The Bitwarden security team identified and contained a malicious package that was briefly distributed through the npm delivery path for @bitwarden/cli@2026.4.0 between 5:57 PM and 7:30 PM (ET) on April 22, 2026, in connection with a broader Checkmarx supply chain incident.

The investigation found no evidence that end user vault data was accessed or at risk, or that production data or production systems were compromised. Once the issue was detected, compromised access was revoked, the malicious npm release was deprecated, and remediation steps were initiated immediately.

The issue affected the npm distribution mechanism for the CLI during that limited window, not the integrity of the legitimate Bitwarden CLI codebase or stored vault data.

Users who did not download the package from npm during that window were not affected. Bitwarden has completed a review of internal environments, release paths, and related systems, and no additional impacted products or environments have been identified at this time. A CVE for Bitwarden CLI version 2026.4.0 is being issued in connection with this incident.

I was just worrying about this. I'm very seriously considering not using a password manager anymore.

I suppose good old paper and pencil is pretty hard to beat. Having all the passwords to everything in one place is a little unnerving.

I also saw lopp making a good reminder on X today: storing 2FA recovery codes in your password manager is a bad idea -- defeats the point of 2FA.

Until the $5 wrench attack comes

2 sats \ 0 replies \ @Jer 24 Apr

I think it is important to have more than one going.
