www.securityweek.com 4/24/2026, 8:09:31 AM · via preferred

Bitwarden CLI NPM package breached, stealing user credentials

Primary Source checkmarx.com

SecurityWeek reports that the Bitwarden CLI NPM package was compromised in a supply chain attack, with version 2026.4.0 containing a malicious loader that fetched a JavaScript payload to steal credentials and secrets from victim machines. The article notes that the incident appears to be linked to a wider Checkmarx supply chain campaign, which Checkmarx confirmed on April 22 and which involved several artefacts and a pattern of credential harvesting.

Bitwarden itself confirmed the supply chain hack, stating there was no evidence that end user vault data or production systems were compromised. According to JFrog, the malware exfiltrated data via HTTPS and, if that path failed, switched to GitHub paths. Its three collectors targeted secrets across Azure, AWS, GitHub, GCP and NPM, as well as SSH material and other files.

The piece links the Bitwarden payload to the Shai-Hulud worm, with references to Shai-Hulud’s prior spread across npm packages, and notes that the TeamPCP group claimed the Checkmarx attack, though it remains unclear whether the two campaigns are tightly connected. The article also highlights Bitwarden’s popularity, noting the platform has over 250,000 monthly downloads.


Article by CyberSIXT
