SlowMist CISO: Bitwarden CLI Hit by Supply Chain Attack; Malicious Package Circulated Briefly for ~1.5 Hours

SlowMist CISO 23pds (@im23pds) disclosed that the Bitwarden CLI version 2026.4.0 was subjected to a Checkmarx supply-chain attack between 17:57 and 19:30 ET on April 22. During this window, attackers abused a GitHub Action within Bitwarden’s CI/CD pipeline to briefly distribute a malicious package via npm. The official statement confirmed that Vault data was not compromised and production systems remained unaffected; only users who installed this specific version via npm during the aforementioned time window were impacted. Affected users are advised to immediately uninstall version 2026.4.0, clear their npm cache, rotate sensitive credentials—including API tokens and SSH keys—investigate anomalous activity in GitHub and CI environments, and upgrade to the patched version 2026.4.1.