The Bitwarden security team identified and contained a malicious package that was briefly distributed through the npm delivery path for @bitwarden/
[email protected] between 5:57 PM and 7:30 PM (ET) on April 22, 2026, in connection with a broader Checkmarx supply chain incident. The investigation found no evidence that end user vault data was accessed or at risk, or that production data or production systems were compromised. Once the issue was detected, compromised access was revoked, the malicious ...
What should be used instead?
A package manager that uses cryptographic signatures. Apt had this since 2005 iirc. Use apt.
If the dev(s) gets compromised there’s the same issue, except with an extra checkmark on it.
Packages are reviewed by package maintainers.
Humans are required to solve a malicious insider. But most supply chain vulns of these shitty software dependency managers were resolved decades ago by freely available cryptography.
Human review really should be what’s needed, maybe not even just by the package maintainers.
Easy, just vendor all your dependencies! Can’t have a supply chain attack if you are the supply chain.