Bitwarden Confirms Compromise—Here Are The Facts For 10 Million Users
The advice from security experts has been clear for the longest time: use a password manager. That advice still stands, despite the news that one of the leaders in the market, Bitwarden, has confirmed a serious security incident in which a compromised product was released for a short period of time. If installed, the malicious Bitwarden CLI package distributed through the Node Package Manager (npm) delivered a credential-stealing payload. Bitwarden is the latest in a line of npm package supply chain compromises, but for the vast majority of Bitwarden password manager users the sky has not fallen, and there is no need for panic.
The Truth About The Bitwarden Attack
Despite the perhaps inevitable manic response on social media platforms to the news that Bitwarden had confirmed a security incident, the actual facts of the matter are that, while obviously very serious, this is not the end of the password manager, and the vast majority of users do not need to do anything in response. This is in no way downplaying the impact that any security incident has on user trust where password managers are concerned. However, while this is not another phishing attack targeting password manager users (it is far worse than that), it is important not to get carried away and to focus on the facts.
Firstly, this incident affected only users of the Bitwarden CLI product, not the password manager app itself. The CLI is the command-line interface, the terminal version of Bitwarden. That alone cuts the pool of potentially affected users dramatically from the estimated 10 million who use the main product. While I was unable to gather any official statistics, the Bitwarden CLI npm package has around 250,000 downloads monthly, according to an OX Security analysis.
That’s still a considerable number, so let’s introduce fact number two: Bitwarden has confirmed in a statement that it had “identified and contained a malicious package that was briefly distributed through the npm delivery path for @bitwarden/cli@2026.4.0 between 5:57 PM and 7:30 PM (ET) on April 22, 2026, in connection with a broader Checkmarx supply chain incident.” To put that into further context, according to a moderator of the Bitwarden community forum, “it seems that only 334 Bitwarden users downloaded the malicious version of the CLI,” during the time it was available.
A Bitwarden spokesperson said: “The investigation found no evidence that end-user vault data was accessed or at risk, or that production data or production systems were compromised. Once the issue was detected, compromised access was revoked, the malicious npm release was deprecated, and remediation steps were initiated immediately. The issue affected the npm distribution mechanism for the CLI during that limited window, not the integrity of the legitimate Bitwarden CLI codebase or stored vault data.”
If you were not among the few hundred who downloaded the package, then you can relax: your passwords are safe. If you did, however, Bitwarden recommends that you uninstall Bitwarden CLI 2026.4.0 via npm, clear the npm cache, disable npm install scripts during cleanup as a precaution, rotate any secrets that may have been exposed on the affected system or stored in environment variables, including API tokens and SSH keys, and finally install Bitwarden CLI 2026.4.1.
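The cleanup steps above, as an added shell script that is not Bitwarden's own tooling. It assumes a global npm install of @bitwarden/cli and that `npm ls -g` prints the package as `@bitwarden/cli@<version>`; the environment-variable scan only lists variable names whose spelling suggests a credential, as a prompt for rotation, and never prints values.

```shell
#!/bin/sh
# Added example (not Bitwarden's own tooling): detect the affected CLI
# release and run the advisory's cleanup steps. Invoke as: sh bw-cleanup.sh --run
set -eu

PACKAGE="@bitwarden/cli"
AFFECTED_VERSION="2026.4.0"   # release that shipped with the malicious payload
FIXED_VERSION="2026.4.1"      # release Bitwarden recommends installing

# Returns 0 (true) only when the given version string is the affected release.
is_affected_version() {
    [ "$1" = "$AFFECTED_VERSION" ]
}

# Pulls the installed version out of `npm ls` output passed as text,
# e.g. "└── @bitwarden/cli@2026.4.0" -> "2026.4.0"; prints nothing if absent.
installed_version_from_ls() {
    printf '%s\n' "$1" | sed -n "s|.*$PACKAGE@\([0-9][0-9.]*\).*|\1|p" | head -n 1
}

# Names (not values) of environment variables that look like credentials;
# anything listed here is a candidate for rotation after the exposure.
env_names_to_rotate() {
    env | cut -d= -f1 | grep -Ei 'token|secret|key|password' || true
}

# The advisory's steps, in order: uninstall, clear cache, disable install
# scripts while cleaning up, install the fixed release, then re-enable scripts.
remediate() {
    npm uninstall -g "$PACKAGE"
    npm cache clean --force
    npm config set ignore-scripts true
    npm install -g "$PACKAGE@$FIXED_VERSION"
    npm config delete ignore-scripts
    echo "Rotate these variables' secrets (and any API tokens or SSH keys on this host):"
    env_names_to_rotate
}

main() {
    ls_output="$(npm ls -g "$PACKAGE" --depth=0 2>/dev/null || true)"
    version="$(installed_version_from_ls "$ls_output")"
    if [ -z "$version" ]; then
        echo "$PACKAGE is not installed globally; nothing to do"
    elif is_affected_version "$version"; then
        echo "Affected release $AFFECTED_VERSION found; remediating"
        remediate
    else
        echo "Installed $PACKAGE $version is not the affected release"
    fi
}

if [ "${1:-}" = "--run" ]; then main; fi
```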