
Changelog News Bitwarden CLI compromised
Apr 29, 2026 Nicky Pike, a Coder.com representative focused on secure cloud development, talks about supply-chain attacks and token scraping in a recent CLI compromise. They also discuss rapid compiler performance gains, OS release security features, and the challenges when long-time maintainers step away. Quick, topical, and security-focused.
Respond Immediately If You Ran Bitwarden CLI
- Treat any recent runs of the Bitwarden BW CLI on dev machines or CI as an incident requiring response, not a routine update.
- Investigate for exfiltration, rotate tokens and keys, and audit runners, since the malicious package targeted the GitHub Actions CI vector.
CLI Tools Are Now Primary Secret Risk
- Bitwarden's official CLI was published to NPM with malicious code that scraped local secrets and cloud credentials.
- The compromised build exfiltrated GitHub tokens, AWS/Azure/GCP credentials, SSH keys, shell profiles and cloud configuration to a spoofed audit.checkmarks endpoint.
GitHub Actions Are A Repeatable Supply Chain Vector
- The Bitwarden compromise follows the broader Checkmarx-themed campaign that abused GitHub Actions as a supply-chain vector.
- This shows attackers are pursuing strategic, repeatable CI/CD vectors across developer tooling, not one-off packages.

