Bitwarden CLI Hijacked in Supply Chain Attack — Crypto Wallets and Developer Credentials at Risk

tradelikepro

Attackers have compromised Bitwarden's CLI version 2026.4.0 through a hijacked GitHub Action, injecting a malicious npm package designed to steal sensitive data during installation. Security firm Socket discovered the breach on April 23, linking it to the ongoing TeamPCP supply chain campaign. The rogue package has since been pulled, but any developer or team that installed the compromised version during that window may already be affected.

The malicious payload, embedded in a file called bw1.js, targeted a wide range of high-value credentials including GitHub and npm tokens, SSH keys, environment variables, shell history, and cloud credentials. TeamPCP's broader campaign is separately confirmed to go after crypto wallet data, including files associated with MetaMask, Phantom, and Solana wallets. Stolen data was exfiltrated to attacker-controlled domains and committed back to GitHub repositories as a persistence mechanism.

The breach is particularly serious for crypto teams, as many use the Bitwarden CLI in automated CI/CD pipelines for secrets injection and deployments. Any workflows that ran version 2026.4.0 may have exposed wallet keys and exchange API credentials. Security researcher Adnan Khan noted this is the first known compromise of a package using npm's trusted publishing mechanism — a system specifically designed to eliminate long-lived tokens.

madtrader

"rotate every exposed secret without delay" printed this out and taped it above my monitor. it has been there since the last supply chain incident. it will stay there.