Incident Overview
The malicious package @bitwarden/cli@2026.4.0 was published to npm on April 22, 2026, as part of a typosquatting supply chain campaign attributed to TeamPCP (@pcpcats). It targets developer workstations, CI/CD pipelines and cloud provider credentials across AWS, Azure and GCP.
The package was downloaded thousands of times before being flagged. Its payload harvests secrets from local filesystems, environment variables, GitHub Actions and cloud secret managers—then self-propagates by backdooring any npm package the victim has permission to publish, exhibiting worm-like behavior.
We recommend that all customers immediately check whether @bitwarden/cli appears in any package.json, lockfile or CI/CD workflow, and remove it if found.
Additional response steps and Cortex CloudTM protections are detailed below.
What Happened?
On April 22, 2026, a malicious npm package impersonating the legitimate Bitwarden CLI was published under the scoped name @bitwarden/cli (version 2026.4.0). It is part of a broader, sustained campaign by the threat actor TeamPCP, active since September 2025 and significantly escalated in 2026—spanning npm, Docker Hub, GitHub Actions and VS Code extensions.
Why Is This Critical?
The attack is made critical because of the payload targets:
- SSH keys,
.npmrctokens,.envfiles, AWS credentials and Git configs - GitHub CLI tokens and npm authentication tokens
- AI/MCP configurations (e.g., Claude and Kiro)
- GitHub Actions secrets and environment variables
- AWS SSM parameters, Azure Key Vault secrets and GCP Secret Manager secrets
Who Is Affected
You may be impacted if your organization:
- Installs npm packages in development, build or CI/CD environments
- Uses
@bitwarden/clior related Bitwarden npm packages (verify version and publisher) - Runs GitHub Actions workflows that install dependencies
- Stores secrets in AWS, Azure, GCP or .env files accessible during builds
- Publishes npm packages—compromised developers can unknowingly propagate the malware
Warning: Even if you did not install this package directly, you may still be affected if a transitive dependency was backdoored by a compromised maintainer.
Read the full breakdown from Unit 42, including indicators of compromise.
Immediate Steps for Security Teams
| Priority | Action | Description |
| P0 | Search for the package | Search all package.json, package-lock.json, yarn.lock and pnpm-lock.yaml files for @bitwarden/cli, and remove any references to version 2026.4.0. |
| P0 | Rotate compromised credentials | If the package was installed, assume all credentials on the affected machine and in CI/CD environments are compromised. Rotate npm tokens, GitHub tokens, cloud credentials (AWS, Azure, GCP), SSH keys, and any secrets stored in .env files. |
| P0 | Audit GitHub Actions workflows | Review workflows for injected steps or unexpected uses: entries and inspect recent runs for unusual access to secrets or environment variables. |
| P1 | Audit npm publish access | If any affected developer has npm publish permissions, review all maintained packages for unauthorized version changes or malicious postinstall scripts. |
| P1 | Block C2 indicators | Block the typosquatted domain and IP across firewall, DNS and proxy layers. |
| P2 | Review Docker, VS Code and CI/CD assets | Check for compromised Docker Hub images, VS Code extensions and CI/CD assets that may be pulling in known poisoned npm modules associated with the broader TeamPCP campaign. |
| P2 | Monitor GitHub activity | Look for unexpected public repositories created under developer accounts, which may be used for data exfiltration. |
How Cortex Cloud Protects You
Cortex Cloud provides a layered defense against malicious package attacks — detecting threats at every stage from package publication to runtime execution.
| Cortex Cloud Capability | How It Protects Against This Attack |
| SCA (Software Composition Analysis) | Identifies @bitwarden/cli@2026.4.0 as a known malicious package across repositories, container images, and build artifacts, and flags typosquatting risks and anomalous versions. |
| Software Supply Chain Security | Enforces policies that block builds containing malicious packages, and detects suspicious build-time behavior such as unauthorized postinstall scripts or external runtime downloads (e.g., Bun). |
| Secrets Detection | Scans repositories, CI/CD configurations and container images for exposed credentials—including .npmrc tokens, cloud keys, GitHub tokens and .env files—targeted for exfiltration. |
| IaC Security | Identifies risky changes in GitHub Actions workflows, including injected steps and overly permissive access to secrets introduced during workflow compromise. |
| Cortex® XDR (Endpoint Analytics) | Detects anomalous activity on developer endpoints, such as unexpected runtime downloads or large-scale credential harvesting from the filesystem. |
| DNS Security | Detects exfiltration of C2 domains, typosquatted domains, and anomalous outbound trafic from build environments. |
| Cloud Security Posture (CSPM) | Monitors access to cloud secret stores (AWS, Azure, GCP) and alerts on unusual or unauthorized secret enumeration activity. |
| Identity Security (CIEM) | Detects the use of compromised credentials through anomalous access patterns or unexpected locations, enabling post-compromise visibility and response. |
Cortex Cloud continuously monitors your dependency tree against updated threat intelligence.
When a previously safe package is flagged as malicious, all affected repositories and pipelines are alerted immediately.
Closing Guidance
This attack marks yet another significant escalation in npm supply chain threats. By combining credential harvesting, worm-like propagation and cross-platform distribution (npm, Docker Hub, GitHub Actions and VS Code extensions), the TeamPCP campaign stands out as one of the most sophisticated attacks targeting the JavaScript ecosystem to date.
Its self-propagating design means a single compromised developer can unknowingly spread the payload to thousands of downstream consumers. Response speed is critical—rotate credentials, audit dependency trees, and confirm your security tools are actively scanning for this threat.
Cortex Cloud customers with SCA, Software Supply Chain Security and Secrets Detection enabled are already protected against known indicators of this campaign. If these capabilities are not yet active in your environment, now is a great time to enable them.
Learn More
Request a demo to discover how Cortex Cloud can protect your software supply chain.