Bitwarden CLI Hijacked in npm Supply Chain Attack Linked to TeamPCP & Checkmarx Breach
ID: ca90b347-8eb3-5c5c-ac9b-a59cb81ee6c8
STIX ID: report--ca90b347-8eb3-5c5c-ac9b-a59cb81ee6c8
Feed Name: SOCRadar Blog
A malicious release of the Bitwarden CLI npm package (v2026.4.0) was available for roughly 90 minutes on April 22, 2026. The release replaced the legitimate CLI entry points with a Bun runtime loader and an obfuscated infostealer that collected SSH keys, .npmrc files, cloud credentials, GitHub tokens, CI/CD secrets, and AI/MCP tooling keys. Collected data was encrypted with a hybrid RSA/AES-GCM scheme and exfiltrated to audit.checkmarx.cx (94.154.172.43), with staged GitHub repositories used as a fallback channel. Researchers attribute the campaign to TeamPCP and link it to a broader Checkmarx supply-chain compromise. Bitwarden revoked access, deprecated the malicious release, and published remediation guidance that includes token rotation and network blocks.
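The following is an added triage example, not code from SOCRadar, Bitwarden, or the researchers. It checks two things a responder would want to know first: whether any lockfile pins the malicious release, and whether any egress log shows a host reaching the exfiltration domain or IP named above. It assumes the affected package is published under the Bitwarden CLI's npm name @bitwarden/cli, that lockfiles use npm's package-lock.json layout (lockfileVersion 1, 2 or 3), and that egress logs are in a constructed "timestamp source target[:port]" format; the sample lockfile and log lines are constructed for the example.

```python
"""Triage helpers for the malicious @bitwarden/cli 2026.4.0 release (added example)."""
import json
import re

MALICIOUS_PACKAGE = "@bitwarden/cli"  # assumption: npm name of the Bitwarden CLI
MALICIOUS_VERSION = "2026.4.0"        # malicious release named in the summary
IOC_HOST = "audit.checkmarx.cx"       # exfiltration host named in the summary
IOC_IP = "94.154.172.43"              # exfiltration IP named in the summary

# Constructed package-lock.json (lockfileVersion 3) pinning the bad release.
SAMPLE_LOCK = json.dumps({
    "name": "ci-tooling",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "ci-tooling", "dependencies": {"@bitwarden/cli": "2026.4.0"}},
        "node_modules/@bitwarden/cli": {"version": "2026.4.0"},
        "node_modules/left-pad": {"version": "1.3.0"},
    },
})

# Constructed egress log: "timestamp source target[:port]" (assumed format).
SAMPLE_LOG = """
2026-04-22T14:03:11Z build-runner-07 registry.npmjs.org:443
2026-04-22T14:05:40Z build-runner-07 audit.checkmarx.cx:443
2026-04-22T14:05:42Z build-runner-07 94.154.172.43:443
2026-04-22T14:06:01Z dev-laptop-12 api.github.com:443
"""

LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<target>\S+)$")


def find_malicious_lock_entries(lock_text: str) -> list[str]:
    """Return lockfile keys whose @bitwarden/cli entry is pinned to the malicious version."""
    lock = json.loads(lock_text)
    hits = []
    # lockfileVersion 2/3: "packages" is keyed by install path, e.g. node_modules/@bitwarden/cli
    for path, meta in lock.get("packages", {}).items():
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        if name == MALICIOUS_PACKAGE and meta.get("version") == MALICIOUS_VERSION:
            hits.append(path)
    # lockfileVersion 1: "dependencies" is keyed by package name
    for name, meta in lock.get("dependencies", {}).items():
        if name == MALICIOUS_PACKAGE and meta.get("version") == MALICIOUS_VERSION:
            hits.append(name)
    return hits


def find_ioc_log_lines(log_text: str) -> list[dict]:
    """Flag log lines whose target (port stripped) is the IOC host, a subdomain of it, or the IOC IP."""
    flagged = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # blank or malformed line
        target = m["target"].split(":")[0].lower()
        if target in (IOC_HOST, IOC_IP) or target.endswith("." + IOC_HOST):
            flagged.append({"ts": m["ts"], "src": m["src"], "target": target})
    return flagged


if __name__ == "__main__":
    print("lockfile hits:", find_malicious_lock_entries(SAMPLE_LOCK))
    for hit in find_ioc_log_lines(SAMPLE_LOG):
        print("egress to IOC:", hit)
```

Two caveats follow from the summary itself. The stealer falls back to staged GitHub repositories, so a log match on the domain or IP is confirmation, not absence of compromise: the dev-laptop-12 line to api.github.com above is not flagged, and a host that installed the bad version but never reached audit.checkmarx.cx must still be treated as compromised. Second, a clean lockfile does not clear a machine that installed the CLI globally during the 90-minute window, which is why Bitwarden's guidance centres on rotating the credential types listed above rather than on network blocks alone.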
