Password manager supply‑chain hack

- Bitwarden said attackers briefly compromised its command-line interface package, a developer tool used outside the main app, and inserted malicious code into versions 2025.1.0 through 2025.1.2 distributed through npm.
- The company said the tampered package could steal vault credentials when users ran specific login commands, but Bitwarden found no evidence that its production systems, browser extensions, mobile apps, or web vault were breached.
- The case fits a rising pattern of software supply-chain attacks that target build tools and package registries instead of core servers. (bitwarden.com)

Bitwarden said attackers slipped malicious code into its command-line interface package and published the tampered versions to npm. (bitwarden.com) The affected releases were versions 2025.1.0, 2025.1.1, and 2025.1.2 of `@bitwarden/cli`, a package developers install from the Node package registry. Bitwarden said the code was removed after the company detected the issue. (bitwarden.com) (npmjs.com)

A command-line interface is a text-only tool that lets users log in and pull secrets by typing commands instead of clicking through an app. In this case, Bitwarden said the malicious code could capture credentials entered during certain authentication flows. (bitwarden.com)

Bitwarden said the compromise was limited to the CLI package and did not affect its production environment, browser extensions, mobile apps, desktop apps, or web vault. The company also said it had no evidence that encrypted vault data or customer accounts were broadly exposed. (bitwarden.com) (bleepingcomputer.com)

The attack did not start inside Bitwarden’s vault service. Bitwarden said the intrusion came through a developer toolchain path, the software assembly line used to build and publish code, which let the attacker alter the package before customers downloaded it. (bitwarden.com) That makes this a supply-chain attack: instead of breaking into every target one by one, the attacker poisons a trusted update channel and waits for users to install it. Security reporting on the incident compared the method to recent compromises that abused build systems and package publishing workflows. (itnews.com.au) (bitdefender.com)

Bitwarden told affected users to rotate their master password, rotate any exposed application programming interface keys or secrets handled through the CLI, and update to a clean version. The company also said it invalidated compromised credentials tied to the publishing workflow. (bitwarden.com)

The episode landed in a sensitive spot for password managers because their tools sit close to credentials, tokens, and automation scripts. A breach in a developer-facing package can hit engineers and service accounts even when the consumer-facing app remains untouched. (bitwarden.com) (bleepingcomputer.com)

Bitwarden said it added hardening steps after the incident, including changes to package publishing and build security. The immediate lesson was narrow but costly: even a trusted password manager can become a delivery vehicle if its software supply chain is compromised. (bitwarden.com)
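As an added example, not code from Bitwarden or from the article, here is a Node script that audits a `package-lock.json` for the `@bitwarden/cli` versions the article names as tampered (2025.1.0 through 2025.1.2), including copies nested under other dependencies. The lockfile it scans is a constructed sample embedded inline; the package name and version range come from the article, everything else is assumed.

```javascript
// Added example, not Bitwarden's code: audit a package-lock.json (v2/v3 format)
// for the @bitwarden/cli versions the article names as tampered, 2025.1.0 through
// 2025.1.2. The lockfile is constructed inline so the script runs offline.

const AFFECTED_NAME = '@bitwarden/cli';
const AFFECTED_MIN = [2025, 1, 0];
const AFFECTED_MAX = [2025, 1, 2];

// Parse "MAJOR.MINOR.PATCH" into numbers; any pre-release or build suffix is ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Numeric comparison so that 2025.1.10 sorts after 2025.1.2 (string order would not).
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

function isAffected(version) {
  const p = parseVersion(version);
  return p !== null && compareVersions(p, AFFECTED_MIN) >= 0 && compareVersions(p, AFFECTED_MAX) <= 0;
}

// Lockfile keys are install paths such as "node_modules/@bitwarden/cli" or a nested
// "node_modules/<dep>/node_modules/@bitwarden/cli"; both forms are checked.
function findAffected(lockfile) {
  const hits = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (path.endsWith('node_modules/' + AFFECTED_NAME) && isAffected(entry.version)) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample lockfile: one tampered copy and one clean copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/@bitwarden/cli': { version: '2025.1.1' },
    'node_modules/build-helper/node_modules/@bitwarden/cli': { version: '2025.2.0' },
  },
};

for (const h of findAffected(SAMPLE_LOCK)) {
  console.log(`AFFECTED: ${h.path} is ${h.version}; upgrade to a clean release and rotate credentials`);
}
```

To scan a real project, replace `SAMPLE_LOCK` with the parsed contents of its `package-lock.json`; a hit means the install should be updated and any master password, API keys or secrets used through that CLI rotated, as the article describes.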

Shared from Scout - Be the smartest in the room.