What’s happened: On Tuesday night a malicious version of the @bitwarden/cli npm package briefly replaced the real one. For roughly 90 minutes, anyone who installed or updated the CLI through npm received a package that quietly tried to harvest SSH keys, cloud credentials, GitHub tokens and more from the machine it landed on. As reported by BleepingComputer, the attackers compromised a GitHub Action inside Bitwarden’s own build pipeline, so the rogue release went out through Bitwarden’s legitimate publishing process and looked entirely genuine. Bitwarden says no end-user vaults were accessed, and a CVE is being issued for the affected version, 2026.4.0.
Why wealth managers should care: The Bitwarden vault itself wasn’t the target; the developer tooling around it was. That is the whole point of a supply-chain attack: you don’t break into the castle, you slip something into the plumbing. For a wealth management firm, the exposure isn’t just “do we use Bitwarden’s CLI”; it’s “do any of our suppliers, platforms, integrators or fintech partners build on tools that could be poisoned the same way?” Client portals, advice software, tax integrations and custodian APIs all run on stacks full of third-party packages, most of them pulled in indirectly and never reviewed by anyone at the firm. Under Australia’s Privacy Act and the reforms rolling out through 2026, breaches involving client financial information carry significant penalties and notification obligations.
What to do this week:
- Ask any internal or outsourced developers whether they installed or updated the Bitwarden CLI on or after 22 April. That includes build servers and CI/CD runners, not just laptops. If the answer is yes, check which version is actually on the machine (the bad release is 2026.4.0) and treat the host as compromised: rotate every credential that was on it, including cloud keys, SSH keys, API tokens and GitHub tokens, and revoke the old ones rather than simply issuing new ones alongside them.
- Turn on multi-factor authentication for your password manager master account, and rotate any shared vault items (service passwords, API keys) that your team used on potentially exposed machines.
- Pin package versions and require approval before updates in any CI/CD pipeline you run or pay someone to run: commit a lockfile, install from it rather than from whatever the registry serves today, and make a dependency bump a reviewed change. A 90-minute window only hurts you if your build quietly picks up whatever is newest at that moment. That’s how you avoid being an easy second-stage victim.
- Raise the question with your key technology vendors: what do their supply-chain defences actually look like? Serious providers will welcome the question.
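As an added illustration of the first and third steps, here is a small POSIX shell check written for this page (it is not Bitwarden’s code and not from the BleepingComputer report). It scans npm lockfiles for the 2026.4.0 release named above, assuming lockfileVersion 2 or 3 (the current format, where each installed package is a "node_modules/<name>" key followed by a "version" line); the two sample lockfiles it builds are constructed for the demo, and the filename `check-lock.sh` in the usage note is just a placeholder.

```shell
#!/bin/sh
# Added example (not Bitwarden's or BleepingComputer's code): scan package-lock.json
# files for the @bitwarden/cli release named in the report, 2026.4.0.
# Assumes lockfileVersion 2 or 3, where each installed package is a
# "node_modules/<name>" key followed by a "version" line.

AFFECTED_PKG="@bitwarden/cli"
AFFECTED_VERSION="2026.4.0"

# installed_versions LOCKFILE PKG
# Prints every version of PKG recorded in LOCKFILE, one per line. Nested copies
# (".../node_modules/foo/node_modules/<PKG>") are reported too.
installed_versions() {
  awk -v pkg="[\"/]node_modules/$2\"" '
    $0 ~ pkg               { inpkg = 1; next }
    inpkg && /"version":/  { v = $2; gsub(/[",]/, "", v); print v; inpkg = 0 }
    inpkg && /^[ \t]*}/    { inpkg = 0 }
  ' "$1"
}

# is_affected LOCKFILE
# Exit 0 when the lockfile pins the affected release anywhere in the tree.
is_affected() {
  installed_versions "$1" "$AFFECTED_PKG" | grep -qxF "$AFFECTED_VERSION"
}

# Constructed sample lockfiles for the demo; the entries are invented and are
# not real Bitwarden artefacts. Each function prints the temp file path.
sample_lock_affected() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
{
  "name": "portal-tooling",
  "lockfileVersion": 3,
  "packages": {
    "": {
      "name": "portal-tooling",
      "devDependencies": { "@bitwarden/cli": "^2026.4.0" }
    },
    "node_modules/@bitwarden/cli": {
      "version": "2026.4.0",
      "dev": true
    },
    "node_modules/lodash": {
      "version": "4.17.21"
    }
  }
}
EOF
  printf '%s\n' "$f"
}

sample_lock_clean() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
{
  "name": "portal-tooling",
  "lockfileVersion": 3,
  "packages": {
    "node_modules/@bitwarden/cli": {
      "version": "0.0.0-constructed"
    }
  }
}
EOF
  printf '%s\n' "$f"
}

# Check the lockfiles named on the command line; with no arguments, run the
# two constructed samples so the script demonstrates both outcomes.
demo=""
if [ "$#" -eq 0 ]; then
  set -- "$(sample_lock_affected)" "$(sample_lock_clean)"
  demo=1
fi
for lock in "$@"; do
  if is_affected "$lock"; then
    echo "$lock: $AFFECTED_PKG $AFFECTED_VERSION present - treat this host as compromised and rotate its keys"
  else
    echo "$lock: clean ($AFFECTED_PKG versions: $(installed_versions "$lock" "$AFFECTED_PKG" | tr '\n' ' '))"
  fi
  if [ -n "$demo" ]; then rm -f "$lock"; fi
done
```

Run it against a repository’s committed lockfile (`sh check-lock.sh path/to/package-lock.json`) or put it in the pipeline ahead of `npm ci`; a real gate would exit non-zero on a hit instead of only printing. The same lockfile is what makes the pinning advice above concrete: `npm ci` installs exactly what the lockfile records and refuses to proceed if `package.json` and the lockfile disagree, so a dependency bump has to arrive as a reviewed commit rather than as whatever the registry happened to serve during a 90-minute window. Setting `save-exact=true` in `.npmrc` stops new dependencies being recorded as ranges, and `ignore-scripts=true` keeps install-time hooks from executing at all; the report does not say how this particular payload ran, so treat that last one as general hardening rather than a specific fix. For a CLI installed globally rather than in a project, `npm ls -g @bitwarden/cli` shows the version on the machine.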
If you want a proper look at where your firm is exposed on supply-chain risk, our team works with wealth management and financial services businesses across Australia to tighten these blind spots before they hurt.