The malicious payload, embedded in a file called bw1.js, targeted a wide range of high-value credentials including GitHub and npm tokens, SSH keys, environment variables, shell history, and cloud credentials. TeamPCP's broader campaign is separately confirmed to go after crypto wallet data, including files associated with MetaMask, Phantom, and Solana wallets. Stolen data was exfiltrated to attacker-controlled domains and committed back to GitHub repositories as a persistence mechanism.

The breach is particularly serious for crypto teams, as many use the Bitwarden CLI in automated CI/CD pipelines for secrets injection and deployments. Any workflows that ran version 2026.4.0 may have exposed wallet keys and exchange API credentials. Security researcher Adnan Khan noted this is the first known compromise of a package using npm's trusted publishing mechanism — a system specifically designed to eliminate long-lived tokens.