The Bitwarden security team identified and contained a malicious package that was briefly distributed through the npm delivery path for @bitwarden/cli@2026.4.0 between 5:57 PM and 7:30 PM (ET) on April 22, 2026, in connection with a broader Checkmarx supply chain incident. Was I affected? If you use the Bitwarden command line interface and deploy using NPM, and downloaded the CLI between 5:57p ET and 7:30p ET on April 22, 2026, you may be affected. See remediation steps below. If you do not u...
Any security system based on expecting good behavior from people is sure to fail. If NPM has no estructural features to enforce safe behaviors, it is vulnerable by default. As no person using it will apply safe practices unless forced to. Specially if the default, easiest, less friction behavior, is inherently unsafe.
Any security system based on expecting good behavior from people is sure to fail. If NPM has no estructural features to enforce safe behaviors, it is vulnerable by default. As no person using it will apply safe practices unless forced to. Specially if the default, easiest, less friction behavior, is inherently unsafe.
I wouldn’t say pulling in higher versions is unsafe unless an attack like this succeeds. Otherwise it’s only an annoyance.