{
  "title": "Bitwarden CLI npm 2026.4.0 Credential Stealer",
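  "summary": "Bitwarden confirmed that @bitwarden/cli@2026.4.0 was maliciously distributed through the npm CLI delivery path during a short window on April 22, 2026. Analysis by JFrog and Socket tied the package to the files bw_setup.js and bw1.js, a Bun bootstrap step, exfiltration to audit.checkmarx.cx, GitHub fallback channels, and theft of developer and CI credentials. The GitHub and Bun download hosts among the indicators are legitimate services, so match on the full URLs rather than on the hostnames alone.",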
  "date": "2026-04-22",
  "severity": "critical",
  "tags": [
    "npm",
    "supply-chain",
    "bitwarden",
    "github-actions",
    "credential-theft",
    "ci-cd"
  ],
  "sources_count": 4,
  "indicators": {
    "slug": "bitwarden-cli-npm-compromised-action",
    "since": "2026-04-22T21:22:59Z",
    "until": "2026-04-22T23:59:59Z",
    "ecosystem": "npm",
    "cves": [],
    "cwes": [],
    "advisoryIds": [],
    "products": [],
    "packages": [],
    "versions": [
      "@bitwarden/cli@2026.4.0"
    ],
    "affectedVersions": [],
    "fixedVersions": [],
    "files": [
      "bw_setup.js",
      "bw1.js",
      "/tmp/tmp.987654321.lock",
      "package-updated.tgz"
    ],
    "paths": [],
    "services": [],
    "domains": [
      "audit.checkmarx.cx",
      "tmp.987654321.lock",
      "api.github.com"
    ],
    "urls": [
      "https://audit.checkmarx.cx/v1/telemetry",
      "https://api.github.com/search/commits?q=LongLiveTheResistanceAgainstMachines&sort=author-date&order=desc&per_page=50",
      "https://api.github.com/search/commits?q=beautifulcastle%20&sort=author-date&order=desc",
      "https://github.com/oven-sh/bun/releases/download/bun-v1.3.13"
    ],
    "ips": [
      "94.154.172.43"
    ],
    "hashes": [
      "18f784b3bc9a0bcdcb1a8d7f51bc5f54323fc40cbd874119354ab609bef6e4cb",
      "8605e365edf11160aad517c7d79a3b26b62290e5072ef97b102a01ddbb343f14",
      "167ce57ef59a32a6a0ef4137785828077879092d7f83ddbc1755d6e69116e0ad"
    ],
    "processPatterns": [],
    "networkPatterns": [],
    "telemetrySelectors": []
  }
}