Bitwarden CLI was compromised as part of an ongoing Checkmarx-related supply chain attack
submitted by
[deleted]
Link to the bitwarden post https://community.bitwarden.com/t/bitwarden-statement-on-checkmarx-supply-chain-incident/96127
Checkmarx itself is associated with Israeli Occupation Forces, so it shouldn’t be used by anyone in the first place.
Can npm just disable the post-install script feature at this point jfc, or put a ton of hurdles to jump over in order to use it, just to make sure that this is always 100% meant to be there?
Did you share a link to the source? When I click on it, it behaves like a picture.
that’s because it is a picture. they didn’t link a source.
Didn’t read it but: https://www.forbes.com/sites/daveywinder/2026/04/24/bitwarden-confirms-compromise-here-are-the-facts-for-10-million-users/
Same here, using the default web interface, but this bug seems to happen sometimes on Lemmy: half the people see a link and the other half just an image. OP probably did post a link.
Damn.
I’ll stick with my keepass + syncthing combo
This was a supply chain attack; everything is vulnerable to this type of attack.
For a small window of time, if you downloaded an update, it had malware. It also looks like a lot of those downloads were bot downloads. There is no evidence that vaults have been compromised.
Of what app? KeePass? That was from the Debian repos. Syncthing was from the Syncthing repos.
Of Bitwarden.
I don’t use it. That’s the point.
That doesn’t make you safe from supply chain attacks generally. There’s no reason a supply chain attack couldn’t be applied to software repos you do use if a vulnerability exists within them and a bad actor is sufficiently motivated to exploit it.
Oh definitely. Not saying it’s impossible
But here it would be arguably harder. You'd need to first get into the repos, and it requires the user to log in to the password vault. Syncthing is easier to compromise, but good luck decrypting the vault.
This is why I'm so wary of switching to password managers, despite them being so practical.