credentials

Attackers published a malicious @bitwarden/cli npm package that steals credentials and spreads to other projects.

Executive Summary

Bitwarden's official CLI package on the npm registry was briefly compromised on April 22, 2026, after attackers published a malicious version of @bitwarden/cli designed to steal developer credentials and propagate to other projects. The rogue package was live for several hours before Bitwarden revoked it. The incident underscores the persistent risk of supply-chain attacks targeting the npm ecosystem, particularly against widely used developer tools.

Technical Analysis

According to BleepingComputer, the malicious @bitwarden/cli package contained a credential-stealing payload that targeted environment variables, configuration files, and stored tokens. The malware was capable of exfiltrating credentials and spreading to other projects on the same system, amplifying the potential blast radius. The package was published under the same name as the legitimate Bitwarden CLI, making it difficult for developers to distinguish the rogue version without verifying checksums or package signatures.

Bitwarden confirmed the compromise and revoked the malicious package after detection. The company has not disclosed the exact method by which the attackers gained access to the npm publishing credentials, nor the specific version number of the compromised release. The incident follows a pattern of supply-chain attacks targeting npm packages, including the recent Checkmarx KICS compromise that affected Docker images and VS Code extensions.

Mitigations & Recommendations

Developers who installed or updated the @bitwarden/cli package between April 22 and the time of revocation should immediately rotate all credentials stored in the affected environment, including API keys, SSH keys, and cloud provider tokens. Teams should audit npm package integrity by comparing checksums against Bitwarden's official release signatures. Organizations should implement npm package pinning, use integrity verification (e.g., npm audit with --audit-level=critical), and restrict automated CI/CD pipeline updates to trusted registries. Bitwarden recommends using the official GitHub releases or verifying package hashes before installation.
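One way to operationalize the pinning and checksum-verification advice above is to treat the lockfile as the point of control: npm records each resolved tarball's hash in package-lock.json as an SRI string of the form `sha512-<base64 digest>`, so a pre-install check can confirm that every entry for a sensitive package comes from a trusted registry host, carries an integrity field, and matches a hash the team has pinned out-of-band. The script below is an added example, not Bitwarden's code or tooling; the version string, tarball bytes and hashes are constructed placeholders because the article discloses neither the compromised version nor any checksum, and the lockfile documents are built inline rather than read from disk.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed stand-ins: the article does not disclose the compromised version or
# any hash, so these values are placeholders, not real Bitwarden artifacts.
PACKAGE = "@bitwarden/cli"
PLACEHOLDER_VERSION = "0.0.0-example"
TRUSTED_HOSTS = {"registry.npmjs.org"}
GOOD_TARBALL = b"constructed tarball bytes standing in for cli-0.0.0-example.tgz"


def npm_integrity(data: bytes, algo: str = "sha512") -> str:
    """Compute the SRI string npm records in package-lock.json ('sha512-<base64 digest>')."""
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_tarball(data: bytes, expected_sri: str) -> bool:
    """Check a downloaded tarball against a pinned SRI value, using the algorithm the pin names."""
    algo, _, _ = expected_sri.partition("-")
    if algo not in hashlib.algorithms_available:
        return False
    return hmac.compare_digest(npm_integrity(data, algo), expected_sri)


def lock_entries(lock: dict, package: str) -> list[dict]:
    """Return every lockfile (v2/v3) entry for `package`, including nested installs."""
    suffix = f"node_modules/{package}"
    return [
        {"path": path, **entry}
        for path, entry in lock.get("packages", {}).items()
        if path == suffix or path.endswith("/" + suffix)
    ]


def check_lock(lock: dict, package: str, pinned: dict[str, str], trusted_hosts: set[str]) -> list[str]:
    """Report lockfile entries for `package` that are unpinned, unverifiable, or from an untrusted host."""
    findings = []
    entries = lock_entries(lock, package)
    if not entries:
        findings.append(f"{package}: not present in lockfile")
    for e in entries:
        version, resolved, integrity = e.get("version"), e.get("resolved", ""), e.get("integrity")
        host = urlparse(resolved).hostname
        if host not in trusted_hosts:
            findings.append(f"{e['path']}: resolved from untrusted host {host!r}")
        if not integrity:
            findings.append(f"{e['path']}: no integrity field")
        elif version not in pinned:
            findings.append(f"{e['path']}: version {version} is not on the allowlist")
        elif not hmac.compare_digest(pinned[version], integrity):
            findings.append(f"{e['path']}: integrity does not match the pinned value for {version}")
    return findings


def make_lock(resolved: str, integrity: str) -> dict:
    """Build a minimal lockfileVersion 3 document (constructed sample input)."""
    return {
        "name": "example-app",
        "lockfileVersion": 3,
        "packages": {
            "": {"name": "example-app", "dependencies": {PACKAGE: PLACEHOLDER_VERSION}},
            f"node_modules/{PACKAGE}": {
                "version": PLACEHOLDER_VERSION,
                "resolved": resolved,
                "integrity": integrity,
            },
        },
    }


# Allowlist the team maintains out-of-band, keyed by version -> expected SRI.
PINNED = {PLACEHOLDER_VERSION: npm_integrity(GOOD_TARBALL)}
# A lockfile that matches the allowlist, and one whose entry was swapped for a
# differently-hashed tarball served from an untrusted host (both constructed).
GOOD_LOCK = make_lock(f"https://registry.npmjs.org/{PACKAGE}/-/cli-{PLACEHOLDER_VERSION}.tgz",
                      PINNED[PLACEHOLDER_VERSION])
BAD_LOCK = make_lock(f"https://mirror.example.invalid/{PACKAGE}/-/cli-{PLACEHOLDER_VERSION}.tgz",
                     npm_integrity(b"tampered tarball"))

if __name__ == "__main__":
    print("good lock:", check_lock(GOOD_LOCK, PACKAGE, PINNED, TRUSTED_HOSTS) or "no findings")
    for finding in check_lock(BAD_LOCK, PACKAGE, PINNED, TRUSTED_HOSTS):
        print("bad lock: ", finding)
    print("tarball ok:", verify_tarball(GOOD_TARBALL, PINNED[PLACEHOLDER_VERSION]))
```

Run against the real lockfile by loading it with `json.load` and passing the result to `check_lock` as a CI step before `npm ci`, which installs exactly what the lockfile records. Any finding should fail the pipeline, since a changed resolved host or integrity value for a package like @bitwarden/cli is precisely the signal a republished package would produce.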
