Bitwarden CLI was compromised as part of an ongoing Checkmarx-related supply chain attack (alternativeto.net)
from Fedpie@sopuli.xyz to privacy@lemmy.ml on 24 Apr 14:12
https://sopuli.xyz/post/44633979

Link to the Bitwarden post: community.bitwarden.com/t/…/96127

#privacy


RustyNova@lemmy.world on 24 Apr 14:16

Damn.

I’ll stick with my KeePass + Syncthing combo.

atrielienz@lemmy.world on 24 Apr 14:23

For a small window of time, if you downloaded an update, it had malware. It also looks like a lot of those downloads were bot downloads. There is no evidence that vaults have been compromised.

In a post on X, JFrog said the rogue version of the package “steals GitHub/npm tokens, .ssh, .env, shell history, GitHub Actions and cloud secrets, then exfiltrates the data to private domains and as GitHub commits.”

RustyNova@lemmy.world on 24 Apr 14:30

Of what app? KeePass? That was from the Debian repos. Syncthing was from the Syncthing repos.

atrielienz@lemmy.world on 24 Apr 14:31

Of Bitwarden.

RustyNova@lemmy.world on 24 Apr 14:36

I don’t use it. That’s the point.

quack@lemmy.zip on 24 Apr 15:07

That doesn’t make you safe from supply chain attacks generally. There’s no reason a supply chain attack couldn’t be applied to software repos you do use if a vulnerability exists within them and a bad actor is sufficiently motivated to exploit it.

RustyNova@lemmy.world on 24 Apr 15:57

Oh definitely. Not saying it’s impossible.

But here it would be arguably harder. They’d need to first get into the repos, and it requires the user to log in to the password vault. Syncthing is easier to compromise, but good luck decrypting the vault.

superglue@lemmy.dbzer0.com on 24 Apr 16:31

This was a supply chain attack; everything is vulnerable to this type of attack.

trevor@lemmy.blahaj.zone on 24 Apr 14:26

Checkmarx itself is associated with Israeli Occupation Forces, so it shouldn’t be used by anyone in the first place.

RiQuY@lemmy.zip on 24 Apr 14:26

Did you share a link to the source? When I click on it, it behaves like a picture.

Luminous5481@anarchist.nexus on 24 Apr 14:37

That’s because it is a picture. They didn’t link a source.

floofloof@lemmy.ca on 24 Apr 14:39

Same here, using the default web interface, but this bug seems to happen sometimes on Lemmy: half the people see a link and the other half just an image. OP probably did post a link.

sem@piefed.blahaj.zone on 24 Apr 14:55

Didn’t read it, but: https://www.forbes.com/sites/daveywinder/2026/04/24/bitwarden-confirms-compromise-here-are-the-facts-for-10-million-users/

Deer_Tito@lemmygrad.ml on 24 Apr 15:09

So it only affected users of the CLI (Command Line Interface) for a short period of time, which means the vast majority of users are still safe.

According to a moderator of the Bitwarden community forum, “it seems that only 334 Bitwarden users downloaded the malicious version of the CLI” during the time it was available.

quack@lemmy.zip on 24 Apr 15:15

Like most supply chain attacks, it’s targeting developers and other people who use tooling like this rather than Bob and Alice on the street.

Fedpie@sopuli.xyz on 24 Apr 18:17

I posted a link and uploaded a picture. But it looks like it changed the link to the link of the picture. I have changed it now.

iByteABit@lemmy.ml on 24 Apr 15:53

Can npm just disable the post-install script feature at this point, jfc, or put a ton of hurdles to jump over in order to use it, just to make sure that this is always 100% meant to be there?

umbrella@lemmy.ml on 26 Apr 12:18

This is why I’m so wary of switching to password managers, despite them being so practical.