A major crypto developer tool turned laptops into launchpads for breaching GitHub accounts
Burns Brief
On Feb. 22, a malicious version of Bitwarden's command-line interface appeared on npm under the official package name @bitwarden/cli@2026, and market sentiment turned positive, with traders and analysts pointing to potential follow-through momentum in the coming sessions. Watch for volume confirmation: a breakout above average volume would signal that the trend is likely to continue.
On Apr. 22, a malicious version of Bitwarden's command-line interface appeared on npm under the official package name @bitwarden/cli@2026.4.0. For 93 minutes, anyone who pulled the CLI through npm received a backdoored substitute for the legitimate tool.

Bitwarden detected the compromise, removed the package, and issued a statement saying it found no evidence that attackers accessed end-user vault data or compromised production systems.

Security research firm JFrog analyzed the malicious payload and found it had no particular interest in Bitwarden vaults. It targeted GitHub tokens, npm tokens, SSH keys, shell history, AWS credentials, GCP credentials, Azure credentials, GitHub Actions secrets, and AI tooling configuration files. These are credentials that govern how teams build, deploy, and reach their infrastructure.

| Targeted secret / data type | Where it usually lives | Why it matters operationally |
| --- | --- | --- |
| GitHub tokens | Developer laptops, local config, CI environments | Can enable repo access, workflow abuse, secret listing, and lateral movement through automation |
| npm tokens | Local config, release environments | Can be used to publish malicious packages or alter release flows |
| SSH keys | Developer machines, build hosts | Can open access to servers, internal repos, and infrastructure |
| Shell history | Local machines | Can reveal pasted secrets, commands, internal hostnames, and workflow details |
| AWS credentials | Local config files, environment variables, CI secrets | Can expose cloud workloads, storage, and deployment systems |
| GCP credentials | Local config files, environment variables, CI secrets | Can expose cloud projects, services, and automation pipelines |
| Azure credentials | Local config files, environment variables, CI secrets | Can expose cloud infrastructure, identity systems, and deployment paths |
| GitHub Actions secrets | CI/CD environments | Can give access to automation, build outputs, deployments, and downstream secrets |
| AI tooling / config files | Project directories, local dev environments | Can expo |
Key Takeaways
- On Apr. 22, a malicious version of Bitwarden's command-line interface appeared on npm under the official package name @bitwarden/cli@2026.4.0
- For 93 minutes, anyone who pulled the CLI through npm received a backdoored substitute for the legitimate tool
- Bitwarden detected the compromise, removed the package, and issued a statement saying it found no evidence that attackers accessed end-user vault data or compromised production systems
- Security research firm JFrog analyzed the malicious payload and found it had no particular interest in Bitwarden vaults
- It targeted GitHub tokens, npm tokens, SSH keys, shell history, AWS credentials, GCP credentials, Azure credentials, GitHub Actions secrets, and AI tooling configuration files
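
A defender's first question after an incident like this is whether any project actually resolved the affected release. The following is an added example, not code from Bitwarden, JFrog, or the article: it scans a parsed `package-lock.json` for the package name and version stated above. The function name `findAffected` and both sample lockfiles are constructed for illustration.

```javascript
// Added example. Package name and version are the ones the article gives;
// the lockfile objects below are constructed sample data, not real projects.
const AFFECTED = { name: "@bitwarden/cli", version: "2026.4.0" };

// Return every place a parsed package-lock.json pins the affected release.
// lockfileVersion 2/3 uses "packages" keyed by node_modules path;
// lockfileVersion 1 uses nested "dependencies" keyed by package name.
function findAffected(lock, affected = AFFECTED) {
  const hits = [];
  const suffix = "node_modules/" + affected.name;
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const named = path === suffix || path.endsWith("/" + suffix);
    if (named && meta.version === affected.version) {
      hits.push({ where: path, integrity: meta.integrity || null });
    }
  }
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      if (name === affected.name && meta.version === affected.version) {
        hits.push({ where: [...trail, name].join(" > "), integrity: meta.integrity || null });
      }
      walk(meta.dependencies, [...trail, name]);
    }
  };
  // v2 files carry both sections; walk "dependencies" only when "packages" is absent.
  if (!lock.packages) walk(lock.dependencies, []);
  return hits;
}

// Constructed samples: one v3 lockfile that resolved the affected release,
// one v1 lockfile that pins a different (made-up) version as a transitive dep.
const SAMPLE_V3 = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@bitwarden/cli": { version: "2026.4.0", integrity: "sha512-CONSTRUCTED" },
    "node_modules/demo-dep": { version: "1.3.0" },
  },
};
const SAMPLE_V1 = {
  lockfileVersion: 1,
  dependencies: {
    "demo-build-tools": { version: "0.1.0", dependencies: { "@bitwarden/cli": { version: "0.0.0-constructed" } } },
  },
};

console.log(findAffected(SAMPLE_V3));
console.log(findAffected(SAMPLE_V1));
```

To check a real project, pass the `JSON.parse` result of its `package-lock.json` to `findAffected`. A hit means that lockfile resolved the release named in the article, so machines and CI runners that installed from it should have the credential types listed above reviewed and rotated.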