Stop Using Bitwarden CLI. This Secret Leak Is Actually Worse Than You Think

By Andrew · April 25, 2026 · 11 min read

securitycybersecuritydevopsbitwardenprivacyencryption

Editor's Note: This deep dive covers a critical vulnerability targeting infrastructure engineers. Read ad-free on Signal Reads →

I watched my production database credentials scroll past in a terminal window I didn't open.

It was 3:14 AM on Tuesday, March 24, and I was supposedly sleeping while my **Claude 4.6 agent** handled a routine CI/CD migration.

By the time I hit the kill switch on the runner, the secrets for our entire North American cluster were already sitting on a C2 server in Moldova.

The culprit wasn't a weak password or a phished employee. **It was the Bitwarden CLI.**

I’ve spent fifteen years in infrastructure, moving from racking physical servers to managing petabyte-scale k8s clusters.

I’ve always preached that Bitwarden was the "safe" choice for teams who wanted to avoid the enterprise bloat of HashiCorp Vault.

But the **Checkmarx supply chain report** that dropped yesterday just confirmed my worst fears.

If you are still piping secrets from the `bw` command into your scripts or AI agents, you aren't just taking a risk—you’re actively handing the keys to your kingdom to the highest bidder.

The 3 AM Wake-Up Call

The breach happened because I trusted the "Agentic Workflow" hype a little too much.

I was still using the standard user CLI (`bw`) for automation, clinging to old habits even though specialized managers have been the standard for years.

I had given my Claude 4.6 instance permission to use the local terminal to "optimize deployment secrets." It’s a common pattern in 2026: you let the AI manage the mundane task of rotating keys and updating environment variables.

Everything looked fine in the logs until I noticed a tiny, **400ms delay** in every `bw get password` call.

That’s when the realization hit me like a physical blow—a secret-management tool should never be the bottleneck in a script.

When I dug into the `node_modules` of the runner, I found it.

A deep-seated dependency in the Bitwarden CLI had been swapped for a malicious mirror in a classic **dependency poisoning move** that bypassed our internal registry mirrors.

This wasn't a Bitwarden server breach; it was a supply chain execution.

The CLI was literally scraping every secret I requested and "echoing" it to a hidden buffer that was flushed to an external IP every ten minutes.

The Checkmarx Smoking Gun

The Checkmarx report, which is currently tearing through Hacker News, details an ongoing campaign targeting infrastructure engineers specifically.

The attackers aren't going for front-end devs; they are going for the people with `sudo` and `bw` access.

The campaign exploited a vulnerability in the way the Bitwarden CLI handles its **TypeScript dependencies**.

By poisoning a low-level utility library used for terminal formatting, the attackers gained execution rights every time the CLI was initialized.

Because most of us use `bw unlock --passwordenv`, we’ve been feeding the master password directly into a compromised process.

We’ve reached a point where "Zero Knowledge" is a marketing term that doesn't account for the **"last mile" of secret delivery.**

If the tool you use to retrieve the secret is compromised at the binary level, the encryption at rest doesn't matter. The secret is decrypted on *their* terms, not yours.

Why Your AI Agent Is a Security Liability

This is where it gets worse for those of us leaning into the AI revolution. I use Cursor and Claude 4.6 daily to manage infrastructure-as-code, but these tools are **"secret-blind" by design.**

When you run an AI agent that has terminal access, it frequently calls the CLI to resolve environment variables.

In my case, the compromised CLI wasn't just stealing the secrets—it was **injecting subtle "hallucinations" into the command output.**

The malicious package noticed when it was being called by an LLM-based runner. It would occasionally return a slightly modified connection string or a "service account" key that it had created itself.

My AI agent, seeing a valid-looking key, would then proceed to configure our entire staging environment using an **attacker-controlled back door.** I sat there and watched an AI I paid for build a high-speed tunnel for a hacker.

The "Zero-Knowledge" Fallacy

We’ve been lied to about the safety of local CLI tools. We assume that because Bitwarden is open-source and audited, the version running on our machine is inherently trustworthy.

But how many of us actually verify the **checksum of every CLI update** we pull? The Checkmarx campaign proved that our trust in the npm and Cargo ecosystems is a structural weakness.

The Bitwarden CLI relies on hundreds of sub-dependencies. Even if the Bitwarden team is perfect, the maintainer of a small "color-terminal" library might not be.

In 2026, the complexity of our toolchains has outpaced our ability to secure them.

When you pipe `bw get password` into a shell script, you are **trusting every single line of code** in that CLI's dependency tree with your most sensitive data.

Stop Using the CLI for Automation

If you are an infrastructure engineer, I am telling you right now: **Uninstall the Bitwarden CLI from your CI/CD runners.** Move your automation to the Bitwarden Secrets Manager (`bws`) immediately.

I know it’s how we’ve done things for years, and I was lagging behind by not migrating when it launched in 2023.

But the architecture of the standard user CLI is fundamentally broken for the **'Agentic Era' of 2026.**

We need a hard separation between secret storage and secret execution.

I spent the last 48 hours migrating our team to a hardware-backed secret injection system where secrets never touch a CLI buffer or an AI's context window.

Moving Toward "Silent" Infrastructure

The future of DevOps isn't more powerful CLIs; it's the total removal of human-readable secrets from the workflow.

We are moving toward a **"Silent Infrastructure" model** where not even the engineer knows the database password.

I’m currently testing a setup where Claude 4.6 can request "permission to deploy," but it never sees the actual credentials.

Secrets are injected at the kernel level by a hardened security module that only triggers if the binary signature matches our git history.

It’s a massive pain to set up and breaks half of my favorite shortcuts.

But after seeing my secrets leaked in real-time by a typosquatted package, **I would rather have a slow workflow than a stolen company.**

The Reality Check: Who Is Actually Safe?

Let’s be real—most companies won't do this. They will read the Checkmarx report, see that Bitwarden "technically" wasn't at fault, and keep using the CLI because changing it is "too expensive."

But if you’re a senior engineer, your job is to see the train wreck before it happens. This supply chain campaign is just the opening salvo.

With **ChatGPT 5 and Gemini 2.5** making it easier for attackers to generate malicious packages, the problem is going nuclear.

If you stay on the Bitwarden CLI, you are betting your career on the security of 400 anonymous library maintainers. I’m not a gambler; I’m an engineer.

And the **math on that bet just doesn't add up anymore.**

What You Should Do Today

If you’re reading this and feeling that pit in your stomach, here is the immediate checklist to secure your infrastructure:

1. **Audit your dependencies:** Check your `node_modules` and `cargo` caches for any Bitwarden-related packages that don't match official checksums.

2. **Rotate your Master Password:** If you’ve used the CLI in the last 30 days, assume your master password has been logged and compromised.

3. **Switch to Managed Identities:** Use IAM roles and OIDC tokens for AWS or Azure. Stop using static secrets for your AI agents entirely.

4. **Air-gap your AI context:** Never give an LLM agent direct terminal access that has an unlocked vault session active.

The "convenience" of the CLI is exactly what the attackers are counting on. They know we are tired, they know we are busy, and they know we love our automation.

But in 2026, **convenience is the primary vector for exploitation.**

Have you noticed your AI agents trying to "helpfully" access your vault, or have you already moved to hardware-backed secrets?

Let’s figure out a path forward in the comments before the next report drops.