Threat actor TeamPCP published a malicious version of the @bitwarden/cli npm package (v2026.4.0) on April 22, 2026, targeting CI/CD credential stores including npm tokens, SSH keys, and cloud provider credentials for AWS, Azure, and GCP. A self-propagation mechanism means any developer who installed the package may have unknowingly injected malicious code into downstream packages they control. No CVE has been assigned; severity is assessed as critical based on blast radius and credential exfiltration scope.
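A lockfile check for the affected release, as an added example that is not part of the advisory or of any Bitwarden tooling: it reports every place a parsed `package-lock.json` pins `@bitwarden/cli` at 2026.4.0, including nested and aliased copies. The function name `findAffected`, the sample lockfiles, and the package names `ci-helper` and `bw` are constructed for illustration.

```javascript
// Package name and version come from the advisory text above.
const BAD_NAME = "@bitwarden/cli";
const BAD_VERSION = "2026.4.0";

// Returns the install paths at which the lockfile pins the affected version.
function findAffected(lock) {
  const hits = [];
  const marker = "node_modules/" + BAD_NAME;
  // lockfileVersion 2/3: "packages" is keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root entry describes the project itself
    // Aliased installs keep the real package name in meta.name.
    const name = meta.name || (path.endsWith(marker) ? BAD_NAME : null);
    if (name === BAD_NAME && meta.version === BAD_VERSION) hits.push(path);
  }
  // lockfileVersion 1: nested "dependencies" keyed by package name.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const here = trail + "node_modules/" + name;
      if (name === BAD_NAME && meta.version === BAD_VERSION) hits.push(here);
      walk(meta.dependencies, here + "/");
    }
  };
  // v2 files carry both sections; walk "dependencies" only when
  // "packages" is absent so hits are not reported twice.
  if (!lock.packages) walk(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfiles (versions other than 2026.4.0 are made up).
const SAMPLE_V3 = { lockfileVersion: 3, packages: {
  "": { name: "constructed-app", version: "1.0.0" },
  "node_modules/@bitwarden/cli": { version: "1.0.0" },
  "node_modules/ci-helper/node_modules/@bitwarden/cli": { version: "2026.4.0" },
  "node_modules/bw": { name: "@bitwarden/cli", version: "2026.4.0" },
} };
const SAMPLE_V1 = { lockfileVersion: 1, dependencies: {
  "ci-helper": { version: "1.0.0", dependencies: {
    "@bitwarden/cli": { version: "2026.4.0" } } },
} };

console.log(findAffected(SAMPLE_V3));
console.log(findAffected(SAMPLE_V1));
```

Run it over `JSON.parse` of each repository's `package-lock.json`. A clean lockfile does not rule out exposure through a global install (`npm install -g`), which leaves no project lockfile entry.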