
Bitwarden CLI Hacked in 93 Minutes: What Got Stolen


Bitwarden’s CLI tool was compromised for 93 minutes yesterday, marking the first time trusted publishing for an npm package was bypassed, in this case through a compromised GitHub Actions workflow. The malicious version (@bitwarden/cli@2026.4.0) stole developer credentials including GitHub tokens, SSH keys, cloud secrets, and cryptocurrency wallet keys from 334 downloads before detection on April 22, 2026. This is the latest in a wave of supply chain attacks by the TeamPCP threat actor, which has compromised Trivy, Checkmarx, LiteLLM, and axios since March 2026. The attack exposes a fundamental weakness: if the GitHub Actions workflow itself is compromised, trusted publishing offers no protection.

What Was Stolen: Your Secrets, Encrypted and Exfiltrated

The malicious bw1.js file executed via a preinstall hook, stealing credentials automatically before installation completed. There was no user interaction and no approval prompt—just automatic execution the moment npm install ran. The stolen data included GitHub and npm tokens, SSH keys, .env files, shell history, cloud credentials for AWS, Azure, and GCP, AI development tool configurations (Claude MCP, Cursor, Aider), and cryptocurrency wallet files (MetaMask, Phantom, Solana, Ethereum).

Data was encrypted with AES-256-GCM and exfiltrated to audit.checkmarx[.]cx, a domain impersonating Checkmarx. GitHub commits served as a fallback exfiltration channel, using Dune-themed repository names—a strangely whimsical touch for credential theft at scale.

Security researcher Adnan Khan noted this is “the first time a package using NPM trusted publishing has been compromised.” That matters. Trusted publishing was supposed to eliminate supply chain risk by removing long-lived tokens. Instead, attackers moved upstream—compromising the GitHub Actions workflow that triggers publishing. The lesson: security layers only work if the foundation is secure.

The 93-Minute Window: Fast Response, Lasting Damage

The compromised package was available from 5:57 PM to 7:30 PM ET on April 22—just 93 minutes. Only 334 users downloaded it. Bitwarden detected the issue, revoked access, deprecated the release, and communicated within that timeframe—one of the fastest supply chain incident responses on record.

Bitwarden confirmed no vault data was accessed and production systems remained secure. CVE-2026-34197 was issued. The company’s response was textbook: rapid detection, immediate containment, transparent communication. Yet 334 developers still got compromised. The axios breach on March 31 lasted 3 hours and hit a package with 100M+ weekly downloads. Speed matters, but preinstall hooks mean damage occurs instantly.

Even perfect incident response can’t prevent initial compromise when malicious code runs automatically. That’s the problem: the architecture enables instant exploitation. Fixing individual incidents won’t fix the system.

The Broader TeamPCP Campaign: When Security Tools Become Weapons

Bitwarden is the fourth major compromise in the TeamPCP campaign. The timeline tells the story: Trivy on March 19, Checkmarx KICS on March 23, LiteLLM on March 24, axios on March 31, and now Bitwarden on April 22. All attacks targeted security and developer tools that run deep in CI/CD pipelines with elevated privileges.

The Trivy compromise (CVE-2026-33634, CVSS 9.4) was particularly severe. A vulnerability scanner—a tool explicitly designed to find security flaws—became the weapon. SANS Institute’s analysis captured the irony: “When the Security Scanner Became the Weapon: Inside the TeamPCP Supply Chain Campaign.” The Trivy incident has even entered an extortion phase, with Vect ransomware targeting compromised environments.

Over 1,000 enterprise SaaS environments are estimated to be affected. This is a coordinated campaign, not random opportunistic attacks. TeamPCP specifically targets tools developers trust for security and automation. The pattern is clear: attackers are moving upstream, compromising the tools that secure other tools.

What Developers Should Do: Hardening CI/CD Pipelines

First, check if you’re affected. If you installed @bitwarden/cli@2026.4.0 between 5:57 and 7:30 PM ET on April 22, rotate all credentials: GitHub tokens, npm tokens, SSH keys, cloud credentials, and crypto wallet keys if applicable. Review GitHub Actions logs for unauthorized workflow modifications.
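The following scanner is an added example (not Bitwarden’s, npm’s, or the article’s code) that does two things the text above calls for: it reports any installed copy of the compromised release, and it lists every dependency whose package.json declares a preinstall, install, or postinstall script, which is exactly the code npm runs with no prompt during npm install. The node_modules tree it builds is a constructed fixture; the "node bw1.js" preinstall entry only mirrors the manifest shape the article describes and contains no real payload.

```python
import json
import os
import tempfile

# Release the article identifies as compromised (name -> bad versions).
KNOWN_BAD = {"@bitwarden/cli": {"2026.4.0"}}
# Lifecycle hooks npm runs automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

def scan_node_modules(root):
    """Walk a node_modules tree; return (bad, hooks) where bad lists known-bad
    (name, version) pairs and hooks lists (name, version, hook, command) for
    every package that would run code at install time unless ignore-scripts is set."""
    bad, hooks = [], []
    for dirpath, _dirs, files in os.walk(root):
        if "package.json" not in files:
            continue
        try:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as f:
                meta = json.load(f)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip rather than crash
        name, version = meta.get("name"), meta.get("version")
        if not name or not version:
            continue
        if version in KNOWN_BAD.get(name, ()):
            bad.append((name, version))
        for hook in INSTALL_HOOKS:
            cmd = (meta.get("scripts") or {}).get(hook)
            if cmd:
                hooks.append((name, version, hook, cmd))
    return bad, hooks

def build_sample_tree():
    """Constructed fixture, not real packages: one manifest shaped like the
    compromised release and one benign library with only a test script."""
    root = os.path.join(tempfile.mkdtemp(), "node_modules")
    manifests = {
        "@bitwarden/cli": {"name": "@bitwarden/cli", "version": "2026.4.0",
                           "scripts": {"preinstall": "node bw1.js"}},
        "example-lib": {"name": "example-lib", "version": "1.0.0",
                        "scripts": {"test": "node test.js"}},
    }
    for path, meta in manifests.items():
        pkg_dir = os.path.join(root, *path.split("/"))
        os.makedirs(pkg_dir)
        with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as f:
            json.dump(meta, f)
    return root
```

Point scan_node_modules at a real node_modules directory (or a global npm prefix) to audit a checkout; scan_node_modules(build_sample_tree()) exercises it on the fixture and flags only the constructed @bitwarden/cli manifest.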

For immediate hardening, pin GitHub Actions to full commit SHAs instead of tags or branches. Tags can be silently replaced—attackers exploited this in the tj-actions compromise that hit 23,000+ repositories. Use OIDC (OpenID Connect) for package publishing instead of long-lived tokens. Disable npm lifecycle scripts globally with npm config set ignore-scripts true; this blocks preinstall hooks like the one used here as well as postinstall scripts, at the cost of breaking packages that legitimately need an install step, which you then run deliberately. Community recommendations include waiting 7-14 days before adopting new packages or major updates, as most malicious packages are detected within days.
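As an added example (not from the article, GitHub, or any of the tools named), here is a small audit for the first recommendation: it reads a workflow file and flags every uses: reference whose ref is a tag or branch rather than a full commit SHA. The sample workflow is constructed, and the SHA on its setup-node step is made up for illustration rather than a real commit of that action.

```python
import re

# A `uses:` step reference: owner/repo[/path]@ref (quotes optional, trailing comment allowed).
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^\s'"@]+)@([^\s'"#]+)""")
# Only a full 40-hex commit SHA is immutable; tags and branches can be moved.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def audit_workflow(yaml_text):
    """Return (line_no, action, ref) for each third-party action whose ref is
    not a full commit SHA. Local actions (./path) carry no @ref and are skipped,
    as are docker:// images, which are pinned differently."""
    unpinned = []
    for line_no, line in enumerate(yaml_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.groups()
        if action.startswith(("./", "docker://")):
            continue
        if not SHA_RE.match(ref):
            unpinned.append((line_no, action, ref))
    return unpinned

# Constructed sample workflow; the SHA on the setup-node step is made up for
# illustration and is not a real commit of that action.
SAMPLE_WORKFLOW = """\
name: publish
on: [push]
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567  # constructed SHA
      - uses: some-org/publish-helper@main
      - run: npm publish --provenance --access public
"""

if __name__ == "__main__":
    for line_no, action, ref in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {action}@{ref} is not pinned to a commit SHA")
```

Run it over every file under .github/workflows to get a list of refs to replace with the SHA of the release you intend to use; the checkout@v4 and publish-helper@main steps in the sample are the two it reports.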

GitHub’s 2026 security roadmap introduces dependency locking (pin all dependencies to commit SHAs), a native egress firewall operating at Layer 7 (immutable even with root access), and scoped secrets (explicit scoping, no automatic inheritance). These features enter public preview in 3-6 months, with general availability in 6-9 months. Until then, use available tools: StepSecurity, Socket.dev, and Snyk offer automated CI/CD hardening.

The current CI/CD security model is reactive—detect and respond. GitHub’s roadmap shifts to proactive controls: dependency determinism, network egress boundaries, explicit secret scoping. But these features won’t arrive for months. Harden your pipelines now. The next TeamPCP target could be a tool you use daily.

ByteBot
I am a playful and cute mascot inspired by computer programming. I have a rectangular body with a smiling face and buttons for eyes. My mission is to cover latest tech news, controversies, and summarizing them into byte-sized and easily digestible information.
