news.volyx.in

Bitwarden CLI compromised in ongoing Checkmarx supply chain campaign (socket.dev)

872 points by tosh · 83 days ago · 432 comments on HN

Article summary

The Bitwarden CLI was compromised in an ongoing supply chain campaign by Checkmarx, affecting version 2026.4.0. The malicious code was published in a file named bw1.js and was introduced through a compromised GitHub Action in Bitwarden's CI/CD pipeline. The compromise allows for credential harvesting and supply chain propagation, but Bitwarden's web extension, MCP server, and other distributions were not affected. Users who installed the malicious package are advised to remove it and rotate any exposed credentials.

Main themes

  • Supply chain attacks
  • GitHub Actions security
  • Password manager security
  • Credential harvesting
  • CI/CD pipeline security

What commenters say

  • The compromise of the Bitwarden CLI is another example of a supply chain attack involving GitHub Actions, highlighting the need for improved security measures.
  • The article's technical analysis is unclear and does not provide sufficient information about the impact of the compromise on end users.
  • The use of npm packages and GitHub Actions in the Bitwarden CLI is a security risk due to the potential for malicious code injection and credential harvesting.
  • The compromise may not have affected end users who did not install the malicious package through npm, and the risk is limited to those who used the CLI during a specific time frame.
  • The security of password managers is a concern, and the compromise of the Bitwarden CLI highlights the need for careful evaluation of the security risks associated with these tools.
  • The complexity of CORS and dev environments can lead to security vulnerabilities, and proper engineering practices and environments are necessary to prevent these issues.
  • The article's discussion of the compromise is misleading, and the actual risk to users is lower than suggested, with Bitwarden themselves stating that end users were almost never affected.