By : Lockridge Okoth
Publisher : beincrypto
Date : April 23, 2026

Bitwarden CLI Supply Chain Attack Puts Crypto Wallet Keys at Risk

Attackers hijacked password manager Bitwarden’s CLI version 2026.4.0 through a compromised GitHub Action, publishing a malicious npm package that actively steals crypto wallet data and developer credentials.

Security firm Socket discovered the breach on April 23 and linked it to the ongoing TeamPCP supply chain campaign. The rogue npm version has since been pulled.

Malware Target Risks Crypto Wallets and CI/CD Secrets

The malicious payload, embedded in a file called bw1.js, ran during package installation and harvested GitHub and npm tokens, SSH keys, environment variables, shell history, and cloud credentials.

TeamPCP’s broader campaign is separately confirmed to target crypto wallet data, including MetaMask, Phantom, and Solana wallet files.

According to JFrog, the stolen data was exfiltrated to attacker-controlled domains and committed back to GitHub repositories as a persistence mechanism.

Many crypto teams use the Bitwarden CLI in automated CI/CD pipelines for secrets injection and deployments. Any workflows that ran the compromised version may have exposed high-value wallet keys and exchange API credentials.

Security researcher Adnan Khan noted this is the first known compromise of a package using npm’s trusted publishing mechanism, which was designed to eliminate long-lived tokens.

What Affected Users Should Do

Socket recommends that anyone who installed @bitwarden/cli version 2026.4.0 rotate every exposed secret immediately.

Users should downgrade to version 2026.3.0 or switch to official signed binaries from Bitwarden’s website.

TeamPCP has chained similar attacks against Trivy, Checkmarx, and LiteLLM since March 2026, targeting developer tools that sit deep in build pipelines.

Bitwarden’s core vault remains unaffected. Only the CLI build process was compromised.

The post Bitwarden CLI Supply Chain Attack Puts Crypto Wallet Keys at Risk appeared first on BeInCrypto.

Read more

Latest News

Operation Veil of Maya: Brazilian ...
By Sergio Goschenko
Publisher : news
Date : July 10, 2026
Hong Kong Bans SMS and Email Login...
By Phil Haunhorst
Publisher : beincrypto
Date : July 10, 2026
Polymarket Seeks to Offer Margin T...
By Kamina Bashir
Publisher : beincrypto
Date : July 10, 2026
Goldman Sachs blocks staff from tr...
By Rony Roy
Publisher : crypto
Date : July 10, 2026
Bitcoin gets a green light from a ...
By Omkar Godbole
Publisher : coindesk
Date : July 10, 2026