A 90-Minute Bitwarden npm Backdoor Targeted Your Claude MCP Config

Between 5:57 PM and 7:30 PM ET on April 22, a malicious build of @bitwarden/cli, versioned 2026.4.0, was live on npm. Ninety minutes. Roughly 334 developers were reportedly hit across the broader campaign it belonged to (the one exfiltrating to a Checkmarx-typosquat domain). That's the part that got the headline.

The part that didn't get the headline is the line every solo operator running Claude Code, Codex CLI, Cursor, Aider, or Kiro should read twice: the malware's collectors specifically scanned for ~/.claude/mcp.json and equivalent MCP config files across the AI-coding-tool ecosystem. Researchers are calling it the first analyzed npm compromise that explicitly weaponizes AI coding tooling.

It is not the last.

What actually happened

The malicious @bitwarden/cli@2026.4.0 was published to npm at 5:57 PM ET on April 22 and pulled at 7:30 PM. The payload lived in bw1.js. Collected data was encrypted with AES-256-GCM and posted to audit.checkmarx[.]cx, a typosquat of Checkmarx's domain, with a GitHub repo as a fallback channel. If you installed or updated the package in that window, pin back to 2026.3.0 or switch to Bitwarden's signed binaries from their website, and rotate every credential the package could plausibly have reached, starting with whatever was sitting in the MCP configs described below. Because the exfil channel was encrypted, a packet capture will not tell you what left the machine; assume everything the collectors could read is gone.
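If you would rather check than remember, the script below (added here; not Bitwarden's or npm's code) walks any directory you point it at, such as a project's node_modules or the global tree printed by npm root -g, for installed copies of @bitwarden/cli, reads each package.json version, and also looks for the bw1.js payload file, since a version check alone misses a repackaged copy. The throwaway install tree that demo() builds is constructed for the demonstration, and its bw1.js is an empty stand-in, not the payload.

```python
"""Added example: locate installed copies of @bitwarden/cli and flag the
withdrawn 2026.4.0 build.  Not Bitwarden's or npm's code.  It walks a
directory tree you point it at, so it works offline; the sample tree built
by demo() is constructed for illustration only."""
import json
import os
import sys
import tempfile
from pathlib import Path

PACKAGE = "@bitwarden/cli"
BAD_VERSION = "2026.4.0"      # the build that was live on npm for ~90 minutes
PAYLOAD_FILE = "bw1.js"       # the file that carried the malicious payload


def find_installs(root):
    """Return one record per @bitwarden/cli package found under `root`."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        here = Path(dirpath)
        if here.name != "cli" or here.parent.name != "@bitwarden":
            continue
        if "package.json" not in filenames:
            continue
        dirnames[:] = []                     # don't descend into its own node_modules
        try:
            meta = json.loads((here / "package.json").read_text())
        except (OSError, ValueError):
            continue                         # unreadable or not JSON; skip it
        if meta.get("name") != PACKAGE:
            continue
        version = str(meta.get("version", ""))
        payload = (here / PAYLOAD_FILE).exists()
        findings.append({
            "path": str(here),
            "version": version,
            "bad_version": version == BAD_VERSION,
            "payload_present": payload,
            # Either signal alone is enough to treat the host as compromised.
            "compromised": version == BAD_VERSION or payload,
        })
    return findings


def make_sample_install(project, version, with_payload):
    """Build a fake install for the demo (constructed; bw1.js is an empty stand-in)."""
    pkg = Path(project) / "node_modules" / "@bitwarden" / "cli"
    pkg.mkdir(parents=True, exist_ok=True)
    (pkg / "package.json").write_text(json.dumps({"name": PACKAGE, "version": version}))
    if with_payload:
        (pkg / PAYLOAD_FILE).write_text("")
    return pkg


def demo():
    """Scan a throwaway tree holding one clean and one compromised project."""
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_install(Path(tmp) / "clean-project", "2026.3.0", False)
        make_sample_install(Path(tmp) / "hit-project", BAD_VERSION, True)
        return sorted(find_installs(tmp), key=lambda f: f["version"])


if __name__ == "__main__":
    # Usage: python check_bw.py [dir ...]   e.g. the directory printed by `npm root -g`
    results = [f for d in sys.argv[1:] for f in find_installs(d)] if len(sys.argv) > 1 else demo()
    for f in results:
        print(f"{'COMPROMISED' if f['compromised'] else 'ok':12} {f['version']:10} {f['path']}")
    sys.exit(1 if any(f["compromised"] for f in results) else 0)
```

A clean scan of node_modules is not the end of it: a lockfile that pins 2026.4.0, or npm's local tarball cache, will happily put the bad build back on the next install, so fix the lockfile before you reinstall.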

That much is a standard npm supply chain incident report. The interesting part is the collector behavior.

Why "targeted Claude MCP" matters

The collector probed $PATH for claude, gemini, codex, kiro, aider, and opencode. For each binary it found, it then walked the home directory looking for that tool's MCP-related JSON config files and pulled them.

What's in mcp.json? Tool wiring. Server URLs. Auth tokens. And, for many of us, embedded API keys for downstream services. If your mcp.json had a Linear token, a Notion key, a Sentry DSN, or an internal API URL with a baked-in bearer token, that token was in the exfil package.

This is structurally a new threat shape, not just another typosquat. MCP configs are becoming the central credential bundle for solo devs in 2026. They live in your home directory. They're rarely audited. They're trivially parseable JSON. And unlike .env files, which are at least gitignored by habit and watched by every secret scanner, mcp.json is absent from most people's threat model. The attacker has noticed. Your defensive posture needs to update.

The 20-minute hardening pass

Four steps, do them this week.

Move every secret out of mcp.json. Reference secrets by environment variable and keep the values in your OS keychain (macOS Keychain, 1Password CLI, pass) or a secrets manager; the file itself should contain references, not values. Several clients, Claude Code included, expand ${VAR} references in the config when they launch a server, and a stdio server's env block is simply handed to the child process, so the server never knows the difference. Most server READMEs never mention this because the README wants the quickstart to work in 30 seconds. Check your client's documentation for its exact expansion syntax before you rely on it.

Audit which MCP servers you actually use. Open your mcp.json and read every entry. For each one, ask: when did I last use this? If it's been a month, delete it. The attack surface scales with the number of wired-in servers. Most solo devs I know have 8–15 MCP servers configured and use 3.

Track your AI tool config directories. Add ~/.claude/, ~/.cursor/, ~/.aider/, and any others you have to a private git repo. Do this only after the first step, though: a repo full of live tokens is just a second copy of the credential bundle. Commit weekly and read the diff before you commit. If a malicious tool has modified them, that's where you'll see it. This is unsexy and it works.

Subscribe to upstream advisories. GitHub Security Advisories are free per repo. Subscribe for every package in your package.json that's wired into your AI tooling. An advisory would not have beaten this 90-minute window, but it shortens the gap between a maintainer's warning and your rotation: if the maintainer ships an advisory at 2 PM, you don't want to learn about it at 11 PM from a tweet.
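The first step of the pass, and the "what's in mcp.json" question above, as an added example (not code from the post or from any MCP client): the script reads a config in the common mcpServers layout, finds every literal credential using the same kind of walk the collector did (key names that smell like secrets, Authorization-style header values, URLs with a key in the userinfo slot such as a DSN, and --api-key=... style CLI args), and rewrites each one to a ${VAR} reference, returning the variable-to-secret map you then put in your keychain. The sample config is constructed with placeholder tokens; the assumption that your client expands ${VAR} in env, headers, url and args holds for Claude Code, and should be checked for anything else.

```python
"""Added example, not code from the post or from any MCP client: audit an MCP
config for literal credentials and rewrite them as ${VAR} references.
Assumes the {"mcpServers": {name: {...}}} layout and a client that expands
${VAR} at launch.  The detection patterns are heuristics; extend them."""
import copy
import json
import re
import sys

ENV_REF_RE = re.compile(r"^\$\{[A-Za-z_][A-Za-z0-9_]*(?::-[^}]*)?\}$")  # ${VAR} / ${VAR:-default}
SECRETISH_KEY_RE = re.compile(r"token|secret|key|passw|dsn|auth|cred", re.I)
ARG_FLAG_RE = re.compile(r"^(--?[\w-]*(?:token|key|secret|passw)[\w-]*)=(.+)$", re.I)
BEARER_RE = re.compile(r"^(?:Bearer|Basic|Token)\s+\S+", re.I)
URL_USERINFO_RE = re.compile(r"^[a-z][a-z0-9+.-]*://[^/@\s]+@", re.I)   # https://key@host (DSN-style)
TOKEN_PREFIX_RE = re.compile(r"^(?:sk-|ghp_|github_pat_|xox[abp]-|lin_api_|ntn_)")

# Constructed sample config; every credential below is a placeholder, not a real token.
SAMPLE_CONFIG = {
    "mcpServers": {
        "linear": {"command": "npx", "args": ["-y", "linear-mcp-server"],
                   "env": {"LINEAR_API_KEY": "lin_api_EXAMPLE0000000000"}},
        "sentry": {"type": "http", "url": "https://EXAMPLEKEY@o0.ingest.example.net/1"},
        "internal": {"type": "http", "url": "https://mcp.internal.example/sse",
                     "headers": {"Authorization": "Bearer eyJEXAMPLE.payload.sig"}},
        "wiki": {"command": "wiki-mcp", "args": ["--api-key=EXAMPLE-wiki-key-123"]},
        "filesystem": {"command": "npx",
                       "args": ["-y", "@modelcontextprotocol/server-filesystem", "/tmp"]},
        "notion": {"command": "notion-mcp", "env": {"NOTION_TOKEN": "${NOTION_TOKEN}"}},
    }
}


def _walk(node, path=()):
    """Yield (path, value) for every string leaf in a JSON-like tree."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from _walk(v, path + (k,))
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from _walk(v, path + (i,))
    elif isinstance(node, str):
        yield path, node


def looks_like_secret(path, value):
    """True for a literal credential; False for an empty value or a ${VAR} reference."""
    if not value:
        return False
    flag = ARG_FLAG_RE.match(value)                  # "--api-key=..." style CLI args
    candidate = flag.group(2) if flag else value
    if ENV_REF_RE.match(candidate):
        return False                                 # already externalized
    if flag:
        return True
    key = str(path[-1]) if path else ""
    return bool(SECRETISH_KEY_RE.search(key) or BEARER_RE.match(value)
                or URL_USERINFO_RE.match(value) or TOKEN_PREFIX_RE.match(value))


def find_embedded_secrets(config):
    """Paths (tuples of keys/indices) of every embedded credential in the config."""
    return [p for p, v in _walk(config) if looks_like_secret(p, v)]


def _var_name(path):
    """MCP_<SERVER>_<KEY>, collapsing the server name when the key already carries it."""
    server, leaf = (str(path[1]) if len(path) > 1 else "mcp"), str(path[-1])
    stem = leaf if leaf.upper().startswith(server.upper()) else f"{server}_{leaf}"
    return "MCP_" + re.sub(r"[^A-Za-z0-9]+", "_", stem).strip("_").upper()


def externalize(config):
    """Return (rewritten config, {ENV_VAR: secret}); the input is left untouched."""
    rewritten, env = copy.deepcopy(config), {}
    for path in find_embedded_secrets(config):
        node = rewritten
        for step in path[:-1]:
            node = node[step]
        value = node[path[-1]]
        m = ARG_FLAG_RE.match(value)
        if m:                                        # keep the flag, reference the value
            var = _var_name(path[:-1] + (m.group(1).lstrip("-"),))
            node[path[-1]], secret = f"{m.group(1)}=${{{var}}}", m.group(2)
        else:
            var = _var_name(path)
            node[path[-1]], secret = f"${{{var}}}", value
        env[var] = secret
    return rewritten, env


if __name__ == "__main__":
    # Usage: python mcp_audit.py ~/.claude/mcp.json > mcp.json.new
    cfg = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_CONFIG
    new_cfg, env = externalize(cfg)
    print(json.dumps(new_cfg, indent=2))
    for var in env:                                  # values deliberately not printed
        print(f"store {var} in your keychain and export it before launching the client", file=sys.stderr)
```

On the sample, four entries are rewritten (the Linear key, the DSN-style Sentry URL, the internal bearer header and the wiki server's --api-key argument), the already-externalized Notion token and the filesystem server are left alone, and a second pass over the output finds nothing. Delete mcp.json.new's predecessor only once the client starts every server with the variables exported; a broken reference fails loudly, which is the point.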

The package-manager-level question

Should npm install for any package require explicit human approval if the version was published in the last 6 hours?

Bun and pnpm could ship this as a flag in a week; pnpm in fact already exposes a minimumReleaseAge setting that does exactly this, but it is opt-in and off by default, so the vast majority of installs run without it. That it still isn't the default after Shai-Hulud round one in September, round two in March, and now round three with Bitwarden is the actual story. The structural fix is in package-manager UX, not in solo-dev vigilance. Vigilance doesn't scale and it doesn't survive a tired Tuesday evening when you're pasting an npm install from an LLM-generated README.
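The gate the question above asks for, written out as an added example (not npm's, pnpm's or Bun's code): take the registry's metadata document for a package (registry.npmjs.org serves one per package, with a time map of version to publish timestamp and a dist-tags map), resolve the requested version or tag, compute how old it is, and refuse anything younger than a configurable floor while naming the newest version that does clear it. The metadata below is constructed for a hypothetical package; only the shape of the maps matches the real registry.

```python
"""Added example (not npm's, pnpm's or Bun's code): a release-age gate of the
kind the post asks for.  `metadata` is the document registry.npmjs.org
returns for a package; only its `dist-tags` and `time` maps are used."""
from datetime import datetime, timedelta, timezone

# Constructed metadata for a hypothetical package: the shape of the `time`
# map (version -> publish timestamp) is the registry's, the values are invented.
SAMPLE_METADATA = {
    "name": "example-cli",
    "dist-tags": {"latest": "2.4.0"},
    "time": {
        "created": "2024-01-10T12:00:00.000Z",
        "modified": "2026-04-22T21:57:00.000Z",
        "2.3.0": "2026-03-02T09:15:00.000Z",
        "2.4.0": "2026-04-22T21:57:00.000Z",   # pushed 33 minutes before DEMO_NOW
    },
}
DEMO_NOW = datetime(2026, 4, 22, 22, 30, tzinfo=timezone.utc)
DEFAULT_MIN_AGE = timedelta(hours=6)


def _parse(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def _versions(metadata):
    """Version keys of `time`: skip created/modified and the dict an unpublish leaves behind."""
    return [v for v, t in metadata.get("time", {}).items()
            if v not in ("created", "modified") and isinstance(t, str)]


def release_age(metadata, version, now):
    """Age of `version` as a timedelta, or None if the registry never saw it."""
    published = metadata.get("time", {}).get(version)
    return now - _parse(published) if isinstance(published, str) else None


def newest_allowed(metadata, now, min_age=DEFAULT_MIN_AGE):
    """Most recently published version that is at least `min_age` old, or None."""
    old_enough = [v for v in _versions(metadata) if release_age(metadata, v, now) >= min_age]
    return max(old_enough, key=lambda v: _parse(metadata["time"][v]), default=None)


def gate(metadata, spec, now, min_age=DEFAULT_MIN_AGE):
    """Decide for a version or dist-tag: ("allow" | "block" | "unknown", detail)."""
    version = metadata.get("dist-tags", {}).get(spec, spec)    # "latest" -> "2.4.0"
    age = release_age(metadata, version, now)
    if age is None:
        return "unknown", f"{version} is not in the registry's time map"
    if age < min_age:
        fallback = newest_allowed(metadata, now, min_age)
        return "block", (f"{version} was published {age} ago, under the {min_age} floor; "
                         f"newest version that clears it: {fallback}")
    return "allow", f"{version} was published {age} ago"


def demo():
    """Run the gate at a fixed moment so the result is reproducible."""
    return {spec: gate(SAMPLE_METADATA, spec, DEMO_NOW)[0]
            for spec in ("latest", "2.3.0", "2.4.0", "9.9.9")}


if __name__ == "__main__":
    for spec, decision in demo().items():
        print(f"{decision:8} {spec:8} {gate(SAMPLE_METADATA, spec, DEMO_NOW)[1]}")
```

A six-hour floor would have blocked the 90-minute Bitwarden window outright, and "latest" resolving to a too-young version falls back to 2.3.0 rather than failing. It is a delay, not a verification: a malicious version that survives on the registry past the floor walks straight through, which is why the floor belongs next to advisories, not in place of them.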

Until vendors ship that flag, vigilance is what we have. Annoying, but real.

The honest read

This attack class will keep getting better targeted. The Bitwarden incident is the proof of concept; the next one will be more polished. Expect collectors that read your MCP config, parse the embedded tokens, and pivot into the named services in real time, before the package gets pulled. The 90-minute window was a forcing function for the attacker too: they'll work on shrinking the time from payload to pivot as much as on stretching the time to takedown.

If you're a solo dev who lives in Claude Code, you have a credential bundle (mcp.json) that's structurally a higher-value target than your .env ever was. The Bitwarden attack on April 22 was the first one that explicitly knew this. The defensive playbook is specifically a solo-operator playbook — because we're the ones running 8–15 MCP servers without a security team to review the permissions.

Move the secrets out of the config file. Trim the wiring you don't use. Subscribe to advisories. Spend the 20 minutes this week.

The next attack is already in someone's drafts folder.
