RC RANDOM CHAOS

Bitwarden CLI Pulled Into Ongoing npm Supply Chain Campaign Tracked by Checkmarx

via The Hacker News

Original source: Bitwarden CLI Compromised in Ongoing Checkmarx Supply Chain Campaign (The Hacker News)

A malicious package impersonating the Bitwarden command-line client has surfaced as the latest artifact in a supply chain campaign that Checkmarx researchers have been tracking across public registries. The attacker is leaning on typosquats and lookalike naming to insert trojanized tooling into developer workflows, where a password-manager CLI is a particularly high-value foothold: it runs in CI runners, dotfiles, and local shells with credentials already within arm's reach, and anything that executes in place of the real client inherits the same environment the genuine CLI reads (including the BW_SESSION variable that holds the unlocked session key wherever the vault has been unlocked), so it can enumerate the vault exactly as the legitimate tool would.

The broader campaign follows the now-familiar pattern of rotating package names, short-lived publisher accounts, and staged payloads that fetch second-stage code after install. Bitwarden's own signed releases are unaffected; the risk is developers who install by name from a registry without confirming that the package name and publisher match what the vendor documents, or checking provenance before installing.

Practical mitigations are the boring ones that actually work: pin exact versions, resolve the official package via the vendor's documented install path (the package name and publisher the vendor's own docs give) rather than search results, diff lockfiles for unfamiliar transitive dependencies and for tarballs resolved from unexpected hosts, install with lifecycle scripts disabled in CI (npm's --ignore-scripts flag, or ignore-scripts=true in .npmrc) so a postinstall hook cannot run unreviewed, verify registry signatures and provenance attestations where the client supports it (npm audit signatures on recent npm versions), and rotate any secrets a suspect CLI could have touched, starting with the vault session itself and then whatever the vault held. Disabling install scripts does break packages that genuinely need a build step, which is why the setting is easier to adopt on CI runners than on developer machines. Registry-side takedowns will continue to lag publication, so defense has to assume a compromised package will live long enough to run postinstall scripts in at least some environments.
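The lockfile review above can be mechanised. The script below is an added example written for this summary; it is not code from The Hacker News, from Checkmarx, or from Bitwarden. It takes a parsed package-lock.json (lockfileVersion 3) and flags lookalike names (edit distance of at most 2 from a trusted package once scope markers and punctuation are stripped), tarballs resolved from somewhere other than the official registry, packages that declare install scripts, and root dependencies that are not pinned to an exact version. "@bitwarden/cli" is the package name Bitwarden documents for its CLI; the sample lockfile, the misspelled package in it, and the internal mirror URL are constructed for the example and are not the package or infrastructure Checkmarx reported.

```javascript
"use strict";

// Added example, not code from The Hacker News, Checkmarx or Bitwarden: a
// lockfile audit for a parsed package-lock.json (lockfileVersion 3).
// Findings carry one of four rules:
//   lookalike  name within edit distance 2 of a trusted package once scope and
//              punctuation are stripped (a dropped "@scope/" or a typo)
//   registry   tarball resolved from somewhere other than the official registry
//   scripts    package declaring install scripts (npm runs them on install)
//   unpinned   root dependency declared as a range instead of an exact version
// "@bitwarden/cli" is the name Bitwarden documents for its CLI. The sample
// lockfile below and the misspelled package in it are constructed for this
// example and are not the package Checkmarx reported.

const OFFICIAL_REGISTRY = "https://registry.npmjs.org/";
const TRUSTED = ["@bitwarden/cli"];

// Exact pin: MAJOR.MINOR.PATCH with an optional prerelease tag, no range operator.
const EXACT_VERSION = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;

// Single-row Levenshtein edit distance; kept inline so the example has no dependencies.
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0]; // dp[i-1][j-1] for the current j
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = prev[j]; // dp[i-1][j]
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(above + 1, prev[j - 1] + 1, diag + cost);
      diag = above;
    }
  }
  return prev[b.length];
}

// "@bitwarden/cli", "bitwarden-cli" and "bitwarden_cli" all normalise to "bitwardencli".
function normalizeName(name) {
  return name.toLowerCase().replace(/[^a-z0-9]/g, "");
}

function auditLockfile(lock, trusted = TRUSTED, registry = OFFICIAL_REGISTRY) {
  const findings = [];
  const packages = lock.packages || {};
  const rootDeps = (packages[""] && packages[""].dependencies) || {};

  for (const [name, range] of Object.entries(rootDeps)) {
    if (!EXACT_VERSION.test(range)) {
      findings.push({ pkg: name, rule: "unpinned", detail: `declared as "${range}"` });
    }
  }

  for (const [path, meta] of Object.entries(packages)) {
    if (path === "") continue; // the root manifest entry, handled above
    // "node_modules/a/node_modules/@s/b" -> "@s/b"; workspace paths fall back to meta.name.
    const idx = path.lastIndexOf("node_modules/");
    const name = idx === -1 ? meta.name || path : path.slice(idx + "node_modules/".length);

    for (const t of trusted) {
      if (name !== t && levenshtein(normalizeName(name), normalizeName(t)) <= 2) {
        findings.push({ pkg: name, rule: "lookalike", detail: `resembles trusted package ${t}` });
      }
    }
    if (meta.resolved && !meta.resolved.startsWith(registry)) {
      findings.push({ pkg: name, rule: "registry", detail: `resolved from ${meta.resolved}` });
    }
    // npm sets hasInstallScript when a package has preinstall/install/postinstall scripts.
    if (meta.hasInstallScript) {
      findings.push({ pkg: name, rule: "scripts", detail: "declares install scripts" });
    }
  }
  return findings;
}

// Constructed sample lockfile (not a real project): one real package name with an
// unpinned range, one misspelled lookalike with an install script, and one package
// pulled from a non-registry host.
const SAMPLE_LOCK = {
  name: "ci-tooling",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "@bitwarden/cli": "^2024.1.0", "bitwardan-cli": "1.0.3", "tiny-helper": "1.3.0" } },
    "node_modules/@bitwarden/cli": {
      version: "2024.1.0",
      resolved: "https://registry.npmjs.org/@bitwarden/cli/-/cli-2024.1.0.tgz",
    },
    "node_modules/bitwardan-cli": {
      version: "1.0.3",
      resolved: "https://registry.npmjs.org/bitwardan-cli/-/bitwardan-cli-1.0.3.tgz",
      hasInstallScript: true,
    },
    "node_modules/tiny-helper": {
      version: "1.3.0",
      resolved: "https://mirror.example.internal/tiny-helper-1.3.0.tgz",
    },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.rule.padEnd(9)} ${f.pkg}: ${f.detail}`);
}
```

On a real repository, replace SAMPLE_LOCK with JSON.parse(fs.readFileSync("package-lock.json", "utf8")) and run it as a CI gate. The lookalike rule only compares against names you list in TRUSTED, so seed that list with the vendor-documented packages your builds actually depend on; a distance threshold of 2 is deliberately loose and will produce some noise on short package names, which is the right trade-off for a review aid rather than an automatic block.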

Continue reading at The Hacker News →

This is an AI-generated summary. Read the original for the full story.