Bitwarden Confirms Compromise: What 10 Million Users Need to Know

Supply chain attack hit developer CLI tool for 93 minutes, affecting just 334 of 10+ million users

By Alex Barrientos

Key Takeaways

  • Bitwarden’s CLI tool compromised for 93 minutes, affecting only 334 users.
  • Supply chain attack targeted developer credentials through malicious NPM package distribution.
  • User password vaults remained secure due to zero-knowledge encryption architecture.

Social media is buzzing with Bitwarden breach panic, but your password vault remains untouched. The company confirmed a malicious NPM package briefly infiltrated their CLI tool—not the core password manager protecting your daily logins. Your stored passwords, credit cards, and secure notes never faced exposure.

Timeline Reveals Limited Window

The compromise occurred April 22nd from 5:57 PM to 7:30 PM Eastern—a 93-minute window during which the malicious release was served from the NPM registry as @bitwarden/cli@2026.4.0. Only 334 users downloaded the malicious version during this brief period, according to Bitwarden’s community forum. That’s a microscopic fraction of Bitwarden’s 10+ million user base, most of whom use the standard apps and browser extensions that remained completely secure.

Supply Chain Attack Targets Developer Tools

This wasn’t a vault breach—it was supply chain sabotage. Attackers compromised Checkmarx tools to inject the “Shai-Hulud” malware into Bitwarden’s NPM publishing pipeline via GitHub Actions. The malware targeted developer credentials like API tokens and SSH keys, then exfiltrated data through public GitHub repositories tagged “Shai-Hulud: The Third Coming.” Sophisticated? Yes. Dangerous to your Netflix password? No.

Clean Remediation Already Complete

Bitwarden deprecated the compromised package within hours and released version 2026.4.1 as the clean replacement. If you installed or updated the CLI that day, check what you have with bw --version: if it reports 2026.4.0, uninstall it immediately, clear your NPM cache, install 2026.4.1, and rotate any development secrets the malware could have read from that machine (API tokens, SSH keys and similar). Any build machine that pulled the package in that window needs the same treatment, since the 334 downloads count machines, not just people. For everyone else using Bitwarden’s standard applications, no action is required—your vault encryption never wavered.
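The check and cleanup described above, written out as a small shell script. This is an added example, not Bitwarden’s own tooling; the only facts it takes from the article are the bad release (2026.4.0) and the clean one (2026.4.1). The bw --version and npm commands are the standard ones; the sample lockfile it writes is constructed here purely to exercise the lockfile check offline.

```shell
#!/bin/sh
# Added example (not Bitwarden's own tooling): check a workstation or a project
# lockfile for the compromised @bitwarden/cli release and run the cleanup the
# article describes. Assumed from the article: 2026.4.0 is the bad release and
# 2026.4.1 the clean replacement.

BAD_PKG='@bitwarden/cli'
BAD_VERSION='2026.4.0'
CLEAN_VERSION='2026.4.1'

# Exit 0 when the version string given as $1 is the compromised release.
is_compromised_version() {
  [ "$1" = "$BAD_VERSION" ]
}

# Exit 0 when an npm package-lock.json (lockfile v2/v3 "packages" map) pins the
# compromised release. Uses awk only, so it works with BusyBox and GNU userland.
lockfile_has_bad_cli() {
  awk -v key="\"node_modules/$BAD_PKG\"" -v ver="\"$BAD_VERSION\"" '
    index($0, key)         { in_pkg = 1; next }
    in_pkg && /"version":/ { if (index($0, ver)) found = 1; in_pkg = 0 }
    END                    { exit found ? 0 : 1 }
  ' "$1"
}

# Writes a constructed sample lockfile (not from any real project) pinning the
# version given as $2, so the check above can be exercised offline.
write_sample_lockfile() {
  cat > "$1" <<EOF
{
  "name": "sample-project",
  "lockfileVersion": 3,
  "packages": {
    "node_modules/@bitwarden/cli": {
      "version": "$2",
      "resolved": "https://registry.npmjs.org/@bitwarden/cli/-/cli-$2.tgz"
    }
  }
}
EOF
}

# Cleanup for a developer host. `bw --version` prints the installed CLI
# version; the npm commands are the standard ones for a global package.
# Rotation of the exposed secrets is left to the operator.
remediate_host() {
  command -v bw >/dev/null 2>&1 || { echo "bw not installed; nothing to do"; return 0; }
  installed=$(bw --version 2>/dev/null)
  if is_compromised_version "$installed"; then
    echo "compromised $BAD_PKG $BAD_VERSION found; removing"
    npm uninstall -g "$BAD_PKG"
    npm cache clean --force
    npm install -g "$BAD_PKG@$CLEAN_VERSION"
    echo "rotate every secret readable from this host: npm tokens, GitHub tokens, SSH keys, cloud credentials"
  else
    echo "installed $BAD_PKG $installed is not the compromised release"
  fi
}

# Usage on a real host:   . ./check_bw_cli.sh && remediate_host
# Usage on a repository:  lockfile_has_bad_cli package-lock.json && echo "pinned to bad release"
```

The lockfile check matters for teams that vendor the CLI into a project: a developer who ran the cleanup on their laptop can still be reinstalled onto the bad release by npm ci if package-lock.json pins 2026.4.0.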

Why This Actually Proves Password Managers Work

The real story here isn’t the breach—it’s the response. Bitwarden’s zero-knowledge architecture meant even a supply chain compromise couldn’t touch user vaults: vault contents are encrypted on the user’s own device with a key derived from the master password, so a poisoned build pipeline had nothing usable to steal. The company detected, contained, and remediated within hours while maintaining full transparency. Compare that to industry breach response times—where attackers often lurk undetected for months—and you’ll understand why security experts still recommend password managers despite incidents like this one.
