Bitwarden hit by network compromise
Incident
Summary
Bitwarden's @bitwarden/cli distribution channel was compromised when a malicious package briefly appeared on npm, putting developers who installed it at risk of credential theft. The release was live only for a short window on April 22, 2026 before removal. Bitwarden said vault data and production systems were not compromised.
Related Happenings
GitHub data exposed after GitHub breach
Data Leak
First: 20.05.2026 11:14
Last: 20.05.2026 11:14
Sources 1
About this happening:
GitHub confirmed **exfiltration** of **internal repositories**, making private code and related content potentially available to outsiders. Attackers on the **Breached cybercrime...
GitHub hit by network compromise
Incident
First: 20.05.2026 07:01
Last: 20.05.2026 07:01
Sources 1
About this happening:
GitHub is investigating unauthorized access to its internal repositories after a third party allegedly offered stolen material for sale on a cybercrime forum. The intrusion was li...
Latest development: 20.05.2026 13:45
GitHub detected unauthorized access tied to a poisoned Visual Studio Code (VS Code) extension on an employee device, removed the malicious extension version, isolated the endpoint, and began incident response to contain exposure across internal repositories.
Inactive maintainer account 'atiertant' hit by network compromise
Incident
First: 15.05.2026 20:10
Last: 15.05.2026 20:10
Sources 1
About this happening:
The **inactive maintainer account 'atiertant'** for **node-ipc** was **compromised**, enabling malicious package releases that could steal credentials from downstream installation...
TanStack hit by network compromise
Incident
First: 12.05.2026 17:45
Last: 12.05.2026 17:45
Sources 1
About this happening:
**TanStack** was hit by a **package compromise** on **May 11, 2026**, when attackers published **84 malicious versions** across **42 @tanstack/* packages** and abused the release...
Latest development: 21.05.2026 11:00
On May 17, 2026, Grafana Labs said an unauthorized attacker had downloaded its codebase after accessing the firm's GitHub environment, and the company later said additional internal operational information and business contact names and email addresses were taken from its GitHub repositories; Grafana Labs said there was no indication that customer production systems or the Grafana Cloud platform were compromised.
Lightning PyPI router_runtime.js credential-stealing payload
Malware Activity
First: 30.04.2026 19:31
Last: 30.04.2026 19:31
Sources 1
About this happening:
The **Lightning** PyPI package was pushed in **malicious versions 2.6.2 and 2.6.3** on **April 30, 2026**, turning a normal install into **credential theft** for **developer and C...
Latest development: 04.05.2026 20:15
Microsoft Threat Intelligence says Defender detected and prevented the malicious `lightning==2.6.3` routine in customer environments, notified the Lightning maintainer, and warned that users who ran `import lightning` may need to rotate exposed secrets, keys, and tokens.
Timeline
- 23.04.2026 22:21 · 1 article
Malicious @bitwarden/cli release reaches npm
Exploitation Observed: Attackers published malicious @bitwarden/cli version 2026.4.0 to npm on April 22, 2026, apparently through a compromised GitHub Action in Bitwarden's CI/CD pipeline, and the package used bw_setup.js and bw1.js to load Bun and inject credential-stealing code into the CLI distribution.
Sources:
- Bitwarden CLI npm package compromised to steal developer credentials — www.bleepingcomputer.com — 23.04.2026 22:21
- 23.04.2026 22:21 · 2 articles
Bitwarden confirms CLI npm compromise and analysts detail the payload
Technical Analysis Update: Bitwarden confirmed that the compromised npm distribution channel for the CLI package only affected users who downloaded the malicious version. It revoked compromised access, deprecated the affected release, and said end user vault data and production systems were not compromised. Socket, JFrog, and OX Security said the payload used bw_setup.js and bw1.js to collect npm tokens, GitHub authentication tokens, SSH keys, and cloud credentials for AWS, Azure, and Google Cloud, encrypt the data with AES-256-GCM, and exfiltrate it through public GitHub repositories.
Sources:
- Bitwarden CLI npm package compromised to steal developer credentials — www.bleepingcomputer.com — 23.04.2026 22:21
- Bitwarden CLI npm package compromised to steal developer credentials — www.bleepingcomputer.com — 23.04.2026 22:21