Bitwarden hit by network compromise
Incident
Summary
Hide ▲
Show ▼
Bitwarden's @bitwarden/cli distribution channel was compromised when a malicious package briefly appeared on npm, putting developers who installed it at risk of credential theft. The release was live only for a short window on April 22, 2026 before removal. Bitwarden said vault data and production systems were not compromised.
Related Happenings
Easy-day-js Mastra package-publishing campaign
Campaign
H score30
First: 17.06.2026 10:38
Last: 17.06.2026 10:38
Sources 1
About this happening:
The **easy-day-js** campaign mass-published more than **140 malicious npm packages** across the **@mastra/*** namespace, creating broad supply-chain exposure for developers and bu...
Easy-day-js Mastra package-publishing campaign
CampaignAbout this happening: The **easy-day-js** campaign mass-published more than **140 malicious npm packages** across the **@mastra/*** namespace, creating broad supply-chain exposure for developers and bu...
Asteroiddao hit by network compromise
Incident
H score13
First: 04.06.2026 18:25
Last: 04.06.2026 18:25
Sources 1
About this happening:
**asteroiddao** suffered a compromised-account incident that let malicious npm package versions and repository commits seed a wider **supply-chain attack**. The account was used t...
Asteroiddao hit by network compromise
IncidentAbout this happening: **asteroiddao** suffered a compromised-account incident that let malicious npm package versions and repository commits seed a wider **supply-chain attack**. The account was used t...
Malware-Slop malicious npm file-theft campaign
Campaign
H score39
First: 27.05.2026 18:44
Last: 27.05.2026 18:44
Sources 1
About this happening:
**Malware-Slop** is distributing **mouse5212-super-formatter**, a malicious **npm** package that steals local files from **Anthropic's Claude** workspace directory **/mnt/user-dat...
Malware-Slop malicious npm file-theft campaign
CampaignAbout this happening: **Malware-Slop** is distributing **mouse5212-super-formatter**, a malicious **npm** package that steals local files from **Anthropic's Claude** workspace directory **/mnt/user-dat...
GitHub data exposed after GitHub breach
Data Leak
H score35
First: 20.05.2026 11:14
Last: 20.05.2026 11:14
Sources 1
About this happening:
GitHub confirmed **exfiltration** of **internal repositories**, making private code and related content potentially available to outsiders. Attackers on the **Breached cybercrime...
GitHub data exposed after GitHub breach
Data LeakAbout this happening: GitHub confirmed **exfiltration** of **internal repositories**, making private code and related content potentially available to outsiders. Attackers on the **Breached cybercrime...
GitHub hit by network compromise
Incident
H score42
First: 20.05.2026 07:01
Last: 20.05.2026 07:01
Sources 1
About this happening:
GitHub is investigating unauthorized access to its internal repositories after a third party allegedly offered stolen material for sale on a cybercrime forum. The intrusion was li...
GitHub hit by network compromise
IncidentAbout this happening: GitHub is investigating unauthorized access to its internal repositories after a third party allegedly offered stolen material for sale on a cybercrime forum. The intrusion was li...
Latest development: 20.05.2026 13:45
GitHub detected unauthorized access tied to a poisoned Visual Studio Code (VS Code) extension on an employee device, removed the malicious extension version, isolated the endpoint, and began incident response to contain exposure across internal repositories.
Timeline
-
23.04.2026 22:21 1 articles · 2mo ago
Malicious @bitwarden/cli release reaches npm
Exploitation ObservedAttackers published malicious @bitwarden/cli version 2026.4.0 to npm on April 22, 2026, apparently through a compromised GitHub Action in Bitwarden's CI/CD pipeline, and the package used bw_setup.js and bw1.js to load Bun and inject credential-stealing code into the CLI distribution.
Show sources
- Bitwarden CLI npm package compromised to steal developer credentials — www.bleepingcomputer.com — 23.04.2026 22:21
-
23.04.2026 22:21 2 articles · 2mo ago
Bitwarden confirms CLI npm compromise and analysts detail the payload
Technical Analysis UpdateBitwarden confirmed that the compromised npm distribution channel for the CLI package only affected users who downloaded the malicious version, revoked compromised access, deprecated the affected release, and said end user vault data and production systems were not compromised; Socket, JFrog, and OX Security said the payload used bw_setup.js and bw1.js to collect npm tokens, GitHub authentication tokens, SSH keys, and cloud credentials for AWS, Azure, and Google Cloud, encrypt the data with AES-256-GCM, and exfiltrate it through public GitHub repositories.
Show sources
- Bitwarden CLI npm package compromised to steal developer credentials — www.bleepingcomputer.com — 23.04.2026 22:21
- Bitwarden CLI npm package compromised to steal developer credentials — www.bleepingcomputer.com — 23.04.2026 22:21