April 23, 2026
Hold my passphrase
Bitwarden CLI Compromised in Ongoing Checkmarx Supply Chain Campaign
Password panic: Bitwarden’s command-line tool booby‑trapped — users split
TLDR: Version 2026.4.0 of Bitwarden’s command-line tool, published on npm as @bitwarden/cli, was tainted through a compromised GitHub Action in its build pipeline, part of a wider supply chain campaign. Commenters split between fear of leaked passwords, frustration with auto-updates, and debate over whether the browser extension is affected, while researchers urge anyone who ran the affected version to check their logs and rotate secrets.
The internet’s favorite “type-it-in-the-terminal” crowd woke up to a scare: the Bitwarden command-line tool (version 2026.4.0) was caught carrying sneaky code after attackers got into a GitHub Action, one of the reusable steps in the automated build workflow, in Bitwarden’s pipeline. Socket’s researchers say the bad stuff lived in a file called bw1.js and tied the incident to an ongoing Checkmarx supply chain campaign. Translation: someone tampered with the assembly line for one release and smuggled malware into what rolled off it.
Cue the comments: cynics rolled their eyes (“another day, another supply chain mess”) while worried users asked the only question that matters: “Did they get my passwords?” Others wanted to know whether the browser extension or the app was affected. So far the spotlight is on the CLI package only, and it does not update itself, which cuts both ways: nobody had 2026.4.0 pushed onto their machine unasked, but nobody is moved off it automatically either, so anyone who installed or pinned it has to reinstall by hand. Socket says the investigation is ongoing. One user even blasted auto-updating package channels (Snap, for example) for potentially making this kind of thing worse.
Then the drama escalated when a user claimed a harmless-sounding bw list once spat out everything, passwords and two-factor codes included, fueling a chorus of “never run the CLI near shared screens.” Meme patrol arrived fast: “CI means ‘Compromised Immediately’,” and “GitHub Actions needs an Action to stop Actions.” Meanwhile, calmer heads echoed Socket’s advice: if you used the affected version, go through your CI and shell logs for every place it was installed or run, and rotate whatever it could reach there, meaning the vault items it was unlocked for and the API key or session token used to drive it. Receipts: @bitwarden/cli 2026.4.0.
Key Points
- Socket researchers found Bitwarden CLI version 2026.4.0 was compromised.
- Malicious code was located in bw1.js within the affected package.
- Attackers abused a GitHub Action in Bitwarden’s CI/CD pipeline to introduce the code.
- The compromise aligns with patterns in an ongoing Checkmarx-related supply chain campaign.
- Investigation is ongoing; users are advised to review CI logs and rotate potentially exposed secrets.
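One practical way to do that review, as an added example (my own script, not Bitwarden’s, Socket’s or an official indicator set): it walks a directory tree for npm and yarn lockfiles, CI logs and installed copies under node_modules, and flags anything pointing at the release named above. The only facts taken from the report are the package name @bitwarden/cli, the version 2026.4.0 and the file name bw1.js; every path, log line and lockfile in the demo is constructed, and the non-affected version string 2026.3.1 is a placeholder. The script flags a bw1.js file only because the report names it; whether a clean release ships a file by that name is not something the report says, so treat that hit as a prompt to look, not as proof.

```python
# Sweep for traces of the @bitwarden/cli 2026.4.0 release named in the report:
# npm and yarn lockfiles, CI/build logs, and installed copies under node_modules.
# Added example, not Bitwarden's or Socket's code; all sample files are constructed.
import json
import re
import tempfile
from pathlib import Path

AFFECTED_PKG = "@bitwarden/cli"
AFFECTED_VERSION = "2026.4.0"
SUSPECT_FILE = "bw1.js"  # file the report names; its absence proves nothing

# Exact install spec as echoed in a CI log ("npm install -g @bitwarden/cli@2026.4.0");
# the lookahead keeps 2026.4.0 from matching 2026.4.01.
SPEC_RE = re.compile(re.escape(f"{AFFECTED_PKG}@{AFFECTED_VERSION}") + r"(?![\d.])")

def _lines(path: Path) -> list[str]:
    try:
        return path.read_text(errors="replace").splitlines()
    except OSError:
        return []

def package_lock_hits(path: Path) -> list[str]:
    """package-lock.json: v2/v3 key entries by path under "packages", v1 by name under "dependencies"."""
    try:
        data = json.loads(path.read_text())
        packages, deps = data.get("packages", {}), data.get("dependencies", {})
    except (OSError, ValueError, AttributeError):
        return []
    hits = [f"{path}: {key} resolved to {AFFECTED_VERSION}" for key, meta in packages.items()
            if key.endswith(f"node_modules/{AFFECTED_PKG}") and meta.get("version") == AFFECTED_VERSION]
    if deps.get(AFFECTED_PKG, {}).get("version") == AFFECTED_VERSION:
        hits.append(f"{path}: {AFFECTED_PKG} resolved to {AFFECTED_VERSION} (lockfileVersion 1)")
    return hits

def yarn_lock_hits(path: Path) -> list[str]:
    """yarn.lock v1: the header '"@bitwarden/cli@^2026.4.0":' is only a range; the indented version line is what was installed."""
    hits, in_pkg = [], False
    for n, line in enumerate(_lines(path), 1):
        if not line.startswith(" "):  # block header or blank line
            in_pkg = f"{AFFECTED_PKG}@" in line
        elif in_pkg and line.strip() == f'version "{AFFECTED_VERSION}"':
            hits.append(f"{path}:{n}: {AFFECTED_PKG} resolved to {AFFECTED_VERSION}")
    return hits

def text_hits(path: Path) -> list[str]:
    """Logs and shell history: any line carrying the exact install spec."""
    return [f"{path}:{n}: {line.strip()}" for n, line in enumerate(_lines(path), 1) if SPEC_RE.search(line)]

def installed_hits(node_modules: Path) -> list[str]:
    """Installed copy: the package's own package.json version, plus the file the report names."""
    pkg_dir = node_modules / "@bitwarden" / "cli"
    if not pkg_dir.is_dir():
        return []
    hits = [f"{f}: file named in the report is present" for f in pkg_dir.rglob(SUSPECT_FILE)]
    try:
        if json.loads((pkg_dir / "package.json").read_text()).get("version") == AFFECTED_VERSION:
            hits.append(f"{pkg_dir}: installed version is {AFFECTED_VERSION}")
    except (OSError, ValueError, AttributeError):
        pass
    return hits

def scan(root: Path) -> list[str]:
    """Walk root once; each path goes to exactly one checker."""
    hits = []
    for p in sorted(root.rglob("*")):
        if p.is_dir():
            if p.name == "node_modules":
                hits += installed_hits(p)
        elif p.name == "package-lock.json":
            hits += package_lock_hits(p)
        elif p.name == "yarn.lock":
            hits += yarn_lock_hits(p)
        elif p.suffix in (".log", ".txt"):
            hits += text_hits(p)
    return hits

def build_demo(root: Path) -> Path:
    """Constructed sample tree, not real data: two projects pinned to the affected release,
    one on a placeholder other version, a CI log, and a global install carrying the named file."""
    (root / "proj-a").mkdir()
    (root / "proj-a" / "package-lock.json").write_text(json.dumps(
        {"lockfileVersion": 3, "packages": {f"node_modules/{AFFECTED_PKG}": {"version": AFFECTED_VERSION}}}))
    (root / "proj-b").mkdir()
    (root / "proj-b" / "yarn.lock").write_text(
        '"@bitwarden/cli@^2026.4.0":\n  version "2026.4.0"\n\nleft-pad@^1.0.0:\n  version "1.3.0"\n')
    (root / "proj-c").mkdir()
    (root / "proj-c" / "package-lock.json").write_text(json.dumps(
        {"lockfileVersion": 1, "dependencies": {AFFECTED_PKG: {"version": "2026.3.1"}}}))  # placeholder version
    (root / "ci").mkdir()
    (root / "ci" / "build.log").write_text("+ npm install -g @bitwarden/cli@2026.4.0\n+ bw --version\n")
    cli = root / "global" / "node_modules" / "@bitwarden" / "cli"
    cli.mkdir(parents=True)
    (cli / "package.json").write_text(json.dumps({"name": AFFECTED_PKG, "version": AFFECTED_VERSION}))
    (cli / SUSPECT_FILE).write_text("// placeholder standing in for the file the report names\n")
    return root

def demo_hits() -> list[str]:
    """Build the constructed tree in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan(build_demo(Path(tmp)))

if __name__ == "__main__":
    for hit in demo_hits():
        print(hit)
```

Point scan() at your home directory, at CI runner workspaces, and at the global npm prefix (the directory printed by npm root -g). A hit from a lockfile means a project resolved the affected release at some point, whether or not it is still installed; a hit from a log tells you which host and job ran it, which is where the rotation list starts.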