Embedded Malicious Code Affecting @bitwarden/cli package, versions =2026.4.0

Q: How to fix?

Avoid using all malicious instances of the @bitwarden/cli package.

Threat Intelligence

Attacked

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk IDSNYK-JS-BITWARDENCLI-16150367
published23 Apr 2026
disclosed22 Apr 2026
creditMeitar Palas

Report a new vulnerability Found a mistake?

Introduced: 22 Apr 2026

New Malicious CWE-506 (opens in a new tab)

How to fix?

Avoid using all malicious instances of the @bitwarden/cli package.

Overview

@bitwarden/cli is an A secure and free password manager for all of your devices.

Affected versions of this package are vulnerable to Embedded Malicious Code included in a compromised release that is suspected to be part of the Checkmarx April compromise. The payload is delivered via bw_setup.js and bw1.js and aims to steal GitHub/npm tokens, .ssh, .env, shell history, GitHub Actions, and cloud secrets, then exfiltrates the data to private domains and as GitHub commits.

References

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
None
Privileges Required (PR)
None
User Interaction (UI)
None

Confidentiality (VC)
High
Integrity (VI)
High
Availability (VA)
High

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None