
Major Security Incidents: Bitwarden Supply Chain Attack, Apple iOS Vulnerability, and Multiple Data Breaches
On April 22, 2026, Bitwarden suffered a software supply chain attack lasting 90 minutes that targeted the npm distribution of its CLI. The attack, linked to Team PCP, used a postinstall script to steal credentials, including GitHub/npm tokens, SSH keys, cloud provider secrets (AWS/GCP/Azure), and AI tooling configurations. The payload was an obfuscated JavaScript file executed via the Bun runtime, aimed at developer workstations and CI environments.

Apple patched CVE-2026-28950, a vulnerability that allowed iOS notifications marked for deletion to be retained; the FBI had previously exploited it to access Signal messages.

Lovable, an AI coding platform, leaked user source code and database credentials due to a regression in February 2026. Pre-existing projects were affected despite a partial fix in March 2025.

Unverified claims surfaced about unauthorized access to Anthropic's cloud-based AI models via third-party employees and enumeration tools.

Additionally, 19 million French citizens' ID records were exposed in a government data breach, and GitHub experienced outages affecting merge operations. Microsoft enabled enterprise admins to uninstall Copilot from managed devices.
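The Bitwarden incident above hinged on an npm install-time hook that launched a second runtime. A defender's first check after such news is simple: which packages in a dependency tree declare install hooks at all, and which of those invoke anything beyond the usual native-build tooling. The following script is an added example, not Bitwarden's or npm's code; it walks a node_modules directory, lists every preinstall/install/postinstall/prepare hook, and flags commands matching a small heuristic pattern list. The package names and manifests it builds are constructed sample data, and the pattern list is an illustrative assumption, not an authoritative indicator set.

```python
import json
import re
import tempfile
from pathlib import Path

# Lifecycle hooks npm runs automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Heuristic indicators worth a second look in an install hook (assumed list,
# not proof of compromise): a second runtime being invoked, remote fetches,
# eval-style execution, or encoded payloads.
SUSPICIOUS_PATTERNS = [
    re.compile(r"\bbun\b"),
    re.compile(r"\bnode\s+-e\b"),
    re.compile(r"\b(curl|wget)\b"),
    re.compile(r"\beval\b"),
    re.compile(r"base64"),
]

def find_install_scripts(root):
    """Walk `root` (a node_modules directory) and return every install hook found.
    Each result is (package name, hook name, command)."""
    findings = []
    for pkg_json in sorted(Path(root).rglob("package.json")):
        try:
            data = json.loads(pkg_json.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skipped here, worth logging in practice
        scripts = data.get("scripts") or {}
        for hook in INSTALL_HOOKS:
            cmd = scripts.get(hook)
            if cmd:
                findings.append((data.get("name", str(pkg_json.parent)), hook, cmd))
    return findings

def is_suspicious(command):
    """True if the hook command matches any heuristic pattern."""
    return any(p.search(command) for p in SUSPICIOUS_PATTERNS)

def audit(root):
    """Return only the install hooks that match a suspicious pattern."""
    return [f for f in find_install_scripts(root) if is_suspicious(f[2])]

def build_sample_tree():
    """Constructed sample node_modules tree for demonstration (not real packages)."""
    root = Path(tempfile.mkdtemp())
    samples = {
        "benign-lib": {"name": "benign-lib", "version": "1.0.0",
                       "scripts": {"test": "jest"}},
        "native-addon": {"name": "native-addon", "version": "2.1.0",
                         "scripts": {"install": "node-gyp rebuild"}},
        "example-evil": {"name": "example-evil", "version": "0.0.1",
                         "scripts": {"postinstall": "bun run ./setup.js"}},
    }
    for dirname, manifest in samples.items():
        d = root / "node_modules" / dirname
        d.mkdir(parents=True)
        (d / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root / "node_modules"

if __name__ == "__main__":
    tree = build_sample_tree()
    for name, hook, cmd in find_install_scripts(tree):
        flag = "SUSPICIOUS" if is_suspicious(cmd) else "ok"
        print(f"{flag:10} {name}: {hook} -> {cmd}")
```

Run against a real checkout by calling `audit("path/to/node_modules")` instead of the sample tree. The heuristic will miss obfuscated commands and will flag some legitimate tooling, so treat its output as a triage list. The blunter and more reliable control is to set `ignore-scripts=true` in `.npmrc` on CI runners and developer machines, then allow-list the handful of packages whose build hooks are genuinely required.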