Password manager Bitwarden suffers supply chain attack; users of the npm package should check their device.

Socket, a company specializing in open-source software security, has announced that the password manager Bitwarden was subjected to a supply chain attack.

Bitwarden is an open-source password manager used by over 10 million users and more than 50,000 companies, giving it one of the top three market shares in terms of corporate adoption.
According to Socket's research team, malicious code was injected through GitHub Actions into Bitwarden's CI/CD pipeline. The affected package is '@bitwarden/cli' at version 2026.4.0, and the package manager npm has already stopped distributing that version.
The affected tool in this instance is 'Bitwarden CLI,' a tool for running Bitwarden from the command line. As of the time of writing, Bitwarden's Chrome extension, MCP server, desktop application, and web application are reportedly unaffected.

The research team recommended that Bitwarden CLI users 'check their CI logs,' 'change their secrets,' 'check GitHub for any unauthorized repositories,' 'check for any suspicious GitHub workflows,' and 'audit npm.'
As longer-term measures against supply chain attacks, the team also recommends 'strictly scoping tokens,' 'keeping credential lifetimes as short as possible,' 'restricting which users can create and publish packages,' and 'monitoring for new public repositories and workflow changes made outside the normal release process.'
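One way to carry out the 'audit npm' step for the package version named above, as an added example that is not Socket's or Bitwarden's own code: it parses package-lock.json and npm-shrinkwrap.json files (lockfileVersion 1, 2 and 3) under a directory, plus the output of `npm ls -g --json`, and reports every install of @bitwarden/cli pinned at 2026.4.0. The package name and version come from the article; the lockfile layouts are assumed from the npm lockfile format.

```python
# Added example: find @bitwarden/cli 2026.4.0 (the version named in the article) in lockfiles and the global npm tree.
import json, os, subprocess, sys

AFFECTED_PACKAGE = "@bitwarden/cli"
AFFECTED_VERSIONS = {"2026.4.0"}  # from the article; extend if advisories add more
LOCKFILES = {"package-lock.json", "npm-shrinkwrap.json"}

def _is_hit(name: str, meta: dict) -> bool:
    return name == AFFECTED_PACKAGE and meta.get("version") in AFFECTED_VERSIONS

def affected_installs(tree: dict) -> list[str]:
    """Install paths pinning an affected version, from a parsed lockfile (v1/v2/v3) or `npm ls --json`."""
    hits = []
    if "packages" in tree:  # lockfileVersion 2/3: flat map keyed by install path
        for path, meta in tree["packages"].items():
            if _is_hit(meta.get("name") or path.rsplit("node_modules/", 1)[-1], meta):
                hits.append(path)
        return hits
    def walk(deps: dict, prefix: str) -> None:  # lockfileVersion 1 and npm ls: nested tree
        for name, meta in deps.items():
            here = f"{prefix}node_modules/{name}"
            if _is_hit(name, meta):
                hits.append(here)
            walk(meta.get("dependencies") or {}, here + "/")
    walk(tree.get("dependencies") or {}, "")
    return hits

def scan_directory(root: str) -> dict[str, list[str]]:
    """Map every lockfile under root (node_modules skipped) to the affected paths it pins."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != "node_modules"]
        for fname in LOCKFILES & set(filenames):
            full = os.path.join(dirpath, fname)
            with open(full, encoding="utf-8") as fh:
                hits = affected_installs(json.load(fh))
            if hits:
                findings[full] = hits
    return findings

def global_install_hits() -> list[str]:
    """Parse `npm ls -g --json` for the global install tree; empty list if npm is not on PATH."""
    try:
        out = subprocess.run(["npm", "ls", "-g", "--json", AFFECTED_PACKAGE],
                             capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        return []
    return affected_installs(json.loads(out)) if out.strip() else []

if __name__ == "__main__":
    print(scan_directory(sys.argv[1] if len(sys.argv) > 1 else "."), global_install_hits())
```

A hit in a lockfile means a CI job or developer machine that ran `npm ci` from it pulled the affected build, which is where the team's advice to check CI logs and rotate secrets applies.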
The research team's analysis indicates that the attack on Bitwarden has a similar structure to a previous supply chain attack on Checkmarx, sharing characteristics such as being designed not to run in Russian-language environments. Because the behavior differs, however, they suspect the attack was carried out by a different entity or splinter group sharing the same infrastructure.