A malicious version of Bitwarden’s command-line tool briefly turned a trusted developer utility into a credential-stealing supply chain weapon, exposing how quickly attacks on software pipelines are moving toward AI-era credentials.
Bitwarden said the compromised npm package, @bitwarden/cli@2026.4.0, was available between 5:57 p.m. and 7:30 p.m. ET on April 22 before the company contained it.
Bitwarden said there is no evidence that end-user vault data, production data or production systems were compromised, and that users who did not install the npm package during that window were not affected.
Bitwarden has since released @bitwarden/cli version 2026.4.1, a clean re-publish of the prior safe version (effectively 2026.3.0).
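For teams checking whether the compromised release ever landed in their environment, the script below is an added example (not Bitwarden's tooling and not from the article) that looks for @bitwarden/cli pinned or installed at 2026.4.0 in a project directory: the installed package's package.json under node_modules, and npm lockfiles (package-lock.json, npm-shrinkwrap.json) in both v1 and v2/v3 layouts. The lockfile key layout it parses and the directory layout it assumes are standard npm conventions, not anything the article states.

```shell
#!/bin/sh
# Added example: detect the compromised @bitwarden/cli 2026.4.0 release
# in a project tree. Package name and version come from the article; the
# file layouts checked are standard npm conventions.

BAD_PKG="@bitwarden/cli"
BAD_VERSION="2026.4.0"

# True (exit 0) when a version string equals the compromised release.
is_compromised_version() {
  [ "$1" = "$BAD_VERSION" ]
}

# Print the "version" field of a package.json (path in $1); plain sed so it
# runs without node. Returns 1 when the file does not exist.
installed_version_from_package_json() {
  [ -f "$1" ] || return 1
  sed -n 's/^[[:space:]]*"version":[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Exit 0 when a lockfile (path in $1) pins the package at the bad version.
# Matches both v2/v3 keys ("node_modules/@bitwarden/cli": {) and the v1
# "dependencies" layout ("@bitwarden/cli": {), then reads the next "version".
lockfile_pins_bad_version() {
  [ -f "$1" ] || return 1
  awk -v bad="\"$BAD_VERSION\"" '
    /"(node_modules\/)?@bitwarden\/cli":[[:space:]]*[{]/ { inpkg = 1; next }
    inpkg && /"version"/ { if (index($0, bad)) found = 1; inpkg = 0 }
    END { exit found ? 0 : 1 }
  ' "$1"
}

# Scan one project directory (path in $1). Prints each finding and returns
# 0 if the compromised version is present anywhere, 1 if clean.
scan_project() {
  dir="$1"
  hit=1
  v=$(installed_version_from_package_json "$dir/node_modules/$BAD_PKG/package.json" || true)
  if [ -n "$v" ] && is_compromised_version "$v"; then
    echo "FOUND: $dir/node_modules/$BAD_PKG is installed at $v"
    hit=0
  fi
  for lock in package-lock.json npm-shrinkwrap.json; do
    if lockfile_pins_bad_version "$dir/$lock"; then
      echo "FOUND: $dir/$lock pins $BAD_PKG@$BAD_VERSION"
      hit=0
    fi
  done
  return $hit
}

# Check a global npm install as well (skipped when npm is not on PATH).
scan_global() {
  command -v npm >/dev/null 2>&1 || return 1
  root=$(npm root -g 2>/dev/null) || return 1
  v=$(installed_version_from_package_json "$root/$BAD_PKG/package.json" || true)
  [ -n "$v" ] && is_compromised_version "$v" && echo "FOUND: global $BAD_PKG at $v"
}

# Usage: RUN_SCAN=1 sh check_bitwarden_cli.sh /path/to/project
if [ "${RUN_SCAN:-0}" = "1" ]; then
  scan_global
  if scan_project "${1:-.}"; then
    echo "compromised version present; rotate the credentials named in the advisory"
  else
    echo "clean: $BAD_PKG@$BAD_VERSION not found in ${1:-.}"
  fi
fi
```

A hit means the package was resolved during the publication window and the host should be treated as exposed; an absent lockfile entry is not proof of safety if the package was installed with a different tool or from a cache, so pair this with package-manager logs and npm's own publish/install history.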
Supply Chain Chameleon
Researchers at Socket and Aikido said the payload behaved like a self-propagating npm worm tied to the broader Checkmarx supply chain incident. It harvested GitHub, npm, SSH and cloud credentials, then attempted to spread by abusing npm publishing rights and GitHub Actions workflows.
Aikido said the malware searched for Claude and Kiro MCP configuration files, while Palo Alto Networks said the package targeted “AI/MCP configurations.” Those files can contain tokens, API keys or connection details used by AI coding tools and agent workflows. That makes the incident less a vault breach than a warning about non-human identity sprawl in developer environments.
The Bitwarden incident followed a separate Checkmarx supply chain compromise involving KICS Docker images, VS Code/OpenVSX extensions and GitHub Actions assets. Checkmarx confirmed an active supply chain incident on April 22, while Docker said it quarantined malicious Checkmarx KICS images after detecting suspicious provenance.