Bitwarden CLI Compromised in Ongoing Checkmarx Supply Chain Campaign
Posted by bionic80@reddit | sysadmin | 7 comments
In the latest series of attacks against NPM providers, customers are recommended to immediately move from bitwarden/cli@2026.4.0 to the .1 release and rotate all secrets.
https://thehackernews.com/2026/04/bitwarden-cli-compromised-in-ongoing.html
ilikeyoureyes@reddit
I use bw cli but download binaries from their GitHub. Should I be good because I didn’t install using npm?
bionic80@reddit (OP)
Check that you aren't on the affected version just to be safe...
bobdobalina@reddit
yes
blbd@reddit
Man. What a king sized pain in the ass for the affected parties.
voltagejim@reddit
So does this affect everyone who had the free Bitwarden desktop version or the app version?
bionic80@reddit (OP)
Specifically affects the CLI tools allowing for CD/CI style deployments. It's still bad for enterprise customers who use this to access Bitwarden vaults through automation.
Forgotmyaccount1979@reddit
Neither.
This is specific to 334 users that downloaded a bad cli version for dev stuff.
https://community.bitwarden.com/t/bitwarden-statement-on-checkmarx-supply-chain-incident/96127
They did a blog post about it.
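The version check bionic80 suggests above, as an added defender-side script that is not from the thread or from Bitwarden: it compares the `bw` binary on PATH and any global npm install of `@bitwarden/cli` against the compromised release 2026.4.0. It assumes `bw --version` prints a bare version string and that `npm root -g` locates the global package directory.

```shell
#!/bin/sh
# Release the thread names as compromised; the recommended move is to 2026.4.1.
AFFECTED_VERSION="2026.4.0"
# Reduce "2026.4.0", "@bitwarden/cli@2026.4.0" or padded `bw --version` output to a bare version.
normalize_version() {
  v=${1##*@}                         # drop everything up to the last '@' (no-op without one)
  printf '%s' "$v" | tr -d '[:space:]'
}
# Succeed (exit 0) only if the given version string is the compromised release.
is_affected_version() {
  [ "$(normalize_version "$1")" = "$AFFECTED_VERSION" ]
}
# Pull the "version" field from a package.json on stdin (npm writes it on its own line).
version_from_package_json() {
  sed -n 's/^[[:space:]]*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}
# Check the bw on PATH and, if npm is present, the globally installed @bitwarden/cli.
# Returns 0 = nothing affected, 1 = affected install found, 2 = no install found at all.
# Assumption (not from the thread): `bw --version` prints the bare version string.
check_bw_install() {
  found=0; hit=0
  if command -v bw >/dev/null 2>&1; then
    found=1
    binver=$(bw --version 2>/dev/null)
    if is_affected_version "$binver"; then
      echo "AFFECTED: bw on PATH reports $binver"; hit=1
    else
      echo "ok: bw on PATH reports $binver"
    fi
  fi
  if command -v npm >/dev/null 2>&1; then
    pkg="$(npm root -g 2>/dev/null)/@bitwarden/cli/package.json"
    if [ -f "$pkg" ]; then
      found=1
      npmver=$(version_from_package_json <"$pkg")
      if is_affected_version "$npmver"; then
        echo "AFFECTED: global npm package @bitwarden/cli@$npmver"; hit=1
      else
        echo "ok: global npm package @bitwarden/cli@$npmver"
      fi
    fi
  fi
  [ "$hit" -eq 1 ] && { echo "upgrade to 2026.4.1 and rotate every secret this CLI could reach"; return 1; }
  [ "$found" -eq 1 ] || { echo "no bw or @bitwarden/cli install found"; return 2; }
  return 0
}
status=0
check_bw_install || status=$?   # in CI, follow with: exit "$status" to fail the job on a hit
```

Binaries fetched from GitHub rather than npm still report a version via `bw --version`, so the same check covers the question ilikeyoureyes asks above.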