Bitwarden CLI npm compromise
How Automic Vault would have prevented the Bitwarden CLI npm compromise.
Bitwarden said the vault service was not breached. The dangerous part was the npm-distributed CLI package running with local developer authority. Automic Vault would have prevented that install-time code from turning a CLI update into workstation credential theft.
Published April 23, 2026
Automic Vault would have prevented the damaging local phase of this incident: the moment malicious package or extension code tried to read workstation secrets, use credential-bearing tools, or install persistence as the developer.
Incident Facts
- Date: April 22, 2026
- Trigger: @bitwarden/cli 2026.4.0 from npm ran a malicious preinstall loader.
- Local targets: ~/.ssh, .git-credentials, .npmrc, .env, shell history, cloud CLI state, and AI/MCP config files.
- Follow-on behavior: Primary exfiltration to audit.checkmarx.cx with GitHub-based fallback staging and abuse of stolen tokens.
What Happened?
Bitwarden disclosed that a malicious @bitwarden/cli 2026.4.0 npm package was briefly distributed on April 22, 2026. The NVD record for CVE-2026-42994 places the affected npm window from 21:57 UTC to 23:30 UTC.
Researchers reported that the package used a malicious preinstall path and loader files rather than simply shipping the normal CLI. That matters because npm lifecycle scripts execute during installation, before a developer ever has a chance to run the command-line tool for a real password-manager task.
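Because install hooks run before anyone invokes the tool, the practical defence is to audit a release's manifest before installing it and to treat a hook that appears between versions as a stop signal. The script below is an added example, not code from Bitwarden or Automic Vault; the two manifests it checks are constructed samples and the file names in them are hypothetical.

```python
"""Audit npm package manifests for install-time lifecycle hooks.

npm runs preinstall/install/postinstall automatically while a dependency is
being installed, so a hooked release executes before the developer ever runs
the CLI. Reviewing hooks before install (or installing with --ignore-scripts
and enabling them deliberately) keeps that step visible.
"""
import json
from pathlib import Path

# Hooks npm executes on its own when a registry package is installed as a
# dependency; "prepare" and friends apply to git/local installs and are omitted.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def install_hooks(manifest: dict) -> dict:
    """Return {hook: command} for every install-time hook in a package.json."""
    scripts = manifest.get("scripts") or {}
    return {h: scripts[h] for h in INSTALL_HOOKS if scripts.get(h)}


def new_hooks(previous: dict, candidate: dict) -> list:
    """Hooks present in the candidate release that the previous one lacked.

    A CLI that suddenly gains a preinstall step between versions is the
    pattern worth holding an upgrade for until the script has been read.
    """
    before, after = install_hooks(previous), install_hooks(candidate)
    return [h for h in INSTALL_HOOKS if h in after and h not in before]


def audit_package_dir(package_dir) -> dict:
    """Audit <dir>/package.json, e.g. an unpacked `npm pack` tarball."""
    manifest = json.loads(Path(package_dir, "package.json").read_text("utf-8"))
    return install_hooks(manifest)


# Constructed sample manifests; they are not the real package contents.
PREVIOUS = {"name": "example-cli", "version": "1.0.0",
            "scripts": {"test": "node test.js"}}
CANDIDATE = {"name": "example-cli", "version": "1.0.1",
             "scripts": {"test": "node test.js",
                         "preinstall": "node setup/loader.js"}}

if __name__ == "__main__":
    added = new_hooks(PREVIOUS, CANDIDATE)
    for hook in added:
        print(f"{CANDIDATE['name']}@{CANDIDATE['version']}: new {hook} hook -> "
              f"{install_hooks(CANDIDATE)[hook]}")
    if added:
        raise SystemExit("refusing to install until hooks are reviewed")
```

Run it against the manifest from `npm pack <package>@<version>` (extracted, not installed) before the version reaches a workstation with real credentials.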
The attacker did not need Bitwarden vault data to make the compromise serious. The local machine already had developer credentials: GitHub tokens, npm tokens, shell history, cloud credential databases, .env files, SSH material, and MCP or AI-tool configuration. The package tried to take those.
What Actually Failed?
The failed assumption was that an official package name meant install scripts were safe to run with the user account. The npm identity was trusted, so the local preinstall script inherited broad read access and network reachability.
Classic secret scanning finds a leak after a value appears in a file, log, repository, or alert. This attack used the package install itself as the collection point. By the time an advisory appears, the attacker may already have enough material to push to repositories, publish new packages, or access cloud accounts.
Where Automic Vault Would Have Stopped It
Install code would not get the secret trove
Automic Vault is built around keeping secrets out of plaintext developer-tool files. The malicious preinstall script would not get to scrape a broad set of local credentials just because npm invoked it.
Credential use would be tool-scoped
The real Bitwarden CLI can be allowed to receive specific credentials for a specific execution. A setup loader or downloaded runtime does not automatically receive the same authority.
Sensitive follow-on actions would require approval
Creating repositories, using GitHub write APIs, publishing packages, or invoking credential-bearing tools are the kinds of actions Automic Vault puts behind visible command approval gates.
Why This Is Prevention, Not Just Detection
Automic Vault would have prevented the local credential theft phase by denying the install hook the thing it wanted most: ambient access to every useful file and token on the developer machine.
The compromised package could still fail installation. It could still be detected as a bad release later. What it could not do is silently collect ~/.ssh, .npmrc, cloud CLI state, shell history, and AI-tool config as a single attacker-ready archive.
For developer workstations, that is the prevention line that matters. Automic Vault turns a poisoned package from a credential breach into an untrusted execution attempt with no easy local secrets to steal.
Automic Vault does not claim to make npm, PyPI, GitHub Actions, or extension marketplaces impossible to compromise. The prevention claim is narrower and more useful: compromised tools should not inherit every credential and sensitive path on a developer machine.