
A major crypto developer tool just turned laptops into launchpads for hijacking GitHub accounts

Burns Brief

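On Jan. 22, a malicious version of the Bitwarden command-line interface appeared on npm under the official package name @bitwarden/cli@2026 Market sentiment is turning positive, with traders and analysts pointing to possible follow-through momentum over the next few trading sessions. Watch for volume confirmation: a break above average volume would indicate the trend is likely to continue.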

On Apr. 22, a malicious version of Bitwarden's command-line interface appeared on npm under the official package name @bitwarden/cli@2026.4.0. For 93 minutes, anyone who pulled the CLI through npm received a backdoored substitute for the legitimate tool.

Bitwarden detected the compromise, removed the package, and issued a statement saying it found no evidence that attackers accessed end-user vault data or compromised production systems.

Security research firm JFrog analyzed the malicious payload and found it had no particular interest in Bitwarden vaults. It targeted GitHub tokens, npm tokens, SSH keys, shell history, AWS credentials, GCP credentials, Azure credentials, GitHub Actions secrets, and AI tooling configuration files. These are credentials that govern how teams build, deploy, and reach their infrastructure.

| Targeted secret / data type | Where it usually lives | Why it matters operationally |
| --- | --- | --- |
| GitHub tokens | Developer laptops, local config, CI environments | Can enable repo access, workflow abuse, secret listing, and lateral movement through automation |
| npm tokens | Local config, release environments | Can be used to publish malicious packages or alter release flows |
| SSH keys | Developer machines, build hosts | Can open access to servers, internal repos, and infrastructure |
| Shell history | Local machines | Can reveal pasted secrets, commands, internal hostnames, and workflow details |
| AWS credentials | Local config files, environment variables, CI secrets | Can expose cloud workloads, storage, and deployment systems |
| GCP credentials | Local config files, environment variables, CI secrets | Can expose cloud projects, services, and automation pipelines |
| Azure credentials | Local config files, environment variables, CI secrets | Can expose cloud infrastructure, identity systems, and deployment paths |
| GitHub Actions secrets | CI/CD environments | Can give access to automation, build outputs, deployments, and downstream secrets |
| AI tooling / config files | Project directories, local dev environments | Can expo |
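A defender-side check for the incident described above, as an added example that is not from the article, Bitwarden or JFrog: it scans a parsed `package-lock.json` for entries pinned to @bitwarden/cli 2026.4.0, the version the article names. The function name, the sample lockfiles and every other version string are constructed for illustration.

```javascript
// Added example: find lockfile entries pinned to the version named in the article.
const AFFECTED = { name: "@bitwarden/cli", version: "2026.4.0" }; // from the article

// lock: the object from JSON.parse() of a package-lock.json.
// Returns the lockfile locations that resolve to the affected version.
function findAffected(lock, target = AFFECTED) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2 and 3: flat "packages" map keyed by install path.
    const suffix = "node_modules/" + target.name;
    for (const [path, entry] of Object.entries(lock.packages)) {
      const isTarget = path === suffix || path.endsWith("/" + suffix);
      if (isTarget && entry.version === target.version) hits.push(path);
    }
    return hits;
  }
  // lockfileVersion 1: nested "dependencies" tree, walked recursively.
  const walk = (deps, trail) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const here = trail.concat(name);
      if (name === target.name && entry.version === target.version) {
        hits.push(here.join(" > "));
      }
      walk(entry.dependencies, here);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfiles (not real project data; versions other than
// 2026.4.0 are made up for the example).
const sampleV3 = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "@bitwarden/cli": "^2026.3.0" } },
    "node_modules/@bitwarden/cli": { version: "2026.4.0" },
    "node_modules/tooling/node_modules/@bitwarden/cli": { version: "2026.3.0" },
  },
};
const sampleV1 = {
  lockfileVersion: 1,
  dependencies: {
    tooling: { version: "1.0.0", dependencies: { "@bitwarden/cli": { version: "2026.4.0" } } },
  },
};

console.log("v3 hits:", findAffected(sampleV3));
console.log("v1 hits:", findAffected(sampleV1));
```

A lockfile scan does not cover CLI copies installed globally; `npm ls -g @bitwarden/cli` shows the globally installed version on a given machine.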

Key Takeaways