The Bitwarden security team identified and contained a malicious package that was briefly distributed through the npm delivery path for @bitwarden/cli@2026.4.0 between 5:57 PM and 7:30 PM (ET) on April 22, 2026, in connection with a broader Checkmarx supply chain incident. Was I affected? If you use the Bitwarden command line interface and deploy using NPM, and downloaded the CLI between 5:57p ET and 7:30p ET on April 22, 2026, you may be affected. See remediation steps below. If you do not u...
Humans are required to solve a malicious insider. But most supply chain vulns of these shitty software dependency managers were resolved decades ago by freely available cryptography
What should be used instead?
Easy, just vendor all your dependencies! Can’t have a supply chain attack if you are the supply chain.
A package manager that uses cryptographic signatures. Apt had this since 2005 iirc. Use apt.
Apt is great, but it does not work with every language. As an example, you cannot use apt with maven (java) AFAIK.
Oh boy. Maven is like the only language dependency manager that does signing tho!
You don’t need to use apt for java. Just use maven :)
Haha! Yeah, I don’t even know where to start if I wanted to use apt for this. I’ll stick with Maven for Java.
deleted by creator
Packages are reviewed by package maintainers.
Humans are required to solve a malicious insider. But most supply chain vulns of these shitty software dependency managers were resolved decades ago by freely available cryptography
deleted by creator