Bitwarden Statement on Checkmarx Supply Chain Incident
community.bitwarden.com
The Bitwarden security team identified and contained a malicious package that was briefly distributed through the npm delivery path for @bitwarden/[email protected] between 5:57 PM and 7:30 PM (ET) on April 22, 2026, in connection with a broader Checkmarx supply chain incident. Was I affected? If you use the Bitwarden command line interface and deploy using NPM, and downloaded the CLI between 5:57p ET and 7:30p ET on April 22, 2026, you may be affected. See remediation steps below. If you do not u...
  • BlackEco@lemmy.blackeco.comEnglish
    1·
    1 month ago

    It has only been available for 2h30 on NPM, so unless you had the misfortune of installing the latest version in this short window, you should be fine. Thankfully people have been able to quickly catch this.

  • Eager Eagle@lemmy.worldEnglish
    1·
    1 month ago

    reposting the tl;dr I wrote from another community…

    Yesterday, for about 1h30min (starting at 5:57pm ET / 21:57 UTC) anyone installing the latest version of the command line interface of bitwarden was installing malware.

    The malware steals GitHub/npm tokens, .ssh, .env, shell history, GitHub Actions and cloud secrets, then exfiltrates the data to private domains and as GitHub commits and doesn’t seem to be targeting Bitwarden specifically, or user vaults.

    There’s no evidence that end user vault data was accessed or at risk, or that production data or production systems were compromised, according to their official statement.

    It seems there were 334 bitwarden CLI downloads in this time period, some or many of which might have been from bots, so this is a higher bound to the number of affected users.

    • Corngood@lemmy.mlEnglish
      0·
      1 month ago

      I really need to figure out a better sandboxing method for shells. It’s crazy to be things where my keys, browser data, shell history are all accessible.

      I do try to use firejail where possible, but it’s quite cumbersome. Every so often I look for tools to help with this, but everything is oriented around making a specific program (e.g. Firefox, steam) work.