Bitwarden CLI Got Hijacked to Hunt Your AI Coding Credentials
Your Password Manager Was the Attack Vector
On April 22nd, somebody popped the Bitwarden CLI npm package. For roughly ninety minutes, version 2026.4.0 of @bitwarden/cli shipped with a payload that did exactly what a password manager should never do: it harvested your secrets and sent them somewhere else.
The attack came through a compromised GitHub Actions workflow — part of an ongoing campaign by a threat actor called TeamPCP, the same crew behind the Trivy and LiteLLM supply chain hits. They didn’t need to find a zero-day. They just needed one weak link in the CI pipeline.
The Malware Had a Shopping List
Here’s where it gets interesting for anyone who vibe codes. The payload wasn’t just grabbing the usual targets — AWS keys, GitHub tokens, SSH credentials. It had a dedicated module that specifically hunted for authenticated AI coding assistant credentials.
Claude, Cursor, Codex CLI, MCP agent configs — the malware went after all of it. It scraped API keys from AI tool configuration files, grabbed Git credentials, raided cloud tokens across AWS and GCP, and rifled through npm auth tokens. Six distinct secret surfaces, all vacuumed up in one pass.
It also included a self-propagating npm worm. If you had publishing rights to any npm packages, the malware used your stolen token to republish those packages with itself injected. Think about that for a second. One infected developer could silently poison every package they maintain.
Why AI Credentials Are the New Crown Jewels
This is the part that should keep vibe coders up at night. Your AI coding credentials aren’t just API keys — they’re keys to agents that can read your codebase, execute shell commands, and push code to production. An attacker with your Claude Code or Cursor credentials doesn’t just get access to a chatbot. They get access to an autonomous system that can already do everything you can do.
The supply chain attack surface has evolved. It’s no longer just about stealing your deploy keys. It’s about stealing the keys to the thing that writes and deploys your code for you. TeamPCP clearly understood this — the AI credential harvester wasn’t an afterthought, it was a feature.
The Damage Was Limited. The Lesson Wasn’t.
Bitwarden says 334 downloads happened during the 90-minute window. They pulled the package, rotated credentials, and confirmed no vault data was compromised. The malware also had a kill switch — it wouldn’t execute on machines configured with the Russian language. Make of that what you will.
But “only 334 downloads” is cold comfort when you consider what those 334 machines could access. Every stolen npm token is a potential vector for poisoning downstream packages. Every stolen AI credential is a potential vector for injecting malicious code through an agent that already has your trust.
What You Should Actually Do
If you installed @bitwarden/cli version 2026.4.0 on April 22nd, rotate everything. Not just your Bitwarden credentials — your AI tool API keys, your npm tokens, your cloud credentials, your SSH keys. All of it.
For the rest of us, this is a reminder that your dependency chain is your attack surface. Every npm install is an act of trust. Lock your versions. Audit your CI pipelines. And maybe stop assuming that the tool you use to protect your credentials can’t be the thing that leaks them.
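One concrete way to check a project for the affected release, as an added example (not code from the post, from Bitwarden or from npm): a Python script that scans package-lock.json, or the JSON emitted by npm ls, for @bitwarden/cli at 2026.4.0 across the lockfile layouts npm has used. The package name and version come from the post; the sample lockfile data is constructed for the demonstration.

```python
"""Scan package-lock.json (or `npm ls --json` output) for the compromised @bitwarden/cli release."""
import json
import sys
from pathlib import Path

AFFECTED_PACKAGE = "@bitwarden/cli"
AFFECTED_VERSIONS = {"2026.4.0"}  # the version the post identifies

def _walk_tree(deps: dict, prefix: str, hits: list) -> None:
    """Recurse a lockfileVersion-1 style tree: {name: {version, dependencies}}.
    `npm ls --json` (and `npm ls -g --json` for global installs) emits the same shape."""
    for name, meta in deps.items():
        path = f"{prefix}node_modules/{name}"
        if name == AFFECTED_PACKAGE and meta.get("version") in AFFECTED_VERSIONS:
            hits.append((path, meta["version"]))
        _walk_tree(meta.get("dependencies", {}), path + "/", hits)

def affected_entries(lock: dict) -> list:
    """Return (install path, version) pairs for affected entries in a parsed lockfile.
    lockfileVersion 2/3 list every install under "packages" keyed by path (v2 also
    keeps a legacy "dependencies" tree, skipped to avoid double counting); v1 nests."""
    hits: list = []
    if "packages" in lock:
        for path, meta in lock["packages"].items():
            # nested installs look like "node_modules/a/node_modules/@bitwarden/cli"
            name = path.split("node_modules/")[-1]
            if name == AFFECTED_PACKAGE and meta.get("version") in AFFECTED_VERSIONS:
                hits.append((path, meta["version"]))
    else:
        _walk_tree(lock.get("dependencies", {}), "", hits)
    return hits

def scan_lockfile(path: Path) -> list:
    return affected_entries(json.loads(path.read_text()))

# Constructed sample lockfiles for offline demonstration (not real project data).
SAMPLE_LOCK_V3 = {"lockfileVersion": 3, "packages": {
    "": {"name": "demo-app", "dependencies": {AFFECTED_PACKAGE: "^2026.4.0"}},
    "node_modules/@bitwarden/cli": {"version": "2026.4.0"},
    "node_modules/left-pad": {"version": "1.3.0"}}}
SAMPLE_LOCK_V1 = {"lockfileVersion": 1, "dependencies": {"some-tool": {
    "version": "1.0.0", "dependencies": {AFFECTED_PACKAGE: {"version": "2026.4.0"}}}}}

if __name__ == "__main__":
    # Usage: python scan_lock.py package-lock.json [...]; exits 1 if anything matched
    hits = [(f, h) for f in sys.argv[1:] for h in scan_lockfile(Path(f))]
    for src, (path, ver) in hits:
        print(f"{src}: {path}@{ver} affected; rotate every credential on this host")
    sys.exit(1 if hits else 0)
```

Pipe `npm ls -g --json` into a file and pass it the same way to cover a global install, which is how the CLI is usually installed. A match means the host ran the package during the window, so the rotation list from the post applies to everything that machine could reach.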
The vibe coding stack keeps growing, and every new tool is another node in the dependency graph that someone can compromise. Your AI coding assistant is only as secure as the weakest package in your node_modules. Right now, that bar is underground.