The MSP Minute ⏱ Monday 27 April 2026
For Managed Service Providers still a bit tired from the weekend... a password manager was briefly turned into a weapon... remote support tool vulnerabilities... and new AI tools go live on Friday.
🔴 Bitwarden's command-line tool was hijacked to steal credentials from developer machines
If any of your clients use Bitwarden in their development or automation workflows, this one needs attention today.
On April 22, attackers injected malicious code into version 2026.4.0 of the Bitwarden CLI, the command-line version of the password manager used by developers and IT teams in automated pipelines.
The malicious package was live for just 90 minutes, but during that window it silently stole SSH keys, cloud credentials, API tokens, and environment variables from any machine that downloaded it, then exfiltrated everything to attacker-controlled GitHub repositories. BleepingComputer
Only 334 downloads of the malicious version took place, but as security firm StepSecurity noted, a single compromised developer machine can become a pivot point for a much larger attack. The Hacker News
Bitwarden confirmed that no end-user vault data was affected. The safe version is 2026.4.1. If anyone in your clients’ teams uses the Bitwarden CLI and may have updated on April 22 between 6pm and 7:30pm ET, treat that machine as compromised.
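A fleet-triage sketch for the exposure window above, added here as an example (it is not Bitwarden's or StepSecurity's code). It reads CLI install/update events and flags any host that pulled 2026.4.0, or an unrecorded version inside the 6pm to 7:30pm ET window, even if that host has since moved to 2026.4.1. The CSV columns, host names and sample rows are constructed assumptions.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# April 22 falls in daylight time, so ET here is EDT (UTC-4).
EDT = timezone(timedelta(hours=-4))
BAD_VERSION = "2026.4.0"
WINDOW_START = datetime(2026, 4, 22, 18, 0, tzinfo=EDT)
WINDOW_END = datetime(2026, 4, 22, 19, 30, tzinfo=EDT)

# Constructed sample: one row per CLI install/update event (assumed export format).
SAMPLE_EVENTS = """host,installed_at,version
build-01,2026-04-22T22:41:07+00:00,2026.4.0
build-01,2026-04-23T09:15:00+00:00,2026.4.1
dev-laptop-7,2026-04-22T18:55:12-04:00,
ci-runner-3,2026-04-22T21:59:59+00:00,2026.3.1
ops-02,2026-04-24T08:00:00+00:00,2026.4.1
"""


def triage(events_csv):
    """Return {host: reason} for every host to treat as compromised."""
    flagged = {}
    for row in csv.DictReader(io.StringIO(events_csv)):
        # Timestamps carry their own UTC offset, so mixed time zones compare correctly.
        when = datetime.fromisoformat(row["installed_at"])
        version = (row["version"] or "").strip()
        in_window = WINDOW_START <= when <= WINDOW_END
        if version == BAD_VERSION:
            reason = "installed " + BAD_VERSION
        elif not version and in_window:
            reason = "unknown version installed inside the window"
        else:
            continue
        # Keep the first reason; a later clean update does not clear the host.
        flagged.setdefault(row["host"], reason)
    return flagged


if __name__ == "__main__":
    for host, reason in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"{host}: treat as compromised ({reason})")
```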
🟡 CISA just flagged actively exploited vulnerabilities in a remote support tool used by MSPs
This one landed on Friday and it’s worth checking first thing this morning.
CISA added two SimpleHelp vulnerabilities to its Known Exploited Vulnerabilities catalog on April 25, setting a federal remediation deadline of May 8. SimpleHelp is a remote support and monitoring tool used by MSPs and IT teams to access client machines. The Hacker News
The more serious of the two flaws allows a low-privileged technician account to generate API keys with admin-level permissions, effectively handing an attacker the keys to the whole system. These vulnerabilities are not new, but active exploitation has now been confirmed.
If you run SimpleHelp, check your version today. Versions 5.5.7 and earlier are vulnerable. The patch has been available since January. But if it hasn’t been applied, this needs to happen now.
🟢 Microsoft's new AI products go live on Friday. Here's what to tell clients
Short one, but timely.
Microsoft 365 E7 and Microsoft Agent 365 will be generally available this Friday, May 1. Agent 365 is positioned as a control plane for observing, governing, and securing AI agents across Microsoft-built, partner-built, and third-party environments. Channel Dive
Or, in plain English… Microsoft is building a dashboard for managing AI agents, and bundling it with Copilot and security tools into the new E7 licence tier. If your clients are already asking about AI agents, or if they’ve been trialling Copilot, this is the conversation to have this week before they hear about it from someone else.
Microsoft has also expanded Copilot for all CSP promotions, with 30% and 40% discounts available through June 30, 2026.
We’re back in your inbox tomorrow morning. Enjoy your day.


