The Bitwarden CLI was compromised in an ongoing supply chain campaign by Checkmarx, affecting version 2026.4.0. The malicious code was published in a file named bw1.js and was introduced through a compromised GitHub Action in Bitwarden's CI/CD pipeline. The compromise allows for credential harvesting and supply chain propagation, but Bitwarden's web extension, MCP server, and other distributions were not affected. Users who installed the malicious package are advised to remove it and rotate any exposed credentials.