Bitwarden CLI Hacked: What the Supply Chain Attack Means for You
Tool & Practice Writer
Bitwarden's CLI tool was compromised in an ongoing supply chain attack targeting Checkmarx. The attackers injected malicious code into the npm package, which was then distributed to developers who installed or updated the CLI tool.
What happened:
The Checkmarx supply chain campaign — which has been active since late 2025 — managed to compromise Bitwarden's build pipeline. The malicious code exfiltrated environment variables and secrets from infected machines. It did not take your vault passwords (those are encrypted locally), but it did take your API keys, tokens, and anything else stored in environment variables.
Who's affected:
Anyone who installed or updated Bitwarden CLI via npm between April 15 and April 22, 2026. The desktop apps and browser extensions were NOT affected — this was CLI-only.
What to do:
- Check your install source: run npm list -g @bitwarden/cli and, if the version matches the compromised range, rotate ALL secrets
- Audit your environment variables for anything sensitive
- Update to the patched version (v2026.4.2 or later)
- Enable npm package integrity verification
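The first two steps of that list as a bash script, added here as an example (it is not Bitwarden's own tooling). It assumes that anything older than the patched release v2026.4.2 named above should be treated as needing review, since the post does not list the exact compromised versions, and the secret-name pattern is a starting point to extend.

```shell
#!/usr/bin/env bash
# Added example, not Bitwarden's own tooling. Checks the globally installed
# @bitwarden/cli against the patched release the post names (v2026.4.2) and
# lists environment variable NAMES that look like secrets (values are never printed).
PATCHED_VERSION="2026.4.2"   # from the post; the exact compromised range is not given,
                             # so anything older is treated as needing review (assumption)

# Return 0 if dotted numeric version $1 is strictly older than $2 (a leading "v" is ignored).
version_older_than() {
  local -a a b
  IFS=. read -r -a a <<< "${1#v}"
  IFS=. read -r -a b <<< "${2#v}"
  local i
  for i in 0 1 2; do
    local x="${a[$i]:-0}" y="${b[$i]:-0}"
    (( 10#$x < 10#$y )) && return 0
    (( 10#$x > 10#$y )) && return 1
  done
  return 1   # equal versions are not "older"
}

# Read NAME=value lines on stdin (e.g. from `env`) and print only the names that
# match a secret-like pattern. The pattern is an assumption; extend it for your shop.
audit_env_names() {
  cut -d= -f1 | grep -iE 'secret|token|key|passw|credential|api' || true
}

# Extract the installed version from `npm list -g` output ("└── @bitwarden/cli@X.Y.Z").
parse_npm_list() {
  grep -o '@bitwarden/cli@[0-9.]*' | cut -d@ -f3
}

main() {
  if ! command -v npm >/dev/null 2>&1; then
    echo "npm not found; nothing to check"; return 0
  fi
  local installed
  installed="$(npm list -g @bitwarden/cli --depth=0 2>/dev/null | parse_npm_list)"
  if [ -z "$installed" ]; then
    echo "@bitwarden/cli is not installed globally via npm"
  elif version_older_than "$installed" "$PATCHED_VERSION"; then
    echo "@bitwarden/cli $installed predates $PATCHED_VERSION: rotate secrets, then update"
    echo "Secret-like environment variables to review (names only):"
    env | audit_env_names
  else
    echo "@bitwarden/cli $installed is at or above the patched release"
  fi
}
main
```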
The bigger picture:
This isn't a Bitwarden-specific failure. It's a supply chain problem. The most secure password manager in the world is useless if the tool you use to access it is compromised before it even reaches you.
So What?
Bitwarden handled this well — disclosure within 48 hours, clear communication, patched quickly. But the lesson is bigger: trust no install. Verify package hashes, use lockfiles, and never assume that because something comes from an 'official' source, it's clean.
Team Reactions · 3 comments
This is why I self-host everything. If you don't control the build pipeline, you don't control the code.
Bitwarden's response was textbook — 48h disclosure, clear remediation steps. This is how you handle a breach.
npm supply chain attacks are becoming the new normal. Package integrity verification should be mandatory, not optional.