Two Types of npm Supply Chain Attack: What Catches Each

A recent npm supply chain attack on Bitwarden's @bitwarden/cli compromised version 2026.4.0 through a GitHub Actions workflow in the project's CI/CD pipeline. This is structurally different from the 2021 ua-parser-js attack, which was a credential compromise: there the attacker published from a hijacked account, whereas here the malicious change entered through the build itself. The Bitwarden case shows why the build environment needs the same protection as publishing credentials. Developers should understand the distinction between these two attack types and defend their dependencies accordingly, which includes monitoring for unusual GitHub Actions workflows and ensuring their CI/CD pipelines are secure.
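As an added example (not code from the page, from Bitwarden, or from the CI pipeline it describes), here is a small stdlib-only Python linter for the "secure the CI/CD pipeline" side of the distinction: it flags three weaknesses that reviewers commonly check in a publishing workflow. The sample workflow and the 40-character commit SHA in it are constructed for illustration, and the rules are general workflow hygiene, not a claim about how the Bitwarden workflow was compromised.

```python
import re

# Constructed sample workflow (hypothetical; not Bitwarden's real workflow).
# The SHA on setup-node is a made-up placeholder of the right shape.
SAMPLE_WORKFLOW = """\
name: publish
on:
  pull_request_target:
  push:
    tags: ['v*']
permissions: write-all
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8
      - run: npm ci && npm publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

SHA_PIN = re.compile(r"^[0-9a-f]{40}$")
USES = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.M)
PR_TARGET = re.compile(r"^\s*pull_request_target\s*:", re.M)
PR_HEAD_REF = re.compile(r"github\.event\.pull_request\.head")
WRITE_ALL = re.compile(r"^\s*permissions:\s*write-all\s*$", re.M)


def lint_workflow(text):
    """Return a list of (rule, detail) findings for one workflow file's text."""
    findings = []
    # Rule 1: actions referenced by a mutable tag or branch instead of a commit SHA.
    # A tag can be moved by whoever controls the action's repo; a SHA cannot.
    for m in USES.finditer(text):
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local or container references are out of scope here
        _, _, version = ref.partition("@")
        if not SHA_PIN.match(version):
            findings.append(("unpinned-action", ref))
    # Rule 2: pull_request_target runs with repository secrets; checking out the
    # PR head in that context lets untrusted code run with those secrets.
    if PR_TARGET.search(text) and PR_HEAD_REF.search(text):
        findings.append(("privileged-pr-checkout", "pull_request_target + checkout of PR head"))
    # Rule 3: blanket write permissions for the job token.
    if WRITE_ALL.search(text):
        findings.append(("broad-token-permissions", "permissions: write-all"))
    return findings
```

Run it over every file under `.github/workflows/` in a dependency's repository as part of review, and treat any finding in a workflow that holds a publish token as a blocker.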

FeedLens