The Bitwarden security team identified and contained a malicious package that was briefly distributed through the npm delivery path for @bitwarden/cli@2026.4.0 between 5:57 PM and 7:30 PM (ET) on April 22, 2026, in connection with a broader Checkmarx supply chain incident. The investigation found no evidence that end user vault data was accessed or at risk, or that production data or production systems were compromised. Once the issue was detected, compromised access was revoked, the malicious ...
This problem has nothing to do with NPM. Checkmarx was compromised last month, and during that compromise there were malicious VS Code extensions published to Visual Studio Code Marketplace. A Bitwarden developer says that somebody ran one of those malicious extensions, and GitHub API keys were stolen which were used in publishing the malicious CLI package.
It’s probably better that it happened on NPM. If the CLI were only downloadable from the Bitwarden website, it would have likely taken longer for somebody to notice something was wrong.
Yes, but NPM has had countless security problems, this isn’t a new problem. Even though this instance is not a problem of NPM itself, it still has been proven as one of the most unreliable and insecure package managers out there.
I’m not a particular fan of npm, but you’ll probably see this kind of thing with any package manager of similar size. More a matter of what’s the most attractive target than the package tech itself.
But why does NPM enable post install scripts by default? Why is there no way to define a minimum release age for dependency versions? It’s just poor design choices.
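Added example, not part of the thread or of any project's code: a lockfile audit covering the two gaps raised in the comment above (install scripts and release age), plus a check for the affected version named in the statement. The `example-*` package names, the timestamps and the 7-day threshold are constructed; `hasInstallScript` is the field npm writes into `package-lock.json`, and the `times` argument mirrors the registry packument `time` field.

```javascript
// Added example: audit a parsed package-lock.json (lockfileVersion 2 or 3).
const DAY_MS = 24 * 60 * 60 * 1000;

// Package name from a lockfile path like "node_modules/a/node_modules/@scope/b".
function nameFromPath(path, entry) {
  if (entry.name) return entry.name; // set for aliases and workspace packages
  const i = path.lastIndexOf("node_modules/");
  return i < 0 ? path : path.slice(i + "node_modules/".length);
}

// blocked: array of "name@version". times: name -> { version: ISO publish time }.
// Returns the "name@version" ids found in each category.
function auditLockfile(lock, blocked, times, minAgeDays, now) {
  const out = { blocked: [], installScripts: [], tooNew: [] };
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "" || entry.link) continue; // skip root project and links
    const name = nameFromPath(path, entry);
    const id = `${name}@${entry.version}`;
    if (blocked.includes(id)) out.blocked.push(id);
    if (entry.hasInstallScript) out.installScripts.push(id);
    // An unknown publish time is treated as too new (fail closed).
    const published = Date.parse(times[name]?.[entry.version]);
    if (Number.isNaN(published) || now - published < minAgeDays * DAY_MS) {
      out.tooNew.push(id);
    }
  }
  return out;
}

// Constructed sample data; only @bitwarden/cli@2026.4.0 comes from the page.
const sampleLock = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/@bitwarden/cli": { version: "2026.4.0" },
  "node_modules/example-lib": { version: "1.3.0" },
  "node_modules/tool/node_modules/example-native-addon":
    { version: "0.20.0", hasInstallScript: true },
} };
const sampleTimes = {
  "@bitwarden/cli": { "2026.4.0": "2026-04-22T21:57:00.000Z" },
  "example-lib": { "1.3.0": "2025-01-10T00:00:00.000Z" },
  "example-native-addon": { "0.20.0": "2026-04-20T12:00:00.000Z" },
};
const sampleNow = Date.parse("2026-04-23T00:00:00.000Z");

const report = auditLockfile(
  sampleLock, ["@bitwarden/cli@2026.4.0"], sampleTimes, 7, sampleNow);
console.log(JSON.stringify(report, null, 2));
```

Install-time lifecycle scripts can also be switched off with `ignore-scripts=true` in `.npmrc`.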
What a fucking asinine series of events.