Bitwarden CLI npm Package Briefly Compromised in Supply Chain Attack

Bitwarden recently disclosed that a malicious package was briefly distributed via the npm delivery path for @bitwarden/cli@2026.4.0. This incident, which Cyber News - Erez Dasa highlighted, occurred between 5:57 PM and 7:30 PM ET on April 22, 2026, and is linked to a broader Checkmarx supply chain event. The compromise was limited to the npm distribution mechanism for the CLI, not the core Bitwarden CLI codebase or vault data integrity.

Bitwarden’s investigation found no evidence that end-user vault data was accessed or put at risk, nor were production systems or data compromised. The issue was detected quickly, leading to the immediate revocation of compromised access, deprecation of the malicious npm release, and initiation of remediation steps. Users who did not download the package from npm during that specific window were unaffected. Bitwarden has since reviewed its internal environments and release paths, confirming no other products or systems were impacted.

This incident underscores the persistent threat of supply chain attacks targeting package managers like npm. While Bitwarden’s response was swift and seemingly effective in containing the damage, it’s a stark reminder that even well-secured vendors can fall victim to upstream compromises. Defenders need to recognize that their attack surface extends far beyond their own code, reaching deep into third-party dependencies and build pipelines.