Bitwarden CLI

registrynpm

package name@bitwarden/cli

maintainerBitwarden

The Bitwarden CLI is the command-line interface for the Bitwarden password manager, used in scripts and CI/CD pipelines to retrieve secrets from a Bitwarden vault. It authenticates to the Bitwarden API using an API key or session token and returns secrets in plaintext for use in shell scripts.

api usage

Checking Bitwarden CLI

@bitwarden/cli 2026.4.0 is a clean version with no known supply chain compromise. The response returns compromised: false with an empty sources array.

bash

curl "https://api.attestd.io/v1/check?product=%40bitwarden%2Fcli&version=2026.4.0" \
  -H "Authorization: Bearer YOUR_API_KEY"

json

{
  "product": "@bitwarden/cli",
  "version": "2026.4.0",
  "supported": true,
  "risk_state": "none",
  "supply_chain": {
    "compromised": false,
    "sources": [],
    "malware_type": null,
    "description": null,
    "advisory_url": null,
    "compromised_at": null,
    "removed_at": null
  },
  "last_updated": "2026-05-01T00:00:00Z"
}

attack surface

Why this package is monitored

Password manager CLI packages are used specifically to retrieve and expose secrets in plaintext for consumption by other tools. A backdoored version can capture all retrieved secrets and the Bitwarden authentication token at the point of retrieval.

Attestd monitors @bitwarden/cli using the following detection sources:

registry

Manually curated advisories in the Attestd registry, verified by a human analyst. Confidence 1.0.

osv

OSV.dev malicious-package advisories with IDs prefixed MAL-. Confidence 0.95.

npm_deprecation

npm package versions with deprecation messages containing targeted attack language such as malicious, backdoor, or compromised. Confidence 0.80.

Supply chain overview All npm packages jsonwebtoken Passport.js Response fields