
Bitwarden CLI was compromised as part of an ongoing Checkmarx-related supply chain attack
Bitwarden's command-line interface (CLI) npm package was recently compromised through a Checkmarx-linked supply chain attack. Security researchers at Socket found that version 2026.4.0 of the npm package @bitwarden/cli included malicious code in the file bw1.js, distributed as part of the otherwise legitimate package. The intrusion exploited a compromised GitHub Action in Bitwarden's continuous integration and deployment pipeline, paralleling the techniques used against other repositories affected in the same campaign.
Following the discovery, Bitwarden's security team swiftly identified and contained the malicious package, revoked the compromised access, and deprecated the affected release on npm. Investigations so far have found no evidence that user vault contents, production data, or production systems were accessed or put at risk. Only the npm package for the CLI tool was impacted; the Chrome extension, MCP server, and other official Bitwarden distributions remain unaffected.
It's recommended that users review their CI logs and rotate any secrets that may have been exposed through the compromised workflow. Users who did not download or update the npm package during the compromised window are not affected. After a comprehensive review of internal environments and related systems, no additional affected products or environments have been identified by the Bitwarden security team.
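One practical way to check whether a project pulled in the compromised release named above is to inspect its npm lockfile. The following is an added example (not code from Bitwarden or Socket) that flags the affected @bitwarden/cli version in either lockfile layout; the two sample lockfiles are constructed for illustration.

```javascript
// Added example: scan a parsed package-lock.json for the @bitwarden/cli
// release the advisory identifies as compromised (2026.4.0).
const AFFECTED_PACKAGE = "@bitwarden/cli";
const AFFECTED_VERSION = "2026.4.0";

// Collect every install path/version pair for the package. lockfileVersion 2/3
// use a flat "packages" map keyed by install path; lockfileVersion 1 uses a
// nested "dependencies" tree, so both shapes are handled.
function findInstalledVersions(lock) {
  const found = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path.endsWith(`node_modules/${AFFECTED_PACKAGE}`)) {
        found.push({ path, version: meta.version });
      }
    }
    return found;
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === AFFECTED_PACKAGE) found.push({ path, version: meta.version });
      walk(meta.dependencies, `${path}/`); // recurse into nested installs
    }
  };
  walk(lock.dependencies, "");
  return found;
}

// True when any copy of the package, at any nesting depth, is the bad release.
function isAffected(lock) {
  return findInstalledVersions(lock).some((e) => e.version === AFFECTED_VERSION);
}

// Constructed sample lockfiles (not real project data); the 2026.3.0 version in
// the second sample is a placeholder standing in for an unaffected release.
const V3_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "ci-tools" },
  "node_modules/@bitwarden/cli": { version: "2026.4.0" } } };
const V1_LOCK = { lockfileVersion: 1, dependencies: {
  "some-wrapper": { version: "1.0.0", dependencies: {
    "@bitwarden/cli": { version: "2026.3.0" } } } } };

console.log(isAffected(V3_LOCK), isAffected(V1_LOCK)); // true false
```

For a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `isAffected`; a positive hit means the CI logs and any secrets reachable from that environment should be reviewed and rotated as described above.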
