# Bitwarden CLI Impersonation Attack Steals Cloud Credentials and Spreads Across npm Supply Chains

By [Cameron Hyde](https://www.paloaltonetworks.com/blog/author/cameron-hyde/?ts=markdown "Posts by Cameron Hyde") | Apr 24, 2026 | 5 minutes

Categories: [Application Security](https://www.paloaltonetworks.com/blog/cloud-security/category/application-security/?ts=markdown), [AppSec](https://www.paloaltonetworks.com/blog/cloud-security/category/appsec/?ts=markdown), [Cloud Security](https://www.paloaltonetworks.com/blog/category/cloud-security/?ts=markdown), [Supply Chain Security](https://www.paloaltonetworks.com/blog/cloud-security/category/supply-chain-security/?ts=markdown)

## Incident Overview

The malicious package `@bitwarden/cli@2026.4.0` was published to npm on April 22, 2026, as part of a typosquatting supply chain campaign attributed to TeamPCP (@pcpcats). It targets developer workstations, CI/CD pipelines and cloud provider credentials across AWS, Azure and GCP. The package was downloaded thousands of times before being flagged. Its payload harvests secrets from local filesystems, environment variables, GitHub Actions and cloud secret managers, then self-propagates by backdooring any npm package the victim has permission to publish, exhibiting worm-like behavior.

We recommend that all customers immediately check whether `@bitwarden/cli` appears in any package.json, lockfile or CI/CD workflow, and remove it if found. Additional response steps and Cortex Cloud™ protections are detailed below.

## What Happened?

On April 22, 2026, a malicious npm package impersonating the legitimate Bitwarden CLI was published under the scoped name `@bitwarden/cli` (version 2026.4.0). It is part of a broader, sustained campaign by the threat actor TeamPCP, active since September 2025 and significantly escalated in 2026, spanning npm, Docker Hub, GitHub Actions and VS Code extensions.

### Why Is This Critical?
The attack is critical because of what the payload targets:

* SSH keys, `.npmrc` tokens, `.env` files, AWS credentials and Git configs
* GitHub CLI tokens and npm authentication tokens
* AI/MCP configurations (e.g., Claude and Kiro)
* GitHub Actions secrets and environment variables
* AWS SSM parameters, Azure Key Vault secrets and GCP Secret Manager secrets

## Who Is Affected

You may be impacted if your organization:

* Installs npm packages in development, build or CI/CD environments
* Uses `@bitwarden/cli` or related Bitwarden npm packages (verify version and publisher)
* Runs GitHub Actions workflows that install dependencies
* Stores secrets in AWS, Azure, GCP or `.env` files accessible during builds
* Publishes npm packages; compromised developers can unknowingly propagate the malware

**Warning:** Even if you did not install this package directly, you may still be affected if a transitive dependency was backdoored by a compromised maintainer.

[**Read the full breakdown from Unit 42**](http://unit42.paloaltonetworks.com/monitoring-npm-supply-chain-attacks)**, including indicators of compromise.**

## Immediate Steps for Security Teams

| Priority | Action | Description |
|----------|--------|-------------|
| P0 | Search for the package | Search all package.json, package-lock.json, yarn.lock and pnpm-lock.yaml files for `@bitwarden/cli`, and remove any references to version 2026.4.0. |
| P0 | Rotate compromised credentials | If the package was installed, assume all credentials on the affected machine and in CI/CD environments are compromised. Rotate npm tokens, GitHub tokens, cloud credentials (AWS, Azure, GCP), SSH keys, and any secrets stored in `.env` files. |
| P0 | Audit GitHub Actions workflows | Review workflows for injected steps or unexpected `uses:` entries, and inspect recent runs for unusual access to secrets or environment variables. |
| P1 | Audit npm publish access | If any affected developer has npm publish permissions, review all maintained packages for unauthorized version changes or malicious `postinstall` scripts. |
| P1 | Block C2 indicators | Block the typosquatted domain and IP across firewall, DNS and proxy layers. |
| P2 | Review Docker, VS Code and CI/CD assets | Check for compromised Docker Hub images, VS Code extensions and CI/CD assets that may be pulling in known poisoned npm modules associated with the broader TeamPCP campaign. |
| P2 | Monitor GitHub activity | Look for unexpected public repositories created under developer accounts, which may be used for data exfiltration. |

## How Cortex Cloud Protects You

Cortex Cloud provides a layered defense against malicious package attacks, detecting threats at every stage from package publication to runtime execution.

| Cortex Cloud Capability | How It Protects Against This Attack |
|-------------------------|-------------------------------------|
| SCA (Software Composition Analysis) | Identifies `@bitwarden/cli@2026.4.0` as a known malicious package across repositories, container images and build artifacts, and flags typosquatting risks and anomalous versions. |
| Software Supply Chain Security | Enforces policies that block builds containing malicious packages, and detects suspicious build-time behavior such as unauthorized `postinstall` scripts or external runtime downloads (e.g., Bun). |
| Secrets Detection | Scans repositories, CI/CD configurations and container images for exposed credentials targeted for exfiltration, including `.npmrc` tokens, cloud keys, GitHub tokens and `.env` files. |
| IaC Security | Identifies risky changes in GitHub Actions workflows, including injected steps and overly permissive access to secrets introduced during workflow compromise. |
| Cortex® XDR (Endpoint Analytics) | Detects anomalous activity on developer endpoints, such as unexpected runtime downloads or large-scale credential harvesting from the filesystem. |
| DNS Security | Detects exfiltration to C2 domains and typosquatted domains, and anomalous outbound traffic from build environments. |
| Cloud Security Posture (CSPM) | Monitors access to cloud secret stores (AWS, Azure, GCP) and alerts on unusual or unauthorized secret enumeration activity. |
| Identity Security (CIEM) | Detects the use of compromised credentials through anomalous access patterns or unexpected locations, enabling post-compromise visibility and response. |

Cortex Cloud continuously monitors your dependency tree against updated threat intelligence. When a previously safe package is flagged as malicious, all affected repositories and pipelines are alerted immediately.

## Closing Guidance

This attack marks yet another significant escalation in npm supply chain threats. By combining credential harvesting, worm-like propagation and cross-platform distribution (npm, Docker Hub, GitHub Actions and VS Code extensions), the TeamPCP campaign stands out as one of the most sophisticated attacks targeting the JavaScript ecosystem to date. Its self-propagating design means a single compromised developer can unknowingly spread the payload to thousands of downstream consumers. Response speed is critical: rotate credentials, audit dependency trees, and confirm your security tools are actively scanning for this threat.
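Auditing the dependency tree for this package, as the P0 search step in the table above calls for, is mechanical enough to script. The following scanner is an added example, not code from the post, Palo Alto Networks or Bitwarden: it walks a source tree, parses the four files the advisory names (package.json, package-lock.json, yarn.lock and pnpm-lock.yaml) with the standard library only, and reports every reference to `@bitwarden/cli` along with whether that reference pins the known-bad version. Only the package name and version come from the advisory; the lockfile samples used to exercise it are constructed, and the lockfile format handling reflects the public npm, Yarn and pnpm formats rather than anything in the post.

```python
"""Added example (not Palo Alto Networks' or Bitwarden's code): the P0 "search for the
package" step as a script, parsing the four manifest/lockfile formats the advisory names."""
import json
import os
import re
from typing import Dict, List, Tuple

# Indicators from the advisory: the impersonating package and its malicious version.
MALICIOUS_PACKAGE = "@bitwarden/cli"
MALICIOUS_VERSION = "2026.4.0"


def refs_in_package_json(content: str) -> List[Tuple[str, str]]:
    """Every dependency spec, plus the manifest's own name/version so an installed
    copy under node_modules/ is found too. npm aliases ('npm:<name>@<ver>') are unwrapped."""
    data = json.loads(content)
    refs = [(data["name"], str(data["version"]))] if "name" in data and "version" in data else []
    for section in ("dependencies", "devDependencies", "optionalDependencies", "peerDependencies"):
        for name, spec in data.get(section, {}).items():
            spec = str(spec)
            if spec.startswith("npm:") and "@" in spec[5:]:  # alias: "bw": "npm:@bitwarden/cli@2026.4.0"
                name, spec = spec[4:].rsplit("@", 1)
            refs.append((name, spec))
    return refs


def refs_in_package_lock(content: str) -> List[Tuple[str, str]]:
    """lockfileVersion 2/3 keys 'packages' by 'node_modules/<name>'; v1 nests 'dependencies'."""
    data = json.loads(content)
    refs = [(p.rsplit("node_modules/", 1)[-1], str(m.get("version", "")))
            for p, m in data.get("packages", {}).items() if p]  # "" is the root project
    def walk(deps):
        for name, meta in deps.items():
            refs.append((name, str(meta.get("version", ""))))
            walk(meta.get("dependencies", {}))
    walk(data.get("dependencies", {}))
    return refs


def refs_in_yarn_lock(content: str) -> List[Tuple[str, str]]:
    """yarn.lock (classic and berry): unindented '<name>@<range>[, ...]:' header,
    then an indented 'version' line."""
    refs, names = [], []
    for line in content.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        if not line[0].isspace() and line.rstrip().endswith(":"):
            keys = [k.strip().strip('"') for k in line.rstrip()[:-1].split(",")]
            # find('@', 1) skips the leading '@' of scoped names; '__metadata' is not a package
            names = list(dict.fromkeys(k[:k.find("@", 1)] if k.find("@", 1) > 0 else k
                                       for k in keys if not k.startswith("__")))
        elif names:
            m = re.match(r'\s+version:?\s+"?([^"\s]+)"?', line)
            if m:
                refs.extend((name, m.group(1)) for name in names)
                names = []
    return refs


# pnpm-lock.yaml keys: v5 '/@scope/name/1.2.3:', v6+ '/@scope/name@1.2.3:', v9 '@scope/name@1.2.3:'
PNPM_KEY = re.compile(r"^  '?/?(@?[^@'\s]+?)[@/](\d[^'():\s]*)")


def refs_in_pnpm_lock(content: str) -> List[Tuple[str, str]]:
    """Only the 'packages' and 'snapshots' sections carry resolved versions."""
    refs, section = [], ""
    for line in content.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            section = line.rstrip()[:-1]
        elif section in ("packages", "snapshots"):
            m = PNPM_KEY.match(line)
            if m:
                refs.append((m.group(1), m.group(2)))
    return refs


PARSERS = {"package.json": refs_in_package_json, "package-lock.json": refs_in_package_lock,
           "yarn.lock": refs_in_yarn_lock, "pnpm-lock.yaml": refs_in_pnpm_lock}


def is_known_bad(spec: str, bad_version: str = MALICIOUS_VERSION) -> bool:
    """Exact pin or caret/tilde range anchored on the bad version; wider ranges are
    still reported by find_refs because they may resolve to it."""
    return spec.lstrip("^~=v") == bad_version


def find_refs(filename: str, content: str, package: str = MALICIOUS_PACKAGE) -> List[Tuple[str, bool]]:
    """References to `package` in one manifest or lockfile as (spec, pins_known_bad)."""
    parser = PARSERS.get(os.path.basename(filename))
    if parser is None:
        return []
    return [(spec, is_known_bad(spec)) for name, spec in parser(content) if name == package]


def scan_tree(root: str, package: str = MALICIOUS_PACKAGE) -> Dict[str, List[Tuple[str, bool]]]:
    """{path: [(spec, pins_known_bad), ...]} for every file under `root` that references
    `package`. node_modules is walked on purpose so an installed copy is reported."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for fn in filenames:
            if fn in PARSERS:
                path = os.path.join(dirpath, fn)
                try:
                    with open(path, encoding="utf-8") as fh:
                        hits = find_refs(fn, fh.read(), package)
                except (OSError, ValueError):
                    continue  # unreadable or malformed file: skip it, keep scanning
                if hits:
                    findings[path] = hits
    return findings
```

Call `scan_tree("/path/to/repo")` and treat every path with a `True` entry as a confirmed hit; entries marked `False` are references to the package through another version or a wider range and should be reviewed against the resolved version in the lockfile, since a range may still resolve to 2026.4.0 at install time. Running the scan over build agents and developer machines, not just repositories, is what catches the installed copy under node_modules.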
Cortex Cloud customers with SCA, Software Supply Chain Security and Secrets Detection enabled are already protected against known indicators of this campaign. If these capabilities are not yet active in your environment, now is a great time to enable them.

## Learn More

[Request a demo](https://start.paloaltonetworks.com/cortex-cloud-appsec-demo.html) to discover how Cortex Cloud can protect your software supply chain.