Fri, 24 Apr

For 93 minutes, installing the "official" Bitwarden CLI turned laptops into launch pads for hijacking GitHub accounts.

Burns Brief


On Apr. 22, a malicious version of Bitwarden's command-line interface appeared on npm under the official package name @bitwarden/cli@2026.4.0. For 93 minutes, anyone who pulled the CLI through npm received a backdoored substitute for the legitimate tool. Bitwarden detected the compromise, removed the package, and issued a statement saying it found no evidence that attackers accessed end-user vault data or compromised production systems.

Security research firm JFrog analyzed the malicious payload and found it had no particular interest in Bitwarden vaults. It targeted GitHub tokens, npm tokens, SSH keys, shell history, AWS credentials, GCP credentials, Azure credentials, GitHub Actions secrets, and AI tooling configuration files: the credentials that govern how teams build, deploy, and reach their infrastructure.

| Targeted secret / data type | Where it usually lives | Why it matters operationally |
|---|---|---|
| GitHub tokens | Developer laptops, local config, CI environments | Can enable repo access, workflow abuse, secret listing, and lateral movement through automation |
| npm tokens | Local config, release environments | Can be used to publish malicious packages or alter release flows |
| SSH keys | Developer machines, build hosts | Can open access to servers, internal repos, and infrastructure |
| Shell history | Local machines | Can reveal pasted secrets, commands, internal hostnames, and workflow details |
| AWS credentials | Local config files, environment variables, CI secrets | Can expose cloud workloads, storage, and deployment systems |
| GCP credentials | Local config files, environment variables, CI secrets | Can expose cloud projects, services, and automation pipelines |
| Azure credentials | Local config files, environment variables, CI secrets | Can expose cloud infrastructure, identity systems, and deployment paths |
| GitHub Actions secrets | CI/CD environments | Can give access to automation, build outputs, deployments, and downstream secrets |
| AI tooling / config files | Project directories, local dev environments | Can expo |
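The script below is an added example, not code from the article, from Bitwarden, or from JFrog. It is the scoping check a responder wants after reading the table above: it scans a package-lock.json (v1 and v2/v3 layouts) for the named malicious version, reads the version of a globally installed CLI from its package.json (a `npm install -g` leaves no project lockfile, so `npm root -g` is the place to look), and reports which of the credential stores in the table exist on a host so the rotation list is concrete rather than generic. The file paths and environment-variable names are conventional defaults assumed here, and the lockfiles, home directory, and environment passed to the demo are constructed sample data.

```python
"""Scope check after the @bitwarden/cli@2026.4.0 npm compromise.

Two questions an incident responder asks first:
  1. Did any project lockfile or global install resolve the backdoored version?
  2. Which of the credential stores the payload went after exist on this host?
Added example; the paths and variable names below are conventional defaults,
not anything the advisory itself lists.
"""
import json
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

MALICIOUS_PACKAGE = "@bitwarden/cli"
MALICIOUS_VERSION = "2026.4.0"  # version named in the advisory

# Conventional default locations (assumed here), relative to $HOME, for the
# secret types the payload targeted. GitHub Actions secrets and AI tooling
# config live in CI and project directories, so they are rotated/reviewed
# there rather than found by a home-directory sweep.
CREDENTIAL_PATHS = {
    "GitHub token (gh CLI)": ".config/gh/hosts.yml",
    "npm token": ".npmrc",
    "SSH keys": ".ssh",
    "bash history": ".bash_history",
    "zsh history": ".zsh_history",
    "AWS credentials": ".aws/credentials",
    "GCP credentials": ".config/gcloud",
    "Azure credentials": ".azure",
}

# Well-known environment variable names (assumed here) that carry the same secrets.
SENSITIVE_ENV = [
    "GITHUB_TOKEN", "GH_TOKEN", "NPM_TOKEN",
    "AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN",
    "GOOGLE_APPLICATION_CREDENTIALS", "AZURE_CLIENT_SECRET",
]


def _walk_v1(deps: dict, hits: List[str], prefix: str = "") -> None:
    """lockfileVersion 1 nests dependencies; walk the tree recording the path."""
    for name, entry in deps.items():
        if name == MALICIOUS_PACKAGE and entry.get("version") == MALICIOUS_VERSION:
            hits.append(prefix + name)
        _walk_v1(entry.get("dependencies", {}), hits, prefix + name + " > ")


def compromised_lockfile_entries(lockfile_text: str) -> List[str]:
    """Return lockfile entries that pin the malicious version.

    v2/v3 lockfiles carry a flat "packages" map keyed by install path
    ("node_modules/@bitwarden/cli", possibly nested under another package);
    v1 (and v2, for compatibility) carry a nested "dependencies" tree.
    """
    data = json.loads(lockfile_text)
    hits: List[str] = []
    for key, entry in data.get("packages", {}).items():
        if key.split("node_modules/")[-1] == MALICIOUS_PACKAGE and \
                entry.get("version") == MALICIOUS_VERSION:
            hits.append(key)
    _walk_v1(data.get("dependencies", {}), hits)
    return hits


def installed_version(node_modules: Path) -> Optional[str]:
    """Version of @bitwarden/cli installed under a node_modules directory.

    For a global install pass the directory printed by `npm root -g`.
    """
    manifest = node_modules / MALICIOUS_PACKAGE / "package.json"
    if not manifest.is_file():
        return None
    return json.loads(manifest.read_text()).get("version")


def present_credential_stores(home: Path) -> Dict[str, bool]:
    """Which of the targeted credential stores exist under this home directory."""
    return {label: (home / rel).exists() for label, rel in CREDENTIAL_PATHS.items()}


def present_credential_env(environ: Dict[str, str]) -> List[str]:
    """Names (never values) of sensitive variables set in the given environment."""
    return [name for name in SENSITIVE_ENV if name in environ]


# Constructed sample lockfiles: one v3 direct dependency, one v1 transitive one.
SAMPLE_LOCKFILE_V3 = json.dumps({
    "name": "release-tooling", "lockfileVersion": 3,
    "packages": {
        "": {"name": "release-tooling", "dependencies": {MALICIOUS_PACKAGE: "^2026.4.0"}},
        "node_modules/@bitwarden/cli": {"version": MALICIOUS_VERSION},
        "node_modules/left-pad": {"version": "1.3.0"},
    },
})
SAMPLE_LOCKFILE_V1 = json.dumps({
    "lockfileVersion": 1,
    "dependencies": {"some-wrapper": {"version": "1.0.0", "dependencies": {
        MALICIOUS_PACKAGE: {"version": MALICIOUS_VERSION}}}},
})


def run_demo() -> dict:
    """Exercise the checks on a constructed home directory and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp)
        (home / ".npmrc").write_text("//registry.npmjs.org/:_authToken=EXAMPLE\n")  # constructed
        (home / ".ssh").mkdir()
        (home / ".aws").mkdir()
        (home / ".aws" / "credentials").write_text("[default]\n")  # constructed, no real keys
        global_root = home / "lib" / "node_modules"  # stands in for `npm root -g`
        pkg_dir = global_root / MALICIOUS_PACKAGE
        pkg_dir.mkdir(parents=True)
        (pkg_dir / "package.json").write_text(
            json.dumps({"name": MALICIOUS_PACKAGE, "version": MALICIOUS_VERSION}))
        return {
            "v3_hits": compromised_lockfile_entries(SAMPLE_LOCKFILE_V3),
            "v1_hits": compromised_lockfile_entries(SAMPLE_LOCKFILE_V1),
            "global_version": installed_version(global_root),
            "stores": present_credential_stores(home),
            "env": present_credential_env({"AWS_ACCESS_KEY_ID": "x", "PATH": "/usr/bin"}),
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Two caveats when running this for real. A hit in a lockfile says the version was resolved, not that the postinstall ran on a given machine, so pair it with npm cache and CI logs from the 93-minute window; `npx` runs cache packages under ~/.npm/_npx rather than in a project lockfile, so sweep that directory as well. And an empty result does not clear a host: it only tells you which of the listed stores were present to be stolen, which is exactly the list to rotate.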

Key Takeaways