
Why some security fixes never reach your vulnerability dashboard
On April 22, for roughly 90 minutes, a malicious version of Bitwarden CLI appeared on npm. Version 2026.4.0 contained a credential-stealing payload that executed an obfuscated loader and harvested AWS, Azure, GCP, GitHub, and npm tokens from any developer machine that ran npm install. The attackers reached Bitwarden’s npm publishing path through a compromised GitHub Action related to the Checkmarx supply chain incident that affected several other downstream consumers that week.
About nine days later, Bitwarden issued CVE-2026-42994 for the trojanized version. Only then did defenders running a software composition analysis (SCA) tool begin seeing it on their dashboards. Detection engineers started writing ...
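The nine-day gap between the malicious publish and the CVE is exactly the window an SCA dashboard cannot see, because it keys off advisory feeds. A defender who hears about the incident on the day can still check their own lockfiles directly. The following is an added example, not code from the article or from Bitwarden: it scans an npm package-lock.json for a locally maintained deny-list of package/version pairs and separately flags every dependency that declares an install script, since that is the hook a trojanized package uses to run during npm install. The version number 2026.4.0 comes from the article; the npm package name "@bitwarden/cli" is an assumption about how Bitwarden CLI is published, and the lockfile contents are constructed.

```python
"""Scan an npm package-lock.json for deny-listed versions and install scripts.

Added example (not from the article). Works offline on a parsed lockfile so it
can run in CI the moment an incident is announced, before any CVE exists.
"""
import json
from typing import Dict, List, Set, Tuple

# Constructed deny-list. The version is from the article; the package name
# "@bitwarden/cli" is an ASSUMPTION about the npm name of Bitwarden CLI.
DENY_LIST: Dict[str, Set[str]] = {
    "@bitwarden/cli": {"2026.4.0"},
}

# Constructed sample lockfile (lockfileVersion 3 layout). The hasInstallScript
# flag on the denied entry is part of the constructed sample, not a claim
# about the real package's metadata.
SAMPLE_LOCK = {
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/@bitwarden/cli": {"version": "2026.4.0", "hasInstallScript": True},
        "node_modules/left-pad": {"version": "1.3.0"},
    },
}


def _name_from_path(path: str) -> str:
    """'node_modules/a/node_modules/@scope/b' -> '@scope/b'."""
    return path.split("node_modules/")[-1]


def scan_lockfile(lock: dict, deny: Dict[str, Set[str]] = DENY_LIST) -> List[Tuple[str, str, str]]:
    """Return (lockfile path, package name, version) for every deny-listed entry.

    lockfileVersion 2/3 keep a flat "packages" map keyed by node_modules path;
    lockfileVersion 1 keeps a nested "dependencies" tree. v2 files carry both,
    so the tree is only walked when the flat map is absent to avoid duplicates.
    """
    hits: List[Tuple[str, str, str]] = []

    packages = lock.get("packages")
    if packages:
        for path, meta in packages.items():
            if not path:  # "" is the root project itself
                continue
            name = meta.get("name") or _name_from_path(path)
            version = meta.get("version", "")
            if version in deny.get(name, set()):
                hits.append((path, name, version))
        return hits

    def walk(deps: dict, prefix: str) -> None:
        for name, meta in deps.items():
            version = meta.get("version", "")
            if version in deny.get(name, set()):
                hits.append((prefix + name, name, version))
            walk(meta.get("dependencies", {}), prefix + name + "/node_modules/")

    walk(lock.get("dependencies", {}), "node_modules/")
    return hits


def packages_with_install_scripts(lock: dict) -> List[str]:
    """List lockfile paths (v2/v3) whose package declares a lifecycle install script.

    npm records this as "hasInstallScript": true. Reviewing this list (or
    installing with --ignore-scripts) is the control that would have stopped
    a postinstall loader from running at all.
    """
    return sorted(
        path
        for path, meta in lock.get("packages", {}).items()
        if path and meta.get("hasInstallScript")
    )


def scan_file(path: str) -> Tuple[List[Tuple[str, str, str]], List[str]]:
    """Convenience wrapper for a real package-lock.json on disk."""
    with open(path, encoding="utf-8") as fh:
        lock = json.load(fh)
    return scan_lockfile(lock), packages_with_install_scripts(lock)


if __name__ == "__main__":
    for path, name, version in scan_lockfile(SAMPLE_LOCK):
        print(f"DENY-LISTED: {name}@{version} at {path}")
    for path in packages_with_install_scripts(SAMPLE_LOCK):
        print(f"INSTALL SCRIPT: {path}")
```

Run it against a checked-in lockfile with scan_file("package-lock.json") as a CI gate; a non-empty first list should fail the build, and the second list is worth diffing on every dependency update because a package that newly gains an install script is a change worth a human look.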