ACCORDING to Bitwarden, the incident stemmed from a compromised npm distribution path, linked to the wider supply chain campaign that Checkmarx has reported on, which briefly exposed a malicious @bitwarden/cli package, version 2026.4.0, between 5:57 PM and 7:30 PM (ET) on 22 April 2026.
The compromised package added a preinstall hook that runs during npm install and executes bw_setup.js, which fetches the Bun runtime and then launches a second stage, bw1[.]js, a 10 MB obfuscated payload that acts as a credential harvester and self-propagating supply chain worm. The attackers used stolen GitHub tokens to add malicious workflows to repositories and stolen npm credentials to publish infected package versions, spreading the malware downstream; researchers note that the compromised Bitwarden CLI release was likely published through this same workflow.
The malware targets developer tools and cloud credentials, scanning for high-value files such as SSH keys, cloud secrets and other credentials, and exfiltrates what it finds to a private domain and via GitHub commits, in some cases encrypting the data before exfiltration. Bitwarden says there is no evidence that end-user vault data or production systems were compromised, and a CVE is being issued for Bitwarden CLI 2026.4.0.