On April 23, 2026, @bitwarden/cli was compromised as part of the ongoing Checkmarx supply chain campaign. Malicious code was injected into version 2026.4.0 via a GitHub Actions workflow in Bitwarden's own CI/CD pipeline. The package had 9 maintainers, nearly 78K weekly downloads, and a behavioral trust score of 92 out of 100.

Three days later, this is still being discussed as a "supply chain attack", which is accurate but flattening. The category is real. The mechanism is completely different from the ua-parser-js attack in 2021, and the defenses that would have helped are mostly non-overlapping. That distinction matters if you're trying to actually protect your dependencies rather than check a compliance box.

Category 1: Credential compromise

In October 2021, ua-parser-js was compromised. The package had roughly 8 million weekly downloads and a single maintainer. Attackers phished that maintainer's npm credentials and published three malicious versions in quick succession. …
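The two paragraphs above make a claim that is easier to see in code than in prose: a release pushed with a phished maintainer token (the ua-parser-js mechanism) and a release built by a project's own compromised CI workflow (the @bitwarden/cli mechanism) look different in the registry, so a check that catches one says nothing about the other. The script below is an added example, not code from the article or from either project. It runs two checks over constructed packuments: a "provenance regression" check (every earlier version carried an npm provenance attestation, this one does not) and a hypothetical minimum-age cooldown. Field names follow the public npm registry document format (`time[version]`, `versions[version].dist.attestations.provenance`); the package names, timestamps, the `NOW` date and the 7-day cooldown are all assumptions. npm provenance did not exist in 2021, so the first case is the modern analogue of a token theft, not a replay of the 2021 incident.

```python
"""Which downstream check would have flagged a given npm release?

Added example with constructed data. Registry field names follow the public npm
packument format; everything else (names, dates, cooldown) is assumed.
"""
from datetime import datetime, timedelta, timezone

# Assumed "today" for the cooldown check (the events discussed are dated April 2026).
NOW = datetime(2026, 4, 26, tzinfo=timezone.utc)
# Hypothetical minimum age a new version must reach before it is adopted.
COOLDOWN = timedelta(days=7)


def _published_at(packument, version):
    # Packuments carry one ISO-8601 publish timestamp per version under "time".
    return datetime.fromisoformat(packument["time"][version].replace("Z", "+00:00"))


def _has_provenance(version_doc):
    # A version published with `npm publish --provenance` (i.e. from a supported CI
    # runner) exposes dist.attestations.provenance in the registry document.
    attestations = version_doc.get("dist", {}).get("attestations") or {}
    return "provenance" in attestations


def assess(packument, version, now=NOW, cooldown=COOLDOWN):
    """Return findings for one published version of a package.

    provenance_regression: every earlier version had provenance but this one lacks it.
        A release pushed with a stolen user token from an attacker's machine looks
        like this; a release built by the project's own (compromised) CI does not,
        because that CI signs it exactly as it signs legitimate releases.
    too_new: the version is younger than the cooldown window. This catches both
        cases, at the cost of delaying every legitimate upgrade by the same window.
    """
    versions = packument["versions"]
    if version not in versions:
        raise KeyError(f"{packument['name']}@{version} not in packument")
    when = _published_at(packument, version)
    earlier = [v for v in versions if v != version and _published_at(packument, v) < when]
    all_earlier_attested = bool(earlier) and all(_has_provenance(versions[v]) for v in earlier)
    return {
        "provenance_regression": all_earlier_attested and not _has_provenance(versions[version]),
        "too_new": (now - when) < cooldown,
    }


def _version_doc(attested):
    # Minimal constructed version document; only the fields the checks read.
    doc = {"dist": {"tarball": "https://registry.example/placeholder.tgz"}}
    if attested:
        doc["dist"]["attestations"] = {
            "url": "https://registry.example/-/npm/v1/attestations/placeholder",
            "provenance": {"predicateType": "https://slsa.dev/provenance/v1"},
        }
    return doc


# Constructed case 1: a maintainer's token is phished and the attacker publishes from
# their own machine, so 1.0.2 has no provenance although every earlier version did.
STOLEN_TOKEN_PKG = {
    "name": "example-single-maintainer",
    "time": {
        "1.0.0": "2025-11-02T10:00:00.000Z",
        "1.0.1": "2026-01-15T10:00:00.000Z",
        "1.0.2": "2026-04-20T08:30:00.000Z",
    },
    "versions": {
        "1.0.0": _version_doc(attested=True),
        "1.0.1": _version_doc(attested=True),
        "1.0.2": _version_doc(attested=False),
    },
}

# Constructed case 2: the project's own release workflow is compromised; 3.2.0 is
# built and attested by that workflow, so its provenance is present and valid.
CI_COMPROMISE_PKG = {
    "name": "example-ci-published",
    "time": {
        "3.0.0": "2025-12-01T10:00:00.000Z",
        "3.1.0": "2026-02-01T10:00:00.000Z",
        "3.2.0": "2026-04-23T14:00:00.000Z",
    },
    "versions": {
        "3.0.0": _version_doc(attested=True),
        "3.1.0": _version_doc(attested=True),
        "3.2.0": _version_doc(attested=True),
    },
}

if __name__ == "__main__":
    for pkg, ver in ((STOLEN_TOKEN_PKG, "1.0.2"), (CI_COMPROMISE_PKG, "3.2.0")):
        print(pkg["name"], ver, assess(pkg, ver))
```

Run stand-alone, the first package is flagged by the provenance check and the second is not, while both are flagged by the cooldown. That is the non-overlap in the article's terms: a provenance or publisher-identity control addresses credential compromise only when the package already has a consistent attested history, and it is blind to a release the legitimate pipeline itself produced; the cooldown is category-agnostic but only buys time for someone else to notice.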