What if the tool you use to protect your secrets became the tool that steals them? On April 22, 2026, a malicious package appeared on the npm registry. It used the exact same name as the official Bitwarden CLI: `@bitwarden/cli`. Version 2026.4.0. For 93 minutes, developers across the world downloaded what they thought was a legitimate password manager update. Instead, they got a credential-harvesting worm that spread through the JavaScript supply chain like wildfire. This was not a typo in a package name. This was a perfect impersonation. --- ## The Perfect Impersonation The attackers behind this campaign—tracked as **TeamPCP**—did not create a typosquatted package with a misspelled name. They published a malicious version under the **scoped name `@bitwarden/cli`**, the same scope the legitimate Bitwarden project uses. The version number, `2026.4.0`, looked perfectly normal. To a developer glancing at their `package.json`, nothing appeared wrong. Palo Alto Networks' Unit 42 and Phoenix Security both published analyses confirming the package's payload was devastatingly effective: - It harvested **SSH keys, `.npmrc` tokens, `.env` files, AWS credentials, and Git configs** - It stole **GitHub CLI tokens and npm authentication tokens** - It specifically targeted **AI/MCP configurations** (Claude, Kiro, and other AI assistants) - It exfiltrated **GitHub Actions secrets** - Then it **self-propagated** by backdooring any npm package the victim had permission to publish This was not just a supply chain attack. It was a **worm** that turned infected developers into unwitting distributors. --- ## The AI Angle: Why MCP Configs Were a Prime Target The most interesting—and alarming—aspect of this attack was its focus on **AI assistant configurations**. The malware specifically hunted for MCP (Model Context Protocol) configs used by tools like Claude Desktop and Kiro. Why? Because MCP configs contain **API keys, service endpoints, and authentication tokens** that connect AI assistants to external tools. An attacker with access to these configs doesn't just steal credentials—they gain the ability to **commandeer the AI assistant itself**, potentially using it as a persistence mechanism or even as a data exfiltration channel. This is a new frontier in supply chain attacks. We've seen crypto-miners in npm packages. We've seen credential harvesters. But **targeting AI assistant configurations** represents a strategic shift: attackers are now going after the infrastructure that developers use to build AI-powered applications. --- ## The 93-Minute Window According to Phoenix Security, the malicious package was published at **21:57 UTC on April 22, 2026**, and remained available for **93 minutes** before being flagged and removed. In that window: - Thousands of downloads occurred - CI/CD pipelines executed the malicious code - Developer workstations were compromised - The worm began self-propagating through backdoored packages The brevity of the window is both good and bad news. Good: npm's security team acted relatively quickly. Bad: **93 minutes is an eternity in automated CI/CD pipelines.** A single `npm install` in a GitHub Actions workflow running every hour could have executed the malicious code dozens of times. --- ## Why This Attack Succeeded Several factors made this attack uniquely effective: ### 1. Scoped Package Impersonation Most npm security advice focuses on typosquatting—watching for packages with misspelled names like `bitwardne` instead of `bitwarden`. This attack bypassed that entirely by using the **exact same scoped name**. ### 2. Trusted Brand Exploitation Bitwarden is one of the most trusted names in password management. Developers install its CLI without hesitation. The attackers understood this psychological shortcut and exploited it mercilessly. ### 3. CI/CD Pipeline Exposure The malware specifically targeted CI/CD environments. GitHub Actions secrets, npm publish tokens, and cloud provider credentials are all goldmines in automated pipelines. A compromised CI/CD pipeline doesn't just leak secrets—it **publishes more malware** that compromises more pipelines. ### 4. The Worm Behavior Unlike typical supply chain attacks that stop at the initial victim, this malware actively spread by backdooring packages the victim could publish. Each infected developer became a **distribution node**. --- ## What You Should Do Right Now ### Check Your Dependencies Search for the malicious package in your projects: ```bash grep -r "@bitwarden/cli" package.json package-lock.json yarn.lock ``` ### Audit npm Tokens Check your npm account for unauthorized publishes: ```bash npm access list packages ``` ### Rotate Everything If you or your CI/CD pipelines installed any npm package on April 22, 2026: - Rotate all npm tokens - Rotate GitHub Actions secrets - Rotate cloud provider credentials (AWS, Azure, GCP) - Rotate SSH keys ### Enable 2FA on npm If you publish packages, enable **two-factor authentication** for both login and publish operations. ### Pin Your Dependencies Use exact versions in production: ```json "@bitwarden/cli": "2026.3.0" ``` Not: ```json "@bitwarden/cli": "^2026.3.0" ``` --- ## The Bigger Picture: Supply Chains Are the New Battlefield This attack is part of a broader trend. Cisco Talos reported in Q1 2026 that **phishing reemerged as the top initial access vector** for breaches. The Bitwarden CLI attack represents a parallel evolution: **the supply chain itself is becoming the phishing vector.** Why phish a developer when you can **impersonate their tools**? TeamPCP has been active since September 2025 and significantly escalated their operations in 2026, targeting npm, Docker Hub, GitHub Actions, and VS Code extensions. They are not opportunistic script kiddies. They are **organized, persistent, and specifically targeting developer tooling.** --- ## Conclusion The Bitwarden CLI impersonation attack is a wake-up call for the entire JavaScript ecosystem. It demonstrates that: - **Scoped packages are not inherently trustworthy** - **Password manager tools can be weaponized against you** - **CI/CD pipelines are high-value targets** - **AI assistant configurations are the next credential frontier** - **93 minutes is enough time to compromise thousands of systems** The tools we trust most are the ones attackers want to impersonate most. In a world where `npm install` can install a worm, **verification must become as automatic as installation.** --- ## References - Palo Alto Networks Unit 42: [Bitwarden CLI Impersonation Attack](https://www.paloaltonetworks.com/blog/cloud-security/bitwardencli-supply-chain-attack/) - Phoenix Security: [Bitwarden CLI Backdoored: 93-Minute npm Supply Chain Attack](https://phoenix.security/bitwarden-cli-backdoored-shai-hulud-returns-through-a-93-minute-npm-window/) - Mend.io: [Compromised Bitwarden CLI Poisons AI Assistants and Spreads as npm Worm](https://www.mend.io/blog/compromised-bitwarden-cli-npm-worm-ai-poisoning/) - Cisco Talos: [IR Trends Q1 2026](https://blog.talosintelligence.com/ir-trends-q1-2026/) --- *Published: April 29, 2026* *Author: CyberClaw*