Bitwarden CLI Attack: What You Need to Do Right Now

If your team uses Bitwarden's CLI for secrets management in automated pipelines, immediate action is required. Socket recommends that anyone who installed @bitwarden/cli version 2026.4.0 rotate every exposed secret without delay. Users should downgrade to version 2026.3.0 or switch to the official signed binaries available directly from Bitwarden's website. It is worth emphasizing that Bitwarden's core vault remains unaffected — only the CLI build process was compromised.

This attack is part of a broader, ongoing campaign by the threat actor known as TeamPCP, which has chained similar supply chain attacks against developer tools including Trivy, Checkmarx, and LiteLLM since March 2026. The group specifically targets tools that sit deep in build pipelines, so the potential blast radius of each compromise is significant. The fact that this is the first known attack to abuse npm's trusted publishing mechanism raises the stakes further, because it undermines a security layer many teams rely on.
For crypto teams in particular, the risk is acute. Wallet files, exchange API keys, and deployment secrets are all within scope of what this malware was built to steal. Audit your CI/CD pipeline logs, check which version of the Bitwarden CLI was used in recent runs, and treat any exposed credentials as fully compromised until rotated.
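To make the audit step concrete, here is an added example script (not from Socket, Bitwarden, or the article) that flags the compromised release in two places a pipeline leaves traces: an npm lockfile and CI job log lines. The lockfile layout follows npm's lockfileVersion 1/2/3 formats; the embedded lockfile and log lines are constructed sample data, and the log format (timestamp prefix, echoed `+` commands) is an assumption about how a typical CI runner prints its steps.

```python
"""Locate uses of the compromised @bitwarden/cli release in lockfiles and CI logs.

Added example, not part of the original article. Sample inputs below are constructed.
"""
import json
import re

PACKAGE = "@bitwarden/cli"
AFFECTED_VERSIONS = {"2026.4.0"}   # compromised release named in the advisory
SAFE_VERSION = "2026.3.0"          # downgrade target named in the advisory

# Constructed package-lock.json in npm's lockfileVersion 3 layout (illustration only).
SAMPLE_LOCKFILE = json.dumps({
    "name": "release-pipeline",
    "lockfileVersion": 3,
    "packages": {
        "": {"devDependencies": {PACKAGE: "^2026.3.0"}},
        "node_modules/" + PACKAGE: {
            "version": "2026.4.0",
            "resolved": "https://registry.npmjs.org/@bitwarden/cli/-/cli-2026.4.0.tgz",
        },
        "node_modules/left-pad": {"version": "1.3.0"},
    },
})

# Constructed CI log excerpt; the timestamp/"+ command" shape is an assumed runner format.
SAMPLE_CI_LOG = [
    "2026-04-02T10:15:03Z npm WARN deprecated some-pkg@1.0.0",
    "2026-04-02T10:15:07Z + npm install -g @bitwarden/cli@2026.4.0",
    "2026-04-02T10:15:40Z added 1 package in 33s",
    "2026-04-02T10:15:41Z + bw --version",
    "2026-04-02T10:15:42Z 2026.4.0",
    "2026-04-01T09:00:00Z + npm install -g @bitwarden/cli@2026.3.0",
]

INSTALL_RE = re.compile(r"@bitwarden/cli@(\d+\.\d+\.\d+)")
TARBALL_RE = re.compile(r"@bitwarden/cli/-/cli-(\d+\.\d+\.\d+)\.tgz")
VERSION_RE = re.compile(r"\b(\d{4}\.\d+\.\d+)\b")   # bw prints a bare CalVer string


def lockfile_findings(lockfile_text):
    """Return (install path, version) pairs for affected @bitwarden/cli entries."""
    data = json.loads(lockfile_text)
    findings = []
    if "packages" in data:  # lockfileVersion 2/3: flat map keyed by node_modules path
        for path, meta in data["packages"].items():
            if path.endswith("node_modules/" + PACKAGE) and meta.get("version") in AFFECTED_VERSIONS:
                findings.append((path, meta["version"]))
    else:  # lockfileVersion 1: nested "dependencies" tree
        def walk(deps, prefix):
            for name, meta in deps.items():
                path = prefix + "node_modules/" + name
                if name == PACKAGE and meta.get("version") in AFFECTED_VERSIONS:
                    findings.append((path, meta["version"]))
                walk(meta.get("dependencies", {}), path + "/")
        walk(data.get("dependencies", {}), "")
    return findings


def ci_log_findings(lines):
    """Return (line number, version) pairs where an affected release was installed or run."""
    findings = []
    expect_version_output = False
    for lineno, line in enumerate(lines, 1):
        versions = INSTALL_RE.findall(line) + TARBALL_RE.findall(line)
        if expect_version_output:        # line after "bw --version" is the version itself
            versions += VERSION_RE.findall(line)
        expect_version_output = "bw --version" in line
        for version in versions:
            if version in AFFECTED_VERSIONS:
                findings.append((lineno, version))
    return findings


def secrets_need_rotation(lockfile_text, log_lines):
    """True if either artifact shows the compromised release was present in the pipeline."""
    return bool(lockfile_findings(lockfile_text) or ci_log_findings(log_lines))


if __name__ == "__main__":
    for path, version in lockfile_findings(SAMPLE_LOCKFILE):
        print(f"lockfile: {path} pins {PACKAGE} {version} (downgrade to {SAFE_VERSION})")
    for lineno, version in ci_log_findings(SAMPLE_CI_LOG):
        print(f"ci log line {lineno}: {PACKAGE} {version} was used in this run")
    if secrets_need_rotation(SAMPLE_LOCKFILE, SAMPLE_CI_LOG):
        print("rotate every secret this pipeline could read")
```

Run it against your real `package-lock.json` and exported job logs instead of the embedded samples; a hit from either source means the run had the compromised CLI on the box, and every secret that job could read should be treated as exposed.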
Abusing npm's trusted publishing mechanism is the most alarming technical detail here — that system was specifically architected to remove long-lived tokens as an attack surface. If TeamPCP found a way around it, every package using that mechanism needs a trust model review right now.