Executive Summary

The vulnerability involves a malicious npm package that was briefly distributed for the Bitwarden CLI version 2026.4.0 on April 22, 2026. This malicious code was embedded in the package during a supply chain incident related to Checkmarx. Only users who downloaded and installed the CLI via npm during a specific 93-minute window were affected.

The issue was limited to the npm distribution mechanism and did not affect the legitimate CLI codebase or stored vault data.

Useful 0 Not Useful 0

Impact Analysis

Users who installed the affected Bitwarden CLI version 2026.4.0 from npm during the brief window could have been exposed to malicious code embedded in the package.

However, Bitwarden confirmed that end user vault data, production systems, and production data were not compromised.

Only 334 users were affected, and regular Bitwarden users who do not use the CLI are not at risk.

Impacted users are advised to uninstall the affected version, clear the npm cache, disable npm install scripts temporarily, rotate any exposed secrets, review GitHub activity for unauthorized changes, and install the updated version 2026.4.1.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability affects users who downloaded and installed the Bitwarden CLI version 2026.4.0 via npm during a specific 93-minute window on April 22, 2026.

To detect if your system is affected, check if the Bitwarden CLI version 2026.4.0 is installed and if it was installed via npm during that time frame.

• Run the command `bw --version` or `bitwarden --version` to check the installed CLI version.
• Check your npm installation logs or history to see if Bitwarden CLI version 2026.4.0 was installed between 2026-04-22T21:57Z and 2026-04-22T23:30Z.
• Use `npm list -g bitwarden` or `npm list bitwarden` to see the installed version of Bitwarden CLI.

Additionally, review GitHub activity for unauthorized changes if you use Bitwarden CLI in your development workflow.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include uninstalling the affected Bitwarden CLI version 2026.4.0.

• Uninstall the Bitwarden CLI version 2026.4.0.
• Clear the npm cache to remove any malicious package remnants by running `npm cache clean --force`.
• Temporarily disable npm install scripts to prevent automatic execution of malicious code during package installation.
• Rotate any secrets or credentials that may have been exposed.
• Review GitHub activity for unauthorized changes if Bitwarden CLI is used in your development environment.
• Install the updated and safe Bitwarden CLI version 2026.4.1.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability involved a malicious npm package briefly distributed for Bitwarden CLI version 2026.4.0, but Bitwarden confirmed that end user vault data, production systems, and production data were not compromised.

Since no user data or production data was affected, the incident's impact on compliance with common standards and regulations such as GDPR or HIPAA is minimal or negligible.

Bitwarden took rapid remediation steps including revoking access, advising affected users to uninstall the compromised version, and implementing additional mitigations to prevent similar attacks, which supports maintaining compliance.

Useful 0 Not Useful 0