Bitwarden NPM Package Hit in Supply Chain Attack
Briefly

"The most notable aspect of this package is that it combines a supply chain compromise of a legitimate CLI identity with a broad post-install secret theft framework. Instead of stopping at .npmrc or a single PAT, the malware systematically pivots across local credentials, CI secrets, GitHub repositories, and multiple cloud secret stores."
"The malicious package contained an altered execution path to run a malicious loader, download a Bun archive from GitHub, extract it, and execute the JavaScript payload."
The Bitwarden CLI NPM package was compromised in a supply chain attack, leading to the inclusion of malicious code in version 2026.4.0. This code fetches a JavaScript payload designed to steal credentials and secrets from victim machines. The malware targets secrets across multiple platforms, including Azure, AWS, and GitHub, and can create repositories in victims' accounts. Bitwarden confirmed the hack but stated that there was no evidence of end user vault data being accessed or at risk.
Read at SecurityWeek