Bitwarden CLI compromised in ongoing Checkmarx supply chain campaign
tosh
710 points
347 comments
April 23, 2026
Related Discussions
Found 5 related stories in 66.1ms across 5,406 title embeddings via pgvector HNSW
- Bitwarden CLI NPM package has been compromised 6mile · 15 pts · April 23, 2026 · 82% similar
- Bitwarden integrates with OneCLI agent vault sudo_chmod · 62 pts · March 30, 2026 · 64% similar
- Bitwarden Is Down zhan_eg · 16 pts · April 06, 2026 · 61% similar
- GitHub Accounts Compromised 6mile · 13 pts · March 11, 2026 · 55% similar
- The Vercel breach: OAuth attack exposes risk in platform environment variables queenelvis · 299 pts · April 21, 2026 · 55% similar
Discussion Highlights (20 comments)
nozzlegear
Another day, another supply chain attack involving GitHub Actions.
sigmonsays
If I run the compromised CLI, do they get all my passwords?
hurricanepootis
This doesn't affect the web extension, no?
1024kb
I had a really bad experience with the bitwarden cli. I believe it was `bw list` that I ran, assuming it would list the names of all my passwords, but too my surprise, it listed everything, including passwords and current totp codes. That's not the worst of it though. For some reason, when I ssh'ed into one of my servers and opened tmux, where I keep a weechat irc client running, I noticed that the entire content of the bw command was accessible from within the weechat text input field history. I have no idea how this happened, but it was quite terrifying. The issue persisted across tmux and weechat sessions, and only a reboot of the server would solve the problem. I promptly removed the bw cli programme after that, and I definitely won't be installing it again. I use ghostty if it matters.
hgoel
Does the CLI auto-update? Edit: The CLI itself apparently does not, which will have limited the damage a bit, but if it's installed as a snap, it might. Incidents like this should hopefully cause a rollback of this dumb system of forcefully and frequently updating people's software without explicit consent. Also the time range provided in https://community.bitwarden.com/t/bitwarden-statement-on-che... can help with knowing if you were at risk. I only used the CLI once in the morning yesterday (ET), so I might not have been affected?
flossly
Never used the CLI, but I do use their browser plugin. Would be quite a mess if that got compromised. What can I do to prevent it? Run old --tried and tested-- versions? Quite bizarre to think much much of my well-being depends on those secrets staying secret.
rvz
Once again, it is in the NPM ecosystem. OneCLI [0] does not save you either. Happens less with languages that have better standard libraries such as Go. If you see any package that has hundreds of libraries , that increases the risk of a supply chain attack. A password manager does not need a CLI tool. [0] https://news.ycombinator.com/item?id=47585838
citizen4902
Bitwarden statement - https://community.bitwarden.com/t/bitwarden-statement-on-che...
hrimfaxi
> The affected package version appears to be @bitwarden/cli2026.4.0, and the malicious code was published in bw1.js, a file included in the package contents. The attack appears to have leveraged a compromised GitHub Action in Bitwarden’s CI/CD pipeline, consistent with the pattern seen across other affected repositories in this campaign.
mobeigi
KeePass users continue to live the stress free live. I've managed to avoid several security breaches in last 5 years alone by using KeePass locally on my own infra.
isatty
Writing a cli with JavaScript? No thank you.
sega_sai
So how likely is that these compromises will start affecting the non-cli and non-open-source tools ? For example other password managers (in the form of GUI's or browser extensions).
darkwater
> Russian locale kill switch: Exits silently if system locale begins with "ru", checking Intl.DateTimeFormat().resolvedOptions().locale and environment variables LC_ALL, LC_MESSAGES, LANGUAGE, and LANG So bold and so cowards at the same time...
masfuerte
> Checkmarx is an information security company specializing in software application security testing and risk management for software supply chains. The irony! The security "solution" is so often the weak link.
Scene_Cast2
I recently had to disable their Chrome extension because it made the browser grind to a halt (spammed mojo IPC messages to the main thread according to a profiler). I wasn't the only one affected, going by the recent extension reviews. I wonder if it's related.
nothinkjustai
Remember how the White House published that document on memory safe languages? I think it’s time they go one step further and ban new development in JavaScript. Horrible language horrible ecosystem and horrible vulns.
tracker1
I was literally thinking about installing the cli a few days ago to ease the use in a few places. Now I'm glad I didn't.
ruuda
https://github.com/doy/rbw is a Rust alternative to the Bitwarden CLI. Although the Rust ecosystem is moving in NPM's direction (very large and very deep dependency trees), you still need to trust far fewer authors in your dependency tree than what is common for Javascript.
fraywing
Can we please get a break? Praying to the security gods. It seems like we've have non-stop supply chain attacks for months now?
fnoef
I mean, what's the future now? Everyone just vibecoding their own private tools that no "foreign government" has access to? It honestly feels like everything is slowly starting to collapse. Also didn't Microsoft (the owner of GitHub) got access to Claude Mythos in order to "seCuRe cRitiCal SoftWaRe InfRasTructUre FoR teh AI eRa"? Hows securing GitHub Action going for them?