Well, butter my biscuit and call me surprised! Them rascally attackers done gone and hijacked Bitwarden’s CLI, version 2026.4.0, like a riverboat gambler cheating at poker. A compromised GitHub Action let ’em slip in a malicious npm package, and now crypto wallet keys are flyin’ out faster than a catfish on a hot skillet.
The folks over at Socket, them eagle-eyed security wranglers, spotted this shenanigan on April 23. They reckon it’s part of that TeamPCP supply chain hullabaloo that’s been goin’ round. The rogue npm version? It’s been yanked quicker than a hound dog from a ham bone.
Malware Mischief: Crypto Wallets and Secrets in the Crosshairs
This here malicious payload, hidin’ in a file called bw1.js, was slyer than a fox in a henhouse. It ran during installation, snatchin’ up GitHub and npm tokens, SSH keys, environment variables, shell history, and cloud credentials like a magpie with a shiny obsession. TeamPCP’s been on a tear, targetin’ crypto wallet files from MetaMask to Phantom and Solana. Them wallets ain’t safe, no sir.
JFrog chimed in, sayin’ the stolen data was shipped off to attacker-controlled domains faster than a telegram in a gold rush. And get this: it was committed back to GitHub repositories, just to make sure the mischief stuck around like a bad smell.
Now, many a crypto team uses Bitwarden CLI in their CI/CD pipelines, injectin’ secrets and deployin’ code. Any workflow that ran the compromised version might’ve spilled more secrets than a town gossip. High-value wallet keys and exchange API credentials? They’re likely dancin’ in the wind.
Security researcher Adnan Khan, bless his heart, pointed out this is the first known time a package usin’ npm’s trusted publishin’ mechanism got compromised. That’s like findin’ a rattlesnake in your boot: you never expect it, but there it is.
I believe this is the first time a package using NPM trusted publishing has been compromised.
– Adnan Khan (@adnanthekhan) April 23, 2026
What to Do If You’re in This Pickle
Socket’s advice is clear as a mountain stream: if you installed @bitwarden/cli version 2026.4.0, rotate every exposed secret quicker than a squirrel in a nut factory. Downgrade to version 2026.3.0 or switch to official signed binaries from Bitwarden’s website. Don’t dilly-dally, or you’ll be left holdin’ the bag.
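One way to check a project for the affected release, as an added example (not code from Socket, Bitwarden or this article's sources): it scans the contents of a package-lock.json for @bitwarden/cli at version 2026.4.0, includin' copies pulled in by other packages or installed under an alias. The sample lockfile and the names deploy-tool and bw-alias are constructed for illustration.

```javascript
// Added example: flag @bitwarden/cli 2026.4.0 in npm lockfile contents.
const PKG = "@bitwarden/cli";
const BAD_VERSION = "2026.4.0"; // compromised release named in the article

// Takes the text of a package-lock.json (lockfileVersion 1, 2 or 3) and
// returns [{ where, version }] for every affected entry.
function findCompromised(lockText) {
  const lock = JSON.parse(lockText);
  const hits = [];
  if (lock.packages) {
    // v2/v3: flat map keyed by install path; aliased installs carry "name".
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "") continue; // root project entry, not a dependency
      const name = meta.name || path.split("node_modules/").pop();
      if (name === PKG && meta.version === BAD_VERSION) {
        hits.push({ where: path, version: meta.version });
      }
    }
    return hits;
  }
  // v1: nested "dependencies" tree, walked recursively.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const here = trail ? `${trail} > ${name}` : name;
      if (name === PKG && meta.version === BAD_VERSION) {
        hits.push({ where: here, version: meta.version });
      }
      walk(meta.dependencies, here);
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfile (not real project data): one transitive hit,
// one aliased hit, and one clean 2026.3.0 install that must not be flagged.
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@bitwarden/cli": { version: "2026.3.0" },
    "node_modules/deploy-tool/node_modules/@bitwarden/cli": { version: "2026.4.0" },
    "node_modules/bw-alias": { name: "@bitwarden/cli", version: "2026.4.0" },
  },
});

for (const hit of findCompromised(SAMPLE_LOCK)) {
  console.log(`AFFECTED: ${PKG}@${hit.version} at ${hit.where}`);
}
```

To scan a real project, pass in the file's text, for instance `findCompromised(fs.readFileSync("package-lock.json", "utf8"))`. A lockfile only shows what's pinned now, so CI logs from the window when 2026.4.0 was live are worth checkin' too.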
TeamPCP’s been on a tear since March 2026, targetin’ developer tools like Trivy, Checkmarx, and LiteLLM. They’re like a pack of coyotes after a wounded rabbit, goin’ after build pipelines deep in the woods.
Now, don’t you fret none about Bitwarden’s core vault: it’s as safe as a baby in a cradle. Only the CLI build process got itself in a heap of trouble.
2026-04-23 17:41