Major crypto developer tool just turned laptops into launchpads to hijack GitHub accounts

On Apr. 22, a malicious version of Bitwarden's command-line interface appeared on npm under the official package name @bitwarden/cli@2026.4.0. For 93 minutes, anyone who pulled the CLI through npm received a backdoored substitute for the legitimate tool. Bitwarden detected the compromise, removed the package, and issued a statement saying it found no evidence that attackers accessed end-user vault data or compromised production systems. Security research firm JFrog analyzed the malicious payload and found it had no particular interest in Bitwarden vaults . It targeted GitHub tokens, npm tokens, SSH keys, shell history, AWS credentials, GCP credentials, Azure credentials, GitHub Actions secrets, and AI tooling configuration files. These are credentials that govern how teams build, deploy, and reach their infrastructure. Targeted secret / data type Where it usually lives Why it matters operationally GitHub tokens Developer laptops, local config, CI environments Can enable repo access, workflow abuse, secret listing, and lateral movement through automation npm tokens Local config, release environments Can be used to publish malicious packages or alter release flows SSH keys Developer machines, build hosts Can open access to servers, internal repos, and infrastructure Shell history Local machines Can reveal pasted secrets, commands, internal hostnames, and workflow details AWS credentials Local config files, environment variables, CI secrets Can expose cloud workloads, storage, and deployment systems GCP credentials Local config files, environment variables, CI secrets Can expose cloud projects, services, and automation pipelines Azure credentials Local config files, environment variables, CI secrets Can expose cloud infrastructure, identity systems, and deployment paths GitHub Actions secrets CI/CD environments Can give access to automation, build outputs, deployments, and downstream secrets AI tooling / config files Project directories, local dev environments Can expose API keys, internal endpoints, model settings, and related credentials Bitwarden serves over 50,000 businesses and 10 million users, and its own documentation describes the CLI as a “powerful, fully-featured” way to access and manage the vault, including in automated workflows that authenticate using environment variables. Bitwarden lists npm as the simplest and preferred installation method for users already comfortable with the registry. That combination of automation use, developer-machine installation, and official npm distribution places the CLI exactly where high-value infrastructure secrets tend to live. JFrog's analysis shows the malicious package rewired both the preinstall hook and the bw binary entrypoint to a loader that fetched the Bun runtime and launched an obfuscated payload. The compromise is fired at install time and at runtime. An organization could run the backdoored CLI without touching any stored passwords while the malware systematically collected the credentials governing its CI pipelines, cloud accounts, and deployment automation. Security firm Socket says the attack appears to have exploited a compromised GitHub Action in Bitwarden's CI/CD pipeline, consistent with a pattern Checkmarx researchers have been tracking. Bitwarden confirmed that the incident is connected to the broader Checkmarx supply chain campaign. The trust bottleneck Npm built its trusted publishing model to address exactly this class of risk. By replacing long-lived npm publish tokens with OIDC-based CI/CD authentication, the system removes one of the most common paths attackers use to hijack registry releases, and npm recommends trusted publishing and treats it as a meaningful step forward. The harder surface is the release logic itself, such as the workflows and actions that invoke the publish step. Npm's own documentation recommends controls beyond OIDC, such as deployment environments with manual approval requirements, tag protection rules, and branch restrictions. Layer in the trust chain What it is supposed to guarantee What can still go wrong Source repository The intended codebase exists in the expected repo Attackers may never need to alter the main codebase directly CI/CD workflow Automates build and release from the repo If compromised, it can produce and publish a malicious artifact GitHub Actions / release logic Executes the steps that build and publish software A poisoned action or abused workflow can turn a legitimate release path malicious OIDC trusted publishing Replaces long-lived registry tokens with short-lived identity-based auth It proves an authorized workflow published the package, not that the workflow itself was safe npm official package route Distributes software under the expected package name Users may still receive malware if the official publish path is compromised Developer machine / CI runner Consumes the official package Install-time or runtime malware can harvest local, cloud, and automation secrets GitHub's environm