The Bitwarden security team identified and contained a malicious package that was briefly distributed through the npm delivery path for @bitwarden/
[email protected] between 5:57 PM and 7:30 PM (ET) on April 22, 2026, in connection with a broader Checkmarx supply chain incident. The investigation found no evidence that end user vault data was accessed or at risk, or that production data or production systems were compromised. Once the issue was detected, compromised access was revoked, the malicious ...
Huh? I have never claimed they are?
In cybersecurity, perfect is not a thing. You can only mitigate risks within a threat model.
To be fair you didn’t say package managers were perfect but you also failed to provide any evidence for your claims that a package manager was more trustworthy than a known software publishers website as a distribution method.
You were given plenty of opportunities to explain yourself and you doubled down with insults and shifting goalposts.
Going by your logic this breach is evidence that package managers should all be avoided.
I also never used insults… maybe you’re recalling the posts where you called me a “clown” and “fuckwit”?
I only stated that there are more security problems for the average user related to: doing a web search, clicking the first link, and executing a basically random binary downloaded from some website, ie the standard way of downloading software on windows; than there is to using a package manager.
I clearly acknowleged that both package managers and the windows method are vulnerable to supply chain attacks.
You just wanted to create an argument, and it’s genuinely hilarious that it’s still in your mind. I had forgotten you existed 😂
You do quite a lot of talking for me and telling me what my position/logic is. It’s almost like you’re arguing with yourself rather than any of the points I’ve stated. Well, enjoy arguing with yourself still, somehow.
If you don’t see calling someone ignorant as an insult then I wish you well in a pub talking to a stranger.
I had a chuckle when I saw NPM yet again because it was one of the examples I used that you failed to address despite totally winning that discussion.
Hopefully manufacturing irrelevant scenarios works out for you in your career.
I absolutely believe you forgot your what, 5 or 6 comments arguing about this, goldfish much?
I’m pretty sure I noted your demonstated lack of reading comprehension, not ignorance. Doesn’t seem to have improved in the last 2 weeks.
That’s ironic.
If you can’t comprehend how site impersonation and search result manipulation aren’t relevant to the actual software vendor getting popped then you have zero comprehension of an actual kill chain.
But sure a package manager is totally safer because you made up an irrelevant scenario!
Nice you went back and checked with how little you cared lol