90 Minutes on the Registry
In June 2026, a malicious package named @bitwarden/cli version 2026.4.0 appeared on npm. It impersonated the official Bitwarden command-line interface — a widely used open-source password manager. The package was live for approximately 90 minutes before npm's security team removed it. In that window, any automated pipeline, CI/CD system, or developer machine that installed or updated @bitwarden/cli could have pulled the compromised version.
The payload was not generic credential theft. It was purpose-built to harvest authentication tokens and configuration files for three specific targets: Claude Code, Cursor, and OpenAI Codex CLI. The attacker was not after database passwords or cloud provider keys. They were after the credentials that control AI coding agents — the tools that read codebases, write code, execute commands, and interact with production infrastructure on behalf of developers.
Why AI Tool Credentials Are High-Value Targets
A compromised Claude Code API key gives an attacker access to an AI agent that can read and write code, execute shell commands, and interact with git repositories. A stolen Cursor session token provides access to the developer's entire workspace context — open files, project structure, terminal history. A Codex CLI credential provides code generation and execution capabilities tied to the developer's OpenAI account and any connected resources.
These are not read-only credentials. AI coding tools operate with broad permissions because their utility depends on it — they need to read code to understand it, write files to implement changes, run commands to test and deploy. An attacker with a valid AI tool credential inherits those permissions. The tool becomes the attack vector and the payload delivery mechanism simultaneously.
The Shift from Infrastructure to Toolchain
Previous supply chain attacks — the IronWorm npm worm, the ua-parser-js incident, the event-stream compromise — targeted infrastructure credentials: AWS keys, database connection strings, SSH private keys. The Bitwarden CLI attack marks a category shift. The attacker treated AI coding tools as the primary target, not a lateral movement path. The credential for Claude Code was the objective, not a stepping stone to something else.
This distinction matters for threat modeling. Organizations that monitor for exfiltration of cloud provider credentials, API keys, and database passwords may not be monitoring for exfiltration of AI tool configuration files. The files targeted — Claude's credential store, Cursor's session data, Codex CLI's authentication tokens — sit in user-level configuration directories that traditional endpoint detection may not flag as sensitive.
90 Minutes Is Enough
The 90-minute window sounds short. It is not. Automated CI/CD pipelines that run npm install on every commit pull the latest version of every dependency. A single commit to any repository listing @bitwarden/cli as a dependency could trigger installation of the malicious version. Dependabot and Renovate — automated dependency update tools — may have created pull requests upgrading to v2026.4.0 during the window. If those PRs were auto-merged, the payload executed in CI without human review.
Endor Labs' analysis of the payload confirmed it searched for credential files in platform-specific default locations — macOS, Linux, and Windows paths for all three AI tools. The harvested credentials were exfiltrated to an external endpoint. The attack was not opportunistic. The attacker knew exactly which files to look for, where each tool stores its credentials, and how to extract them across operating systems.
The Password Manager as Attack Vector
The choice of Bitwarden as the impersonation target adds a layer to the attack. Password managers are security tools — they are installed by security-conscious developers and organizations. A developer who uses Bitwarden CLI is more likely to have credentials worth stealing, including AI tool tokens, than a developer who stores passwords in a browser. The attacker selected an impersonation target that filters for high-value victims by the act of installation itself.
The real @bitwarden/cli package is widely used in CI/CD pipelines for secret retrieval during automated deployments. A compromised version running in CI has access to the pipeline's execution environment — environment variables, mounted secrets, file system access. If the CI environment also has AI tool credentials for automated code review or generation steps, the malicious payload reaches those credentials without any developer interaction.
The Implication for AI-Assisted Development
The supply chain attack surface for AI coding tools is different from traditional development tooling. A compromised IDE plugin affects one developer's editor. A compromised AI tool credential affects every action that tool takes across every project the developer works on. The blast radius scales with the tool's capabilities — and AI coding tools are designed for maximum capability.
Organizations deploying AI coding tools in production need to treat their credentials with the same rigor as cloud provider root keys: short-lived tokens, hardware-bound authentication where available, monitoring for credential file access, and CI/CD pipelines that pin dependency versions rather than pulling latest. The Bitwarden CLI incident lasted 90 minutes. The next one may not be caught as quickly.
