Summary
A hijacked version of the @bitwarden/cli npm package (v2026.4.0) was used in a supply chain attack to steal developer credentials, cloud secrets, and AI configuration files. The malware employs multiple data exfiltration techniques, including the abuse of GitHub commits and repositories for data transport and fallback routing.
Take Action:
If you use @bitwarden/cli, this is urgent. Check your installed version; if it is 2026.4.0, assume every credential on that machine (GitHub tokens, npm tokens, AWS/GCP/Azure keys, SSH keys, .env files) has been stolen and rotate them immediately.
Uninstall the package, clean the npm cache, downgrade to 2026.3.0 (or switch to Bitwarden's official signed binaries), block the domain audit.checkmarx.cx at your network egress, and audit your GitHub account for any unauthorized repositories or workflow changes.
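The check-and-remediate steps above as one script. This is an added example, not code from BeyondMachines or from Bitwarden: only the package name, the compromised and safe version numbers and the egress domain come from the advisory. The credential file locations it lists for rotation, and the constructed `npm ls` sample used for the offline self-check, are assumptions.

```shell
#!/bin/sh
# Added example (not from the BeyondMachines article): detect and remediate the
# hijacked @bitwarden/cli 2026.4.0 on a developer machine. Only the package name,
# the bad/safe versions and the IOC domain come from the advisory; the list of
# credential files below is an assumption about where such secrets usually live.
set -u

BAD_PKG="@bitwarden/cli"
BAD_VERSION="2026.4.0"
SAFE_VERSION="2026.3.0"
IOC_DOMAIN="audit.checkmarx.cx"

# Constructed sample of `npm ls -g --depth=0 --json` output from a machine that
# has the compromised release installed (used only for the offline self-check).
SAMPLE_NPM_LS='{
  "version": "1.0.0",
  "name": "lib",
  "dependencies": {
    "@bitwarden/cli": {
      "version": "2026.4.0",
      "overridden": false
    },
    "typescript": { "version": "5.4.5" }
  }
}'

# Exit 0 if the version string is the compromised release.
is_compromised_version() {
  [ "$1" = "$BAD_VERSION" ]
}

# Read `npm ls --json` output on stdin and print the installed version of
# @bitwarden/cli (prints nothing if the package is not installed).
installed_version_from_npm_ls() {
  tr -d '\n' | sed -n 's/.*"@bitwarden\/cli":[[:space:]]*{[^}]*"version":[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Same extraction against a package-lock.json / npm-shrinkwrap.json on disk,
# where the package is keyed as "node_modules/@bitwarden/cli".
lockfile_version() {
  tr -d '\n' < "$1" | sed -n 's/.*"node_modules\/@bitwarden\/cli":[[:space:]]*{[^}]*"version":[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Scan the global install and the current project's lockfile; exit 0 on a hit.
scan() {
  hit=1
  v=$(npm ls -g --depth=0 --json 2>/dev/null | installed_version_from_npm_ls)
  if [ -n "$v" ] && is_compromised_version "$v"; then
    echo "COMPROMISED: global $BAD_PKG@$v"; hit=0
  fi
  for lf in package-lock.json npm-shrinkwrap.json; do
    [ -f "$lf" ] || continue
    v=$(lockfile_version "$lf")
    if [ -n "$v" ] && is_compromised_version "$v"; then
      echo "COMPROMISED: $lf pins $BAD_PKG@$v"; hit=0
    fi
  done
  return $hit
}

# Remediation steps from the advisory: remove the package, purge the npm cache,
# install the last clean release, then enumerate credential material to rotate.
remediate() {
  npm uninstall -g "$BAD_PKG"
  npm cache clean --force
  npm install -g "$BAD_PKG@$SAFE_VERSION"
  echo "Rotate every credential this machine could read. Common locations (assumed):"
  for f in "$HOME/.npmrc" "$HOME/.config/gh/hosts.yml" "$HOME/.aws/credentials" \
           "$HOME/.config/gcloud/application_default_credentials.json" \
           "$HOME/.azure" "$HOME/.ssh"; do
    [ -e "$f" ] && echo "  $f"
  done
  # .env files anywhere under the home directory (shallow search, assumed depth)
  find "$HOME" -maxdepth 4 -name '.env*' -print 2>/dev/null
  echo "Block $IOC_DOMAIN at network egress, then review GitHub repositories and"
  echo "workflow files for commits or repos you did not create."
}

# Usage: ./bw_cli_check.sh scan   |   ./bw_cli_check.sh remediate
case "${1:-}" in
  scan) scan ;;
  remediate) remediate ;;
esac
```

`scan` exits 0 only when the compromised version is found, so it can gate a CI job or a fleet-wide SSH loop; `remediate` is deliberately not run automatically because the rotation list is only a prompt, and the actual rotation has to happen in each provider's console.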
This article was originally published on BeyondMachines