Bitwarden CLI malicious npm package exposed, encrypted wallets face risk of theft

Misty’s Chief Information Security Officer 23pds forwards a Bitwarden security team warning. The Bitwarden CLI version 2026.4.0 that had been distributing malicious packages via npm within a 1.5-hour window from 5:57 to 7:30 p.m. Eastern Time on April 22 has been withdrawn. Bitwarden has officially confirmed that the password vault data and production systems were not affected.

Attack Details: Targeted Theft via bw1.js Malicious Payload

The malicious payload runs silently during npm package installation and collects the following types of data:

· GitHub and npm tokens

· SSH keys

· Environment variables

· Shell history

· Cloud credentials

· Encrypted wallet files (including MetaMask, Phantom, and Solana wallets)

The stolen data is exfiltrated to attacker-controlled domains and submitted to GitHub repositories via a persistence mechanism. Many cryptocurrency teams use the Bitwarden CLI in CI/CD automation workflows for key injection and deployment. Any workflow that ran an infiltrated version could leak high-value wallet private keys and exchange API credentials.

Emergency Response Steps for Affected Users

Only users who installed the 2026.4.0 version via npm within the April 22, 5:57 to 7:30 p.m. Eastern Time window need to take the following actions: immediately uninstall the 2026.4.0 version; clear the npm cache; rotate all sensitive credentials such as API tokens and SSH keys; check for abnormal activity in GitHub and CI/CD workflows; upgrade to the fixed 2026.4.1 version (or downgrade to 2026.3.0, or download the officially signed binary from the Bitwarden official website).

Attack Background: npm Trusted Publish Mechanism First Exploited

Security researcher Adnan Khan points out that this attack is a known first case of the npm trusted publish mechanism being used to compromise software packages. This attack is related to TeamPCP’s supply-chain attack activities. Since March 2026, TeamPCP has launched similar attacks against security tools Trivy, the code security platform Checkmarx, and the AI tool LiteLLM, aiming to embed developer tools within CI/CD build processes.

Frequently Asked Questions

How can I check whether I installed the affected 2026.4.0 version?

Run npm list -g @bitwarden/cli to see the installed version. If it shows 2026.4.0 and the installation time falls between 5:57 and 7:30 p.m. Eastern Time on April 22, you need to take immediate action. Even if you’re unsure of the installation time, it’s recommended to proactively rotate all related credentials.

Was Bitwarden vault data leaked?

No. Bitwarden has officially confirmed that user password vault data and production systems were not compromised. This attack only affected the CLI build process. The attack targets developer credentials and encrypted wallet files, not the Bitwarden platform’s user password database.

What is the broader context of TeamPCP supply-chain attack activities?

Since March 2026, TeamPCP has launched a series of supply-chain attacks targeting developer tools. Affected targets include Trivy, Checkmarx, and LiteLLM. The attack on the Bitwarden CLI is part of the same series of activities, aiming to steal high-value credentials in automated pipelines by embedding developer tools within CI/CD build processes.