Bitwarden CLI Supply Chain Attack Puts Crypto Wallet Keys at Risk



Attackers compromised version 2026.4.0 of Bitwarden’s CLI password manager through a GitHub Action and published a malicious npm package that quickly steals crypto wallet data and developer credentials.

Security firm Socket discovered the breach on April 23 and linked it to the ongoing TeamPCP campaign. The malicious version has been removed from npm.

Malware Targets Crypto Wallets and CI/CD Secrets

The malicious payload, embedded in a file named bw1.js, ran at package installation and harvested GitHub and npm tokens, SSH keys, environment variables, shell history, and cloud credentials.

TeamPCP’s wider campaign has separately been confirmed to target crypto wallet data, including MetaMask, Phantom, and Solana wallet files.

According to JFrog, the stolen content was exfiltrated to an attacker-controlled environment and written back to the GitHub repository as a persistence mechanism.

Many crypto teams use the Bitwarden CLI in automated CI/CD pipelines for secret injection and deployment. Any pipeline that ran the compromised version may have exposed wallet keys as well as exchange API credentials.

Security researcher Adnan Khan reported that this was the first compromise of a package published using npm’s trusted publishing, which is designed to eliminate long-lived tokens.

What Concerned Users Should Do

Socket urges anyone who installed @bitwarden/cli 2026.4.0 to immediately rotate every exposed secret.

Users should downgrade to version 2026.3.0 or switch to the signed binaries from the Bitwarden website.
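To find out which checkouts and build agents need that rotation, the sketch below (an added example, not code from Socket, JFrog or Bitwarden) walks a directory tree and flags npm lockfiles or installed copies that pin @bitwarden/cli 2026.4.0. It assumes npm's package-lock.json formats (lockfileVersion 1 to 3); the function names are hypothetical.

```python
import json
import os
import sys

BAD_NAME = "@bitwarden/cli"
BAD_VERSION = "2026.4.0"  # the compromised release named in the article

def hits_in_lock(lock):
    """Return the lockfile locations that pin the compromised release."""
    hits = []
    if "packages" in lock:  # lockfileVersion 2/3: flat map keyed by install path
        for path, meta in lock["packages"].items():
            name = meta.get("name") or path.rpartition("node_modules/")[2]
            if name == BAD_NAME and meta.get("version") == BAD_VERSION:
                hits.append(path)
        return hits

    def walk(deps, trail):  # lockfileVersion 1: nested "dependencies" objects
        for name, meta in deps.items():
            here = f"{trail} > {name}" if trail else name
            if name == BAD_NAME and meta.get("version") == BAD_VERSION:
                hits.append(here)
            walk(meta.get("dependencies", {}), here)

    walk(lock.get("dependencies", {}), "")
    return hits

def scan_tree(root):
    """Check every package-lock.json and installed package.json under root."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in {"package-lock.json", "package.json"} & set(files):
            full = os.path.join(dirpath, fname)
            try:
                with open(full, encoding="utf-8") as fh:
                    doc = json.load(fh)
            except (OSError, ValueError):
                doc = None  # unreadable or malformed file: skip, keep scanning
            if not isinstance(doc, dict):
                continue
            if fname == "package-lock.json":
                found += [(full, hit) for hit in hits_in_lock(doc)]
            elif doc.get("name") == BAD_NAME and doc.get("version") == BAD_VERSION:
                found.append((full, "installed copy"))
    return found

if __name__ == "__main__":
    for path, where in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"COMPROMISED {BAD_NAME}@{BAD_VERSION}: {path} ({where})")
```

A hit means the install hook may have run on that machine, so treat every secret reachable from it as exposed. Global installs and yarn or pnpm lockfiles are outside what this sketch parses.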

TeamPCP has also carried out similar compromises of Trivy, Checkmarx, and LiteLLM since March 2026, targeting developer tooling that sits inside build pipelines.

Bitwarden’s core vault was untouched. Only the build process for the CLI was compromised.

The post Bitwarden CLI Supply Chain Attack Puts Crypto Wallet Keys at Risk appeared first on BeInCrypto.




