Bitwarden CLI npm package compromised for 90 minutes

@bitwarden/cli@2026.4.0 sat on npm just long enough to harvest AWS/Azure/GCP/GitHub/npm tokens, SSH material, and shell history, then self-propagate.

@bitwarden/cli@2026.4.0 sat on npm just long enough to harvest AWS, Azure, GCP, GitHub, and npm tokens plus SSH material and shell history, then self-propagate to every other package the harvested npm tokens could publish to. Entry point: a poisoned checkmarx/ast-github-action in Bitwarden’s CI workflow. Vault data was never at risk; this was a delivery-pipeline compromise.
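A practical first question for any team that pulls the Bitwarden CLI through npm is whether the affected version ever landed in a lockfile. The check below is an added example, not part of the original findings entry or Bitwarden's own tooling: it walks an npm `package-lock.json` in either the nested lockfileVersion 1 layout or the flat `packages` map used by lockfileVersion 2 and 3, and reports every install path that resolves to a package and version in the affected set. The affected package and version come from the text above; the two sample lockfiles are constructed inline so the script runs offline.

```python
import json
from typing import Dict, List, Set, Tuple

# Package/version pairs named in the finding above (only @bitwarden/cli@2026.4.0).
AFFECTED: Dict[str, Set[str]] = {"@bitwarden/cli": {"2026.4.0"}}

Hit = Tuple[str, str, str]  # (package name, version, install path in the lockfile)


def _walk_v1(deps: dict, path: List[str], hits: List[Hit]) -> None:
    """Recurse through a lockfileVersion 1 'dependencies' tree."""
    for name, meta in (deps or {}).items():
        ver = meta.get("version")
        if name in AFFECTED and ver in AFFECTED[name]:
            hits.append((name, ver, "/".join(path + [name])))
        _walk_v1(meta.get("dependencies"), path + [name], hits)


def find_affected(lock: dict) -> List[Hit]:
    """Return every (name, version, path) in the lockfile that matches AFFECTED."""
    hits: List[Hit] = []
    if "packages" in lock:
        # lockfileVersion 2/3: flat map keyed by install path, "" is the root project.
        for pkg_path, meta in lock["packages"].items():
            if not pkg_path:
                continue
            # Aliased installs carry an explicit "name"; otherwise derive it from the path.
            name = meta.get("name") or pkg_path.split("node_modules/")[-1]
            ver = meta.get("version")
            if name in AFFECTED and ver in AFFECTED[name]:
                hits.append((name, ver, pkg_path))
    else:
        # lockfileVersion 1: nested "dependencies" tree only.
        _walk_v1(lock.get("dependencies"), [], hits)
    return hits


def scan_lockfile(path: str) -> List[Hit]:
    """Load a package-lock.json from disk and scan it."""
    with open(path, "r", encoding="utf-8") as fh:
        return find_affected(json.load(fh))


# Constructed sample: a v3 lockfile that pulled the affected version as a transitive dep.
SAMPLE_LOCK_V3 = json.loads("""
{
  "name": "example-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "example-app", "version": "1.0.0"},
    "node_modules/some-tool": {"version": "3.1.0"},
    "node_modules/some-tool/node_modules/@bitwarden/cli": {"version": "2026.4.0"}
  }
}
""")

# Constructed sample: a v1 lockfile on a different, unaffected version.
SAMPLE_LOCK_V1 = json.loads("""
{
  "name": "example-app",
  "lockfileVersion": 1,
  "dependencies": {
    "@bitwarden/cli": {"version": "2026.3.0"}
  }
}
""")

if __name__ == "__main__":
    for label, lock in (("v3 sample", SAMPLE_LOCK_V3), ("v1 sample", SAMPLE_LOCK_V1)):
        hits = find_affected(lock)
        print(f"{label}: {'CLEAN' if not hits else hits}")
```

Run it against a real tree with `scan_lockfile("path/to/package-lock.json")`; a hit means the affected artifact was resolved at least once, which is the cue to rotate every cloud, GitHub and npm credential that was reachable from that machine, not only to upgrade the package.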