JustAppSec

Malicious Bitwarden CLI npm release steals cloud and GitHub secrets

Published 24 Apr 2026 - Source: SecurityWeek

TL;DR - @bitwarden/cli@2026.4.0 modified its execution path to run an attacker-controlled loader that downloaded Bun, then executed a JavaScript payload harvesting AWS, Azure, GCP, GitHub, and npm credentials, SSH keys, shell history, and AI tooling config. The payload then weaponised stolen GitHub tokens to create repos, branches, and workflow files via Actions - using your own CI infrastructure to extract further secrets.

What happened

@bitwarden/cli is Bitwarden's command-line client, widely used by developers and in CI pipelines for programmatic vault access. Version 2026.4.0 on npm was compromised: its execution path was modified to run a malicious loader, which downloaded a Bun archive from GitHub, extracted it, and ran a JavaScript payload.

JFrog's analysis (referenced by SecurityWeek) details what the payload collected: secrets and tokens from AWS, Azure, GCP, GitHub, and npm, plus SSH material, shell history, and configuration files for AI tooling and MCP-related integrations. From there, the payload used any harvested GitHub tokens to create repositories, branches, commits, and workflow files - abusing GitHub Actions to exfiltrate further secrets through build artefacts.

Bitwarden confirmed it found no evidence that end-user vault data was accessed or that production systems were compromised.

This is the supply-chain failure mode that keeps repeating: a short-lived malicious release turns a routine npm install in CI into broad credential theft, then uses the developer platforms you depend on for builds and releases to propagate further.

Who is impacted

  • Any developer or team that installed @bitwarden/cli@2026.4.0 from npm.
  • Highest-risk environments are CI runners and build hosts where the package ran with access to GITHUB_TOKEN, PATs, cloud credentials, SSH keys, or other deployment secrets.

Item                               Detail
Affected artifact                  @bitwarden/cli (npm)
Malicious version                  2026.4.0
Payload behaviour                  Loader downloads Bun, executes credential-stealing JavaScript, pivots via GitHub tokens and Actions
Confirmed vault/production impact  None per Bitwarden

What to do now

  • Uninstall the malicious version immediately per Bitwarden's incident statement:

    "Immediately uninstall Bitwarden CLI 2026.4.0 via npm"

  • If you may have been affected, treat this as a confirmed secrets-exposure event:
    • Uninstall the CLI: npm uninstall -g @bitwarden/cli
    • Clear the npm cache: npm cache clean --force
    • Disable install scripts temporarily during cleanup: npm config set ignore-scripts true
    • Rotate every secret that was present on the affected system or stored in environment variables - API tokens and SSH keys were explicitly targeted
    • Review GitHub Activity, CI workflow runs, and any associated credentials for unauthorised changes or unexpected repository/branch creation
  • Review JFrog's indicators and cleanup steps, which SecurityWeek identifies as the primary technical breakdown.
  • Reinstall from a known-good release. Bitwarden directs affected users to @bitwarden/[email protected].
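Before running the cleanup steps above it helps to know where the bad release actually landed. The script below is an added example, not from the article, Bitwarden or JFrog: it scans a directory tree (a repo checkout, a CI workspace, or "$(npm root -g)") for installed copies and lockfile pins of the malicious version, assuming only the package name and version given in the table.

```shell
#!/bin/sh
# Added example (not from the article, Bitwarden or JFrog): locate the compromised
# @bitwarden/cli release in checkouts and npm install roots before cleanup.
set -eu

BAD_PKG="@bitwarden/cli"
BAD_VER="2026.4.0"

# True if an installed copy (node_modules/@bitwarden/cli/package.json) is the bad release.
installed_is_bad() {
  grep -q "\"name\": *\"$BAD_PKG\"" "$1" && grep -q "\"version\": *\"$BAD_VER\"" "$1"
}

# True if an npm lockfile pins the bad release. Covers lockfile v1 ("@bitwarden/cli": {)
# and v2/v3 ("node_modules/@bitwarden/cli": {); "version" follows the key within 2 lines.
lockfile_is_bad() {
  awk -v pkg="$BAD_PKG" -v ver="$BAD_VER" '
    index($0, "\"" pkg "\":") || index($0, "\"node_modules/" pkg "\":") { start = NR }
    start && NR - start <= 2 && index($0, "\"version\":") {
      if (index($0, "\"" ver "\"")) found = 1
      start = 0
    }
    END { exit found ? 0 : 1 }' "$1"
}

# Scan one directory tree. Prints one line per hit.
# Exit status 0 = clean, 1 = malicious version found (so it can fail a CI job).
scan_for_bad_bw_cli() {
  hits=$(
    find "$1" -path "*/node_modules/$BAD_PKG/package.json" 2>/dev/null |
      while IFS= read -r f; do
        if installed_is_bad "$f"; then echo "INSTALLED  $f"; fi
      done
    find "$1" \( -name package-lock.json -o -name npm-shrinkwrap.json \) 2>/dev/null |
      while IFS= read -r f; do
        if lockfile_is_bad "$f"; then echo "LOCKFILE   $f"; fi
      done
  )
  if [ -n "$hits" ]; then echo "$hits"; return 1; fi
  return 0
}

# Usage: sh bw-cli-check.sh <dir>...   e.g. sh bw-cli-check.sh . "$(npm root -g)"
if [ "$#" -gt 0 ]; then
  status=0
  for dir in "$@"; do scan_for_bad_bw_cli "$dir" || status=1; done
  exit "$status"
fi
```

A hit in a lockfile means the version is pinned for future installs, so the lockfile needs regenerating after reinstalling from a known-good release, not just the node_modules copy removed.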
