Bitwarden's CLI Tool Was Secretly Weaponized to Steal Cloud Credentials

Hackers hijack Bitwarden's CLI NPM package, stealing credentials from AWS, Azure, GitHub, and more. No user vault data exposed.

By Content Team

Apr 25, 2026

ON THIS PAGE

Share

---

ON THIS PAGE

Want more insights like this?

Subscribe to our newsletter to get the latest software protection strategies delivered to your inbox.

By submitting your email, you consent to Codekeeper contacting you and agree to our privacy policy.

Hackers compromised version 2026.4.0 of Bitwarden's CLI NPM package — downloaded over 250,000 times monthly — injecting malware that systematically steals credentials across AWS, Azure, GitHub, GCP, and more. The malicious code also hijacks victims' GitHub accounts to exfiltrate additional secrets, making stolen data potentially visible to anyone searching GitHub — not just the attackers. Bitwarden confirmed the breach but says no user vault data was exposed. The attack mirrors a recent hit on Checkmarx and shares code with the Shai-Hulud worm campaigns from 2024. Hacking group TeamPCP is suspected, though attribution remains complicated.

Source: SecurityWeek

Share this article

Have questions about protecting your software?

Our escrow experts are standing by to help.

Book a free demo

YOU MAY ALSO LIKE

Single Hacker Behind Dozens of Major Corporate Data Breaches

Jan 6, 2026

Hackers Selling $220,000 Windows Zero-Day Exploit on Dark Web

Mar 9, 2026

New Android Malware Infects 13,000 Devices Through Supply Chain Attack

Feb 18, 2026

Hackers Poison Trivy Scanner Tags to Steal Credentials from 10,000+ CI/CD Pipelines

Mar 22, 2026