Bitwarden CLI Compromised in Ongoing Checkmarx Supply Chain Campaign

Bitwarden CLI v2026.4.0 was compromised via a malicious GitHub Action injection, distributing malware on npm for 1.5 hours on April 22. The malware exfiltrates developer secrets, GitHub tokens, SSH keys, and cloud credentials to attacker infrastructure. Any developer who installed this version during the window has potentially compromised credentials in active threat actor hands.

CRITICALAdvisoryApr 25, 2026

Action required

Immediately identify and revoke all GitHub tokens, SSH keys, and cloud credentials for any developer who installed Bitwarden CLI v2026.4.0 between April 22 00:00-01:30 UTC. Hunt for exfiltration to audit.checkmarx[.]cx and suspicious GitHub repo access from compromised tokens.

Affected products

Bitwarden CLIBitwarden

Linked articles

Bitwarden CLI Compromised in Ongoing Checkmarx Supply Chain Campaign

Source links

https://thehackernews.com/2026/04/bitwarden-cli-compromised-in-ongoing.html