thehackernews.com 4/23/2026, 3:00:58 PM

Bitwarden CLI supply chain attack spreads via malicious bw1.js


Bitwarden’s official CLI package was compromised as part of the Checkmarx supply chain campaign, with the affected release identified as @bitwarden/cli@2026.4.0 and the malicious code hiding in a file named bw1[.]js. The attack exploited a compromised GitHub Action in Bitwarden’s CI/CD pipeline, a pattern seen in other repositories tied to the same campaign, according to JFrog.

The rogue npm package reportedly stole tokens, secrets and credentials from GitHub, npm, SSH and environment files, exfiltrating data to private domains and even GitHub commits, Socket noted in its findings. It is believed the threat actor behind the latest activity is TeamPCP, though their X account has since been suspended; OX Security has linked the incident to the “Shai-Hulud: The Third Coming” stage of the broader campaign.

Bitwarden stated that the incident was contained, no end-user vault data was accessed, and a CVE is being issued for version 2026.4.0. The window during which the malicious release circulated via npm was between 5:57 PM and 7:30 PM (ET) on 22 April 2026.
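As an added, defender-side example (not code from the article, Bitwarden, or any of the vendors cited), the following Python audit flags the affected release in a lockfileVersion 2/3 package-lock.json, transitive installs included, and lists any bw1.js file in an installed node_modules tree. The package name, version and file name come from the article; the sample lockfile and its other version numbers are constructed.

```python
"""Added example (not from the article): audit an npm lockfile and installed
node_modules tree for the compromised @bitwarden/cli@2026.4.0 release and the
bw1.js file it carried. Indicators are from the article; sample data is constructed."""
import json
import os

# Package/version pairs the article names as compromised.
AFFECTED = {"@bitwarden/cli": {"2026.4.0"}}
# File name the article reports as carrying the malicious code.
SUSPICIOUS_FILES = {"bw1.js"}


def find_affected_in_lockfile(lock_text):
    """Return (name, version, install path) for every affected install in a
    lockfileVersion 2/3 package-lock.json, transitive installs included."""
    data = json.loads(lock_text)
    hits = []
    for path, meta in data.get("packages", {}).items():
        # "node_modules/a/node_modules/@scope/b" -> "@scope/b"; the root
        # entry "" has no node_modules segment and is matched by its name.
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        if meta.get("version") in AFFECTED.get(name, ()):
            hits.append((name, meta["version"], path))
    return hits


def filter_suspicious(paths):
    """Keep only paths whose basename matches a known-bad file name."""
    return sorted(p for p in paths if os.path.basename(p) in SUSPICIOUS_FILES)


def find_suspicious_files(node_modules_dir):
    """Walk an installed node_modules tree and report bw1.js occurrences."""
    paths = [os.path.join(d, f) for d, _, fs in os.walk(node_modules_dir) for f in fs]
    return filter_suspicious(paths)


# Constructed sample lockfile (v3): a direct install of the CLI at a different
# (constructed) version, the affected version pulled in transitively by another
# package, and an unrelated dependency.
SAMPLE_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/left-pad": {"version": "1.3.0"},
        "node_modules/@bitwarden/cli": {"version": "2026.3.0"},
        "node_modules/some-tool/node_modules/@bitwarden/cli": {"version": "2026.4.0"},
    },
})
```

Run `find_affected_in_lockfile` over each project's package-lock.json and `find_suspicious_files("node_modules")` on CI runners and developer machines that may have installed the CLI during the window above.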


Article by CyberSIXT
