The Bitwarden security team identified and contained a malicious package that was briefly distributed through the npm delivery path for @bitwarden/[email protected] between 5:57 PM and 7:30 PM (ET) on April 22, 2026, in connection with a broader Checkmarx supply chain incident. The investigation found no evidence that end user vault data was accessed or at risk, or that production data or production systems were compromised. Once the issue was detected, compromised access was revoked, the malicious ...
Everyone should be using minimumReleaseAge (or their package manager's equivalent) to block installing recently updated packages.
Doesn’t that cause issues if a backdoor happened a few months ago and you should be updating to a recent fixed version?
We can never win. It’s simply not allowed.
Kind of, but if the backdoor is months old some hours don’t seem like they should matter.
It does. Enforcing a minimum package age can be useful for some applications, but the average user isn’t one of them.
Zero day goes brrrr
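The trade-off argued over in the replies above can be made concrete by running the minimum-release-age rule against registry metadata. The following is an added example, not code from Bitwarden, npm or pnpm: it re-implements the rule that a version is installable only once it has been published for at least the configured window (pnpm exposes this as `minimumReleaseAge`, in minutes, with a per-package `minimumReleaseAgeExclude` list) over a constructed registry document in the shape of the npm registry's `time` map. The package name `example-pkg`, its versions and every timestamp are invented for the scenario; the malicious and fixed releases are hypothetical and are not the versions from the incident.

```python
"""Minimum-release-age resolution over npm-style registry metadata.

Added illustration of the `minimumReleaseAge` policy discussed in the thread.
This is not pnpm's or npm's implementation; it mirrors the rule so the
trade-off (fresh malware is skipped, but so is a fresh fix) can be run offline.
"""
from datetime import datetime, timedelta, timezone

# Constructed registry document. The real npm registry returns a `time` map
# keyed by version (plus "created"/"modified"); the values below are invented.
SAMPLE_DOC = {
    "name": "example-pkg",
    "dist-tags": {"latest": "2.4.1"},
    "time": {
        "created": "2026-01-10T12:00:00.000Z",
        "modified": "2026-04-23T01:00:00.000Z",
        "2.3.0": "2026-01-10T12:00:00.000Z",  # long-standing release
        "2.4.0": "2026-04-22T21:57:00.000Z",  # hypothetical malicious release
        "2.4.1": "2026-04-23T01:00:00.000Z",  # hypothetical fixed release
    },
}

ONE_DAY = timedelta(days=1)  # 1440 minutes, a common minimumReleaseAge choice


def parse_registry_time(stamp: str) -> datetime:
    """Parse the registry's ISO-8601 UTC timestamp into an aware datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def version_key(version: str) -> tuple:
    """Order plain MAJOR.MINOR.PATCH strings; prerelease tags are out of scope (assumption)."""
    return tuple(int(part) for part in version.split("."))


def resolve_with_min_age(doc, now, min_age, exclude=frozenset()):
    """Return (chosen_version, withheld_versions) for a `latest`-style resolve.

    A version is a candidate only if it was published at least `min_age`
    before `now`, unless the package name is on the exclude list. Versions
    with a publish time after `now` are treated as not yet published, so one
    snapshot can be queried at several points in time. Highest candidate wins.
    """
    cutoff = now - min_age
    exempt = doc["name"] in exclude
    candidates, withheld = [], []
    for version, stamp in doc["time"].items():
        if version in ("created", "modified"):
            continue
        published = parse_registry_time(stamp)
        if published > now:
            continue  # does not exist yet in this snapshot
        if exempt or published <= cutoff:
            candidates.append(version)
        else:
            withheld.append(version)
    chosen = max(candidates, key=version_key) if candidates else None
    return chosen, sorted(withheld, key=version_key)


def scenario_during_incident():
    """33 minutes after the malicious publish: the age gate holds it back."""
    now = datetime(2026, 4, 22, 22, 30, tzinfo=timezone.utc)
    return resolve_with_min_age(SAMPLE_DOC, now, ONE_DAY)


def scenario_after_fix():
    """Two hours after the fix: the gate withholds the fix as well."""
    now = datetime(2026, 4, 23, 3, 0, tzinfo=timezone.utc)
    return resolve_with_min_age(SAMPLE_DOC, now, ONE_DAY)


def scenario_after_fix_with_exclude():
    """Same moment, package exempted: the fix is installable, but so would the
    malicious release have been had the fix not shipped yet."""
    now = datetime(2026, 4, 23, 3, 0, tzinfo=timezone.utc)
    return resolve_with_min_age(SAMPLE_DOC, now, ONE_DAY, exclude={"example-pkg"})


def scenario_window_elapsed():
    """A day later both releases clear the gate; the policy only bought time
    for the registry or maintainers to pull the bad version."""
    now = datetime(2026, 4, 24, 3, 0, tzinfo=timezone.utc)
    return resolve_with_min_age(SAMPLE_DOC, now, ONE_DAY)


if __name__ == "__main__":
    for name, fn in [
        ("during incident", scenario_during_incident),
        ("after fix", scenario_after_fix),
        ("after fix, excluded", scenario_after_fix_with_exclude),
        ("window elapsed", scenario_window_elapsed),
    ]:
        chosen, withheld = fn()
        print(f"{name:>20}: install {chosen}, withheld {withheld}")
```

The `withheld` list is the part worth wiring into a CI job: when it is non-empty for a package you are trying to patch, the gate is the reason the fix has not landed, and a per-package exclusion (or a shorter window for that one dependency) is the deliberate override. The last scenario is the caveat the age gate does not solve: once the window passes, a malicious version that is still on the registry resolves like any other, so the policy complements, rather than replaces, pinning and lockfile review.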