
Bitwarden CLI npm package compromised in supply chain attack

The official Bitwarden CLI npm package was compromised for 90 minutes, distributing malware that harvested credentials and propagated to other packages.

Updated: Friday, 24 April 2026 at 11:33 UTC

Synthesis from 1 verified source
The official @bitwarden/cli npm package was compromised on April 22, 2026, distributing a malicious version (2026.4.0) for approximately 90 minutes. The malware harvested npm tokens, GitHub credentials, SSH keys, and cloud platform secrets, exfiltrating encrypted data to attacker-controlled GitHub repositories. Bitwarden confirmed the breach was linked to the broader Checkmarx supply chain attack and stated no user vault data was compromised. The malware also featured self-propagation capabilities, using stolen npm credentials to inject malicious code into additional packages, with security researchers identifying infrastructure overlaps with previous TeamPCP campaigns.
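As an added example (not part of this dispatch and not Bitwarden's code), the following Python scanner walks an npm lockfile and reports any dependency resolved to the release the dispatch names, @bitwarden/cli 2026.4.0, so a team can check whether a project picked up the affected package during the 90-minute window. The `example-app` / `internal-tool` lockfile is constructed sample data; the affected-version table holds only the version stated above.

```python
"""Find the compromised @bitwarden/cli release in npm lockfiles.

Added example for this dispatch; it is not Bitwarden's code and not an
official indicator list. It flags only the version the dispatch names
(2026.4.0). Lockfile layouts: npm lockfileVersion 2/3 use a flat "packages"
map keyed by install path; lockfileVersion 1 nests "dependencies".
"""
import json
import sys
from pathlib import Path

# Package and version named in the dispatch. Extend if further indicators are published.
AFFECTED = {"@bitwarden/cli": {"2026.4.0"}}


def lockfile_hits(lock: dict) -> list[tuple[str, str, str]]:
    """Return (install path, package name, version) for every affected entry."""
    hits: list[tuple[str, str, str]] = []
    packages = lock.get("packages")
    if packages is not None:
        # lockfileVersion 2/3: keys look like "node_modules/@scope/name";
        # the "" key is the root project itself and is skipped.
        for path, meta in packages.items():
            if not path:
                continue
            name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
            version = meta.get("version", "")
            if version in AFFECTED.get(name, set()):
                hits.append((path, name, version))
        return hits

    # lockfileVersion 1: recurse through nested "dependencies" objects.
    def walk(deps: dict, prefix: str) -> None:
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            version = meta.get("version", "")
            if version in AFFECTED.get(name, set()):
                hits.append((path, name, version))
            walk(meta.get("dependencies", {}), path + "/")

    walk(lock.get("dependencies", {}), "")
    return hits


def scan_lockfile_text(text: str) -> list[tuple[str, str, str]]:
    """Parse lockfile JSON text and return affected entries."""
    return lockfile_hits(json.loads(text))


def scan_project(root: Path) -> list[tuple[str, str, str]]:
    """Scan package-lock.json and npm-shrinkwrap.json under a project root."""
    found: list[tuple[str, str, str]] = []
    for name in ("package-lock.json", "npm-shrinkwrap.json"):
        lock = root / name
        if lock.is_file():
            found.extend(scan_lockfile_text(lock.read_text(encoding="utf-8")))
    return found


# Constructed sample: a lockfileVersion 3 file that pins the affected release
# as a transitive dependency of a hypothetical internal tool.
SAMPLE_LOCK = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/internal-tool": {"version": "0.3.1"},
        "node_modules/internal-tool/node_modules/@bitwarden/cli": {"version": "2026.4.0"},
        "node_modules/left-pad": {"version": "1.3.0"},
    },
})

if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    results = scan_project(target) if target else scan_lockfile_text(SAMPLE_LOCK)
    for path, name, version in results:
        print(f"AFFECTED: {name}@{version} at {path}")
    sys.exit(1 if results else 0)
```

Run it with a project directory as the argument, or with no argument to exercise the constructed sample. A hit means the lockfile resolved the affected release; whether the package's install or run scripts actually executed on a given machine (developer workstation, CI runner, container image) has to be confirmed separately, and on any host where it did, the credential classes the dispatch lists (npm tokens, GitHub credentials, SSH keys, cloud secrets) are the ones to rotate.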