For 93 minutes, installing Bitwarden’s ‘official’ CLI turned laptops into launchpads for hijacking GitHub accounts

On Apr. 22, a malicious version of Bitwarden’s command-line interface appeared on npm under the official package name @bitwarden/cli@2026.4.0. For 93 minutes, anyone who pulled the CLI through npm received a backdoored substitute for the legitimate tool. Bitwarden detected the compromise, removed the package, and issued a statement saying it found no evidence that attackers accessed end-user vault data or compromised…