Find notable cyber news and cases, enriched with sources, timelines, and signals.

Bitwarden hit by network compromise

Incident
First reported
Last updated
Happening score
H score 34
1 unique sources, 1 articles

Summary

Hide ▲

Bitwarden's @bitwarden/cli distribution channel was compromised when a malicious package briefly appeared on npm, putting developers who installed it at risk of credential theft. The release was live only for a short window on April 22, 2026 before removal. Bitwarden said vault data and production systems were not compromised.

Related Happenings

Easy-day-js Mastra package-publishing campaign

Campaign
H score30 First: 17.06.2026 10:38 Last: 17.06.2026 10:38 Sources 1

About this happening: The **easy-day-js** campaign mass-published more than **140 malicious npm packages** across the **@mastra/*** namespace, creating broad supply-chain exposure for developers and bu...

Asteroiddao hit by network compromise

Incident
H score13 First: 04.06.2026 18:25 Last: 04.06.2026 18:25 Sources 1

About this happening: **asteroiddao** suffered a compromised-account incident that let malicious npm package versions and repository commits seed a wider **supply-chain attack**. The account was used t...

Malware-Slop malicious npm file-theft campaign

Campaign
H score39 First: 27.05.2026 18:44 Last: 27.05.2026 18:44 Sources 1

About this happening: **Malware-Slop** is distributing **mouse5212-super-formatter**, a malicious **npm** package that steals local files from **Anthropic's Claude** workspace directory **/mnt/user-dat...

GitHub data exposed after GitHub breach

Data Leak
H score35 First: 20.05.2026 11:14 Last: 20.05.2026 11:14 Sources 1

About this happening: GitHub confirmed **exfiltration** of **internal repositories**, making private code and related content potentially available to outsiders. Attackers on the **Breached cybercrime...

GitHub hit by network compromise

Incident
H score42 First: 20.05.2026 07:01 Last: 20.05.2026 07:01 Sources 1

About this happening: GitHub is investigating unauthorized access to its internal repositories after a third party allegedly offered stolen material for sale on a cybercrime forum. The intrusion was li...

Latest development: 20.05.2026 13:45

GitHub detected unauthorized access tied to a poisoned Visual Studio Code (VS Code) extension on an employee device, removed the malicious extension version, isolated the endpoint, and began incident response to contain exposure across internal repositories.

Timeline

  1. 23.04.2026 22:21 1 articles · 2mo ago

    Malicious @bitwarden/cli release reaches npm

    Exploitation Observed

    Attackers published malicious @bitwarden/cli version 2026.4.0 to npm on April 22, 2026, apparently through a compromised GitHub Action in Bitwarden's CI/CD pipeline, and the package used bw_setup.js and bw1.js to load Bun and inject credential-stealing code into the CLI distribution.

    Show sources
  2. 23.04.2026 22:21 2 articles · 2mo ago

    Bitwarden confirms CLI npm compromise and analysts detail the payload

    Technical Analysis Update

    Bitwarden confirmed that the compromised npm distribution channel for the CLI package only affected users who downloaded the malicious version, revoked compromised access, deprecated the affected release, and said end user vault data and production systems were not compromised; Socket, JFrog, and OX Security said the payload used bw_setup.js and bw1.js to collect npm tokens, GitHub authentication tokens, SSH keys, and cloud credentials for AWS, Azure, and Google Cloud, encrypt the data with AES-256-GCM, and exfiltrate it through public GitHub repositories.

    Show sources