The Bitwarden security team identified and contained a malicious package that was briefly distributed through the npm delivery path for @bitwarden/cli@2026.4.0 between 5:57 PM and 7:30 PM (ET) on April 22, 2026, in connection with a broader Checkmarx supply chain incident. Was I affected? If you use the Bitwarden command line interface and deploy using NPM, and downloaded the CLI between 5:57p ET and 7:30p ET on April 22, 2026, you may be affected. See remediation steps below. If you do not u...
The write up is disingenuous, or confusing at best. It highight early on “no evidence that end user vault data was accessed or at risk”.
Then further down recommends to “Rotate any secrets that may have been exposed…” and “Review GitHub activity, CI workflows, and related credentials for unauthorized access or changes”.
How could they even find evidence of end user data and vault being accessed? The CLI compromises affects end user systems, which they have no visibility into.
The worst is saying there’s no evidence of risk, while making recommendations based on the assumption all data and secrets on affected systems may be compromised. That’s a good assumption because there’s definitely a risk.
It’s because the malicious package is not targeting but warden creds. Here is a write up of what it does. https://research.jfrog.com/post/bitwarden-cli-hijack/#infection-vector-assessment
Operationally, the infection flow is simple: