Bitwarden

supply-chain 2026-04-24
@bitwarden/cli 2026.4.0 Backdoored in 93-Minute npm Window — 'Shai-Hulud: The Third Coming' Worm Hijacks Developer Credentials
A trojanized @bitwarden/[email protected] sat live on npm for 93 minutes on April 22, exfiltrating GitHub/npm tokens, SSH keys, cloud creds, and crypto wallet keys — and self-propagating through victims' own npm packages. The pivot came from the ongoing Checkmarx/TeamPCP campaign.
supply-chain npm bitwarden checkmarx shai-hulud worm ci-cd teampcp

@bitwarden/cli 2026.4.0 Backdoored in 93-Minute npm Window — 'Shai-Hulud: The Third Coming' Worm Hijacks Developer Credentials