On April 22, 2026, the official @bitwarden/cli@2026.4.0 npm package was malicious for ~90 minutes. A self-propagating worm exfiltrated AWS, Azure, GCP, GitHub, npm, SSH, and AI tooling credentials from CI runners. Vaults stayed safe. CI tokens did not. Timeline, NHI kill-chain mapping, and a 10-minute checklist to know whether you were affected.
Vercel confirmed an unauthorized-access incident on April 19, 2026 that started in a third-party AI tool, pivoted through Google Workspace, and reached environment variables in a subset of customer projects. The exposure surface is every env var that was not marked sensitive. Here is what is confirmed, what is noise, and what to rotate first.
Secret scanning alert: Resolved. Credential status: Active. Deleting a secret from code is not the same as revoking it. Inside the Zombie Key kill chain.
A .env file pushed to a public GitHub repo is found by attacker bots in 4 minutes. We map the full kill chain — from credential exposure to infrastructure compromise and show how to detect and respond before the damage is done.
Complete guide to git secret scanning tools. Compare TruffleHog, GitGuardian, GitHub Advanced Security, and Cremit. Learn implementation strategies with real CI/CD examples