
Bitwarden CLI npm package compromised: what actually happened and why it matters

The Bitwarden CLI was published to npm with a credential-stealing payload during a window that public reporting has not pinned down. This is not a story about Bitwarden the product being breached; it is a story about npm as an attack vector against a security-critical tool, one that runs in CI/CD pipelines with access to secrets and environment variables.

The exact mechanism of the compromise remains unclear from public reporting. Bitwarden has removed the malicious version and published a clean one, but it has not released a detailed incident postmortem with a root-cause analysis. The attack follows a familiar supply-chain pattern: target a package with privileged runtime access, get code execution in the environments where secrets live, exfiltrate. The structural problem is npm's publishing model: anyone holding publish rights for a package can push a new version, so if those credentials are compromised, malicious code reaches every downstream consumer that installs the new version before anyone notices.

If your CI/CD pipeline pulled the Bitwarden CLI from npm during the compromise window, assume the secrets that were reachable from that environment are already gone and rotate them; your lockfile's resolved version and integrity hash are the record of what actually ran. The reporting on how far the package spread and on the exact exposure window is frustratingly vague, which is itself a problem when a credential manager becomes the vector for stealing credentials.
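As an added check (example code written for this page, not Bitwarden's code and not taken from the reporting): a Node script that finds every copy of a package in a package-lock.json, including copies nested under other dependencies, and cross-checks each locked version against the registry's publish timestamps, the JSON that `npm view @bitwarden/cli time --json` prints. The suspect window, version numbers, hashes and lockfiles embedded in the script are constructed placeholders, since the page gives no affected version or dates; replace them with the real values when they are published.

```javascript
"use strict";
// Added example for this page; not Bitwarden's code and not from the reporting.
// Audits a package-lock.json for one npm package and cross-checks the locked
// version against the registry's publish timestamps (the object that
// `npm view <pkg> time --json` prints). All window dates, versions, hashes and
// lockfiles below are CONSTRUCTED placeholders, not incident data.

// Every occurrence of pkgName in a lockfile, including copies nested under
// other dependencies. lockfileVersion 2/3 keep a flat "packages" map keyed by
// install path; lockfileVersion 1 keeps a nested "dependencies" tree.
function findPackageEntries(lock, pkgName) {
  const hits = [];
  const record = (path, e) =>
    hits.push({ path, version: e.version, resolved: e.resolved, integrity: e.integrity });

  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === `node_modules/${pkgName}` || path.endsWith(`/node_modules/${pkgName}`)) {
        record(path, entry);
      }
    }
    return hits;
  }
  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === pkgName) record(path, entry);
      walk(entry.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Versions whose publish time falls inside [startIso, endIso]. "created",
// "modified" and "unpublished" are registry metadata keys, not versions.
function versionsPublishedInWindow(timeMap, startIso, endIso) {
  const start = Date.parse(startIso);
  const end = Date.parse(endIso);
  return Object.entries(timeMap)
    .filter(([key]) => !["created", "modified", "unpublished"].includes(key))
    .filter(([, t]) => Date.parse(t) >= start && Date.parse(t) <= end)
    .map(([version]) => version);
}

function auditLockfile(lock, pkgName, timeMap, windowStart, windowEnd) {
  const suspect = new Set(versionsPublishedInWindow(timeMap, windowStart, windowEnd));
  return findPackageEntries(lock, pkgName).map((e) => ({
    ...e,
    publishedInWindow: suspect.has(e.version),
    // A sha512 integrity field makes npm reject a tarball that differs from the
    // one that was locked; it does nothing if the locked version is the bad one.
    pinnedByIntegrity: typeof e.integrity === "string" && e.integrity.startsWith("sha512-"),
  }));
}

// --- constructed sample data (placeholders, not real incident data) ---
const PKG = "@bitwarden/cli";
const WINDOW_START = "2099-01-09T00:00:00Z"; // assumed suspect window
const WINDOW_END = "2099-01-11T00:00:00Z";
const SAMPLE_TIME = {
  created: "2099-01-01T00:00:00.000Z",
  modified: "2099-01-15T12:00:00.000Z",
  "2099.1.0": "2099-01-01T00:00:00.000Z",
  "2099.1.1": "2099-01-10T03:00:00.000Z", // inside the window
  "2099.1.2": "2099-01-15T12:00:00.000Z", // after it
};
const SAMPLE_LOCK_V3 = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "@bitwarden/cli": "^2099.1.0", "some-tool": "1.0.0" } },
    "node_modules/@bitwarden/cli": {
      version: "2099.1.1",
      resolved: "https://registry.npmjs.org/@bitwarden/cli/-/cli-2099.1.1.tgz",
      integrity: "sha512-CONSTRUCTEDPLACEHOLDERHASH",
    },
    "node_modules/some-tool": { version: "1.0.0" },
    "node_modules/some-tool/node_modules/@bitwarden/cli": {
      version: "2099.1.0",
      resolved: "https://registry.npmjs.org/@bitwarden/cli/-/cli-2099.1.0.tgz",
      integrity: "sha512-CONSTRUCTEDPLACEHOLDERHASH",
    },
  },
};
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    "some-tool": {
      version: "1.0.0",
      dependencies: { "@bitwarden/cli": { version: "2099.1.1", integrity: "sha512-CONSTRUCTED" } },
    },
  },
};

if (typeof require !== "undefined" && require.main === module) {
  // Usage: node audit-lock.js [package-lock.json] [time.json] [windowStart] [windowEnd]
  // where time.json is the output of: npm view @bitwarden/cli time --json
  const fs = require("node:fs");
  const [lockPath, timePath, start = WINDOW_START, end = WINDOW_END] = process.argv.slice(2);
  const lock = lockPath ? JSON.parse(fs.readFileSync(lockPath, "utf8")) : SAMPLE_LOCK_V3;
  const time = timePath ? JSON.parse(fs.readFileSync(timePath, "utf8")) : SAMPLE_TIME;
  console.table(auditLockfile(lock, PKG, time, start, end));
}
```

Run it against every lockfile your pipelines check out, not just the repository root: a nested copy under another tool is the one people forget. If the registry no longer lists the removed version, the lockfile's own `resolved` and `integrity` fields are still your evidence of what was installed, which is one more reason to commit lockfiles and install with `npm ci` rather than `npm install`.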

https://www.bleepingcomputer.com/news/security/bitwarden-cli-npm-package-compromised-to-steal-developer-credentials/

Video "Bitwarden CLI npm package compromised: what actually happened and why it matters" from the Dry Tech channel