Bitwarden CLI was compromised as part of an ongoing Checkmarx-related supply chain attack

Fedpie@sopuli.xyz · 1 month

Link to the bitwarden post https://community.bitwarden.com/t/bitwarden-statement-on-checkmarx-supply-chain-incident/96127

trevor (he/they)@lemmy.blahaj.zone · 1 month

Checkmarx itself is associated with Israeli Occupation Forces, so it shouldn’t be used by anyone in the first place.

iByteABit@lemmy.ml · 1 month

Can npm just disable the post install script feature at this point jfc, or put a ton of hurdles to jump over in order to use it just to make sure that this is always 100% meant to be there

RiQuY@lemmy.zip · 1 month

Did you share a link to the source? When I click on it, it behaves like a picture.

Luminous5481 "Enemy of the State"@anarchist.nexus · 1 month

that’s because it is a picture. they didn’t link a source.

sem@piefed.blahaj.zone · 1 month

Didn’t read it but: https://www.forbes.com/sites/daveywinder/2026/04/24/bitwarden-confirms-compromise-here-are-the-facts-for-10-million-users/

Deer Tito (She/Her)@lemmygrad.ml · 1 month

So it only affected users of the CLI (Command Line Interface) for a short period of time, which means the vast majority of users are still safe.

according to a moderator of the Bitwarden community forum, “it seems that only 334 Bitwarden users downloaded the malicious version of the CLI,” during the time it was available.

quack@lemmy.zip · 1 month

Like most supply chain attacks, it’s targeting developers and other people who use tooling like this rather than Bob and Alice on the street.

floofloof@lemmy.ca · 1 month

Same here, using the default web interface, but this bug seems to happen sometimes on Lemmy: half the people see a link and the other half just an image. OP probably did post a link.

Fedpie@sopuli.xyz · 25 days

deleted by creator

RustyNova@lemmy.world · 1 month

Damn.

I’ll stick with my keepass + syncthing combo

superglue@lemmy.dbzer0.com · 1 month

This was a supply chain attack, everything is vulnerable to this type of attack.

atrielienz@lemmy.world · 1 month

For a small window of time if you downloaded an update it had malware. It also looks like a lot of those downloads were bot downloads. There is no evidence that vaults have been compromised.

In a post on X, JFrog said the rogue version of the package “steals GitHub/npm tokens, .ssh, .env, shell history, GitHub Actions and cloud secrets, then exfiltrates the data to private domains and as GitHub commits.”

RustyNova@lemmy.world · 1 month

Of what app? Keepass? Was from the Debian repos. Syncthing what’s from the syncthing repos

atrielienz@lemmy.world · 1 month

Of Bitwarden.

RustyNova@lemmy.world · 1 month

I don’t use it. That’s the point.

quack@lemmy.zip · 1 month

That doesn’t make you safe from supply chain attacks generally. There’s no reason a supply chain attack couldn’t be applied to software repos you do use if a vulnerability exists within them and a bad actor is sufficiently motivated to exploit it.

RustyNova@lemmy.world · 1 month

Oh definitely. Not saying it’s impossible

But here it would be arguably harder. Need to first get in the repos, and requires the user to log in to the password vault. Syncthing is easier to compromise, but good luck decrypting the vault

☂️-@lemmy.ml · 1 month

this is why i’m so wary of switching to password managers despite them being so practical.