Bitwarden CLI npm Package Backdoored for 90 Minutes as Shai-Hulud Worm Resurfaces Through Checkmarx Breach
A malicious build of @bitwarden/cli@2026.4.0 was live on npm for roughly 93 minutes on April 22 after attackers used credentials stolen from Checkmarx to push a self-propagating worm that harvests cloud, Git, and AI tooling credentials.