The Bitwarden security team identified and contained a malicious package that was briefly distributed through the npm delivery path for @bitwarden/
[email protected] between 5:57 PM and 7:30 PM (ET) on April 22, 2026, in connection with a broader Checkmarx supply chain incident. The investigation found no evidence that end user vault data was accessed or at risk, or that production data or production systems were compromised. Once the issue was detected, compromised access was revoked, the malicious ...
If you’re asking why there isn’t one shipped with JS, the answer is because JS is built for the web, and the “don’t break the web” rule makes changing things in JS hard, as well as browser devs pushing back hard on anything that increases install size.
If you’re asking why as a community, we haven’t agreed on a single package to be a stdlib - lodash.