Hacker News

Bitwarden CLI compromised in ongoing Checkmarx supply chain campaign

805 points, by tosh, yesterday at 2:17 PM, 384 comments

Comments

jeremie_strand, yesterday at 6:29 PM

[dead]

gcolella, today at 12:30 PM

[dead]

Ms-J, today at 12:13 AM

[dead]

asxndu, yesterday at 3:46 PM

[dead]

ripped_britches, yesterday at 4:28 PM

I have been meaning to move off of Bitwarden. In the past, open source meant more secure. Still could be the case for super important projects, but that is just no longer reality. I’m considering just vibe coding my own, vibe pentesting it, and keeping it private.

rvz, yesterday at 3:28 PM

Once again, it is in the NPM ecosystem. OneCLI [0] does not save you either. Happens less with languages that have better standard libraries such as Go.

If you see any package that has hundreds of libraries, that increases the risk of a supply chain attack.

A password manager does not need a CLI tool.

[0] https://news.ycombinator.com/item?id=47585838
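The comment above uses the number of packages a project pulls in as a rough risk signal. The script below, an added example that is not from this thread, from Bitwarden, or from npm, puts a number on that by reading an npm `package-lock.json` (lockfileVersion 3 layout) and reporting how many installed packages each direct dependency is responsible for, plus names installed at more than one version. The lockfile and the package names in it (alpha, beta, gamma, delta, tiny) are constructed placeholders; the resolver assumes npm's nearest-`node_modules`-first lookup and ignores optional and peer dependencies.

```python
import json
from collections import deque

# Constructed package-lock.json (lockfileVersion 3 layout). The package names
# are hypothetical placeholders, not real npm packages.
SAMPLE_LOCK = json.loads("""
{
  "name": "example-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"dependencies": {"alpha": "^1.0.0", "tiny": "^2.0.0"}},
    "node_modules/alpha": {"version": "1.0.0",
                           "dependencies": {"beta": "^1.0.0", "gamma": "^1.0.0"}},
    "node_modules/beta": {"version": "1.0.0", "dependencies": {"delta": "^2.0.0"}},
    "node_modules/beta/node_modules/delta": {"version": "2.0.0"},
    "node_modules/gamma": {"version": "1.0.0", "dependencies": {"delta": "^1.0.0"}},
    "node_modules/delta": {"version": "1.0.0"},
    "node_modules/tiny": {"version": "2.0.0"}
  }
}
""")


def resolve(packages, from_path, name):
    """Return the lockfile path npm loads for `name` when required from
    `from_path`: nearest node_modules first, then walking up to the root."""
    base = from_path
    while True:
        candidate = f"{base}/node_modules/{name}" if base else f"node_modules/{name}"
        if candidate in packages:
            return candidate
        if not base:
            return None  # not installed anywhere on the lookup path
        # Drop the last "/node_modules/<pkg>" segment and retry one level up.
        idx = base.rfind("/node_modules/")
        base = base[:idx] if idx != -1 else ""


def transitive_closure(packages, direct_name):
    """All lockfile entries reachable from one direct dependency (itself included)."""
    seen = set()
    queue = deque([resolve(packages, "", direct_name)])
    while queue:
        path = queue.popleft()
        if path is None or path in seen:
            continue
        seen.add(path)
        for dep in packages[path].get("dependencies", {}):
            queue.append(resolve(packages, path, dep))
    return seen


def package_name(path):
    """'node_modules/beta/node_modules/@s/x' -> '@s/x' (scoped names keep their slash)."""
    return path.rsplit("node_modules/", 1)[-1]


def duplicate_versions(packages):
    """Names installed at more than one version (each copy is a separate thing to trust)."""
    versions = {}
    for path, entry in packages.items():
        if path:  # skip the root project entry
            versions.setdefault(package_name(path), set()).add(entry.get("version"))
    return {name: vs for name, vs in versions.items() if len(vs) > 1}


def dependency_report(lock):
    packages = lock["packages"]
    direct = packages[""].get("dependencies", {})
    return {
        "per_direct": {name: len(transitive_closure(packages, name)) for name in direct},
        "total": sum(1 for p in packages if p),  # installed packages, root excluded
        "duplicates": duplicate_versions(packages),
    }


if __name__ == "__main__":
    report = dependency_report(SAMPLE_LOCK)
    print(f"{report['total']} packages installed in total")
    for name, count in sorted(report["per_direct"].items(), key=lambda kv: -kv[1]):
        print(f"  {name}: brings in {count} package(s)")
    for name, vs in report["duplicates"].items():
        print(f"  duplicate: {name} at versions {sorted(vs)}")
```

Run against a real lockfile by replacing `SAMPLE_LOCK` with `json.load(open("package-lock.json"))`; the direct dependency with the largest closure is where a trimmed or vendored alternative buys the most reduction in exposure.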
