Bitwarden CLI npm Package Hit by Supply Chain Attack: Affected for Approximately 1.5 Hours, Developer Credentials at Risk
Author: site editor (小编)

The npm package for the Bitwarden CLI was hit by a supply chain attack: a malicious release, version 2026.4.0, stole sensitive data from developers' machines, including npm tokens, SSH keys, and cloud credentials. The malicious version went live at 5:57 PM Eastern Time on April 22, 2026, and was removed at 7:30 PM the same day, so it was available for roughly an hour and a half.

The malicious package used a bw_setup.js loader that executed the bw1.js script through the Bun runtime to harvest data, and the payload was capable of self-propagating. Stolen data was encrypted and uploaded to a public GitHub repository belonging to the victim. The attack has been attributed to TeamPCP, which injected the malicious code through compromised tooling.

Bitwarden stated that user vault data was not affected, has revoked the compromised permissions, and has withdrawn the malicious version. Security agencies recommend that affected developers immediately rotate the credentials used in their CI/CD pipelines and cloud environments.
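Before rotating credentials, a developer needs to know whether a given project or machine ever pulled the bad release. The script below is an added example, not Bitwarden's code and not something from the article; it checks npm lockfiles (both the v1 "dependencies" layout and the v2/v3 "packages" layout) and an installed node_modules tree for the indicators the article names: version 2026.4.0 and the bw_setup.js / bw1.js files. It assumes the Bitwarden CLI is published on npm as @bitwarden/cli, which the article does not state, and the lockfiles it scans are constructed fixtures, not real ones.

```python
"""Scan for the compromised Bitwarden CLI npm release described in the article.

Added example, not Bitwarden's or the article's code. Assumptions (labelled):
  - the Bitwarden CLI is published on npm as @bitwarden/cli (the article only
    says "the npm package for Bitwarden CLI");
  - the indicators are exactly those the article names: version 2026.4.0 and
    the files bw_setup.js / bw1.js inside the installed package directory.
"""
import json
import os
import tempfile
from pathlib import Path
from typing import Dict, List

PACKAGE = "@bitwarden/cli"                 # assumption: npm name of the Bitwarden CLI
BAD_VERSIONS = {"2026.4.0"}                 # malicious release named in the article
LOADER_FILES = {"bw_setup.js", "bw1.js"}    # loader and payload file names from the article


def lockfile_hits(lock_text: str) -> List[str]:
    """Return lockfile entries that pin a malicious version.

    lockfileVersion 2/3 lists "packages" keyed by node_modules path
    (e.g. "node_modules/@bitwarden/cli"); lockfileVersion 1 lists
    "dependencies" keyed by package name, nested for transitive deps.
    Both layouts are checked so a transitive pull-in is not missed.
    """
    data = json.loads(lock_text)
    hits: List[str] = []

    for path, entry in data.get("packages", {}).items():
        if path.endswith("node_modules/" + PACKAGE) and entry.get("version") in BAD_VERSIONS:
            hits.append(f"{path}@{entry['version']}")

    def walk(deps: Dict[str, dict], prefix: str) -> None:
        for name, entry in deps.items():
            if name == PACKAGE and entry.get("version") in BAD_VERSIONS:
                hits.append(f"{prefix}{name}@{entry['version']}")
            walk(entry.get("dependencies", {}), f"{prefix}{name} > ")

    walk(data.get("dependencies", {}), "")
    return hits


def installed_hits(node_modules: Path) -> List[str]:
    """Inspect an installed copy: bad version in package.json, or loader files on disk.

    Point this at a project's node_modules or at the output of `npm root -g`
    to cover a globally installed bw binary.
    """
    pkg_dir = node_modules / PACKAGE
    findings: List[str] = []
    manifest = pkg_dir / "package.json"
    if manifest.is_file():
        version = json.loads(manifest.read_text()).get("version")
        if version in BAD_VERSIONS:
            findings.append(f"installed {PACKAGE}@{version}")
    if pkg_dir.is_dir():
        for root, _dirs, files in os.walk(pkg_dir):
            for name in files:
                if name in LOADER_FILES:
                    findings.append(f"loader file present: {Path(root) / name}")
    return findings


# Constructed lockfile fixtures (not real project files).
SAMPLE_LOCK_V3 = json.dumps({
    "name": "ci-tools", "lockfileVersion": 3,
    "packages": {
        "": {"name": "ci-tools", "dependencies": {PACKAGE: "2026.4.0"}},
        "node_modules/@bitwarden/cli": {"version": "2026.4.0"},
        "node_modules/left-pad": {"version": "1.3.0"},
    },
})
SAMPLE_LOCK_V1 = json.dumps({
    "lockfileVersion": 1,
    "dependencies": {
        "some-wrapper": {"version": "1.0.0",
                         "dependencies": {PACKAGE: {"version": "2026.4.0"}}},
    },
})
CLEAN_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {"node_modules/@bitwarden/cli": {"version": "2026.3.0"}},
})


def demo_installed_scan() -> List[str]:
    """Build a throwaway node_modules tree that mimics the bad install and scan it.

    The package.json and bw_setup.js written here are placeholders, not the
    real malicious files; they only exercise the detection paths.
    """
    with tempfile.TemporaryDirectory() as tmp:
        pkg_dir = Path(tmp) / "node_modules" / PACKAGE
        pkg_dir.mkdir(parents=True)
        (pkg_dir / "package.json").write_text(json.dumps({"name": PACKAGE, "version": "2026.4.0"}))
        (pkg_dir / "bw_setup.js").write_text("// placeholder, NOT the real loader\n")
        return installed_hits(Path(tmp) / "node_modules")


if __name__ == "__main__":
    for label, lock in (("v3", SAMPLE_LOCK_V3), ("v1", SAMPLE_LOCK_V1), ("clean", CLEAN_LOCK)):
        print(label, lockfile_hits(lock))
    print("installed", demo_installed_scan())
```

A hit in either check means the machine or pipeline that ran `npm install` against that lockfile should be treated as compromised and every credential reachable from it (npm tokens, SSH keys, cloud keys) rotated, as the article recommends; a clean lockfile on its own does not clear a developer who installed the CLI globally during the window, which is why the installed-tree check is included.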