Socket researchers identified a malicious npm package impersonating Bitwarden CLI, part of a broader supply chain campaign tracked by Checkmarx. The attack abuses npm's postinstall lifecycle hook to exfiltrate environment variables, where CI/CD pipelines store AWS keys, database credentials and service tokens, so the credentials leak at install time, before any of the package's code is ever imported or run by the consuming application. This isn't a novel technique, but the target is operationally critical: Bitwarden CLI is specifically designed to retrieve secrets in automated pipelines. If your CI/CD pulled `@bitwarden/cli` during the affected window, you may have already leaked credentials. The campaign follows a pattern of typosquatting and namespace confusion targeting security-conscious teams that use DevOps tooling. Check your pipeline logs for exact package versions and install timestamps against the Socket and Checkmarx advisories. If you can't verify what was installed, treat the environment as compromised.
https://socket.dev/blog/bitwarden-cli-compromised
Bitwarden CLI npm Package Served Malware via Postinstall Hook