{"data":{"id":"0d61fd21-f7e6-499b-973c-f54e00799360","title":"Bitwarden CLI password manager trojanized in supply chain attack","summary":"A malicious version of Bitwarden CLI (the terminal interface for a popular password manager) was published to npm by attackers who compromised Bitwarden's CI/CD pipeline (the system that automates building and releasing software). The fake version 2026.4.0 contained malware designed to steal developer credentials like GitHub tokens, AWS keys, and API keys from infected systems, though it was detected and removed within 1.5 hours.","solution":"Users who installed the malicious version 2026.4.0 should uninstall it, clear the npm cache, and delete bw1.js and bw_setup.js from their system. Then they should: revoke all GitHub PATs (personal access tokens, which are authentication credentials), rotate npm tokens and CI publishing tokens, rotate AWS access keys and review SSM and Secrets Manager access, review Azure Key Vault audit logs and rotate affected secrets, review GCP Secret Manager access logs and rotate affected secrets, inspect GitHub Actions workflows and repository artifacts for unauthorized activity, and review shell history and AI tooling configuration files for sensitive data leakage.","labels":["security"],"sourceUrl":"https://www.csoonline.com/article/4162865/bitwarden-cli-password-manager-trojanized-in-supply-chain-attack.html","publishedAt":"2026-04-23T23:09:15.000Z","cveId":null,"cweIds":null,"cvssScore":null,"cvssSeverity":null,"severity":"high","attackType":["supply_chain"],"issueType":"news","affectedPackages":null,"affectedVendors":["HuggingFace"],"affectedVendorsRaw":["Bitwarden","TeamPCP","KICS","Checkmarx","Trivy","Docker","VS Code","GitHub","npm","AWS","GCP","MCP","AI agents"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":null,"epssScore":null,"patchAvailable":null,"disclosureDate":"2026-04-23T23:09:15.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"advanced","impactType":["confidentiality","integrity"],"aiComponentTargeted":null,"llmSpecific":false,"classifierConfidence":0.75,"researchCategory":null,"atlasIds":null}}