Link to the bitwarden post https://community.bitwarden.com/t/bitwarden-statement-on-checkmarx-supply-chain-incident/96127
Checkmarx itself is associated with Israeli Occupation Forces, so it shouldn’t be used by anyone in the first place.
Can npm just disable the post install script feature at this point jfc, or put a ton of hurdles to jump over in order to use it just to make sure that this is always 100% meant to be there
Did you share a link to the source? When I click on it, it behaves like a picture.
that’s because it is a picture. they didn’t link a source.
Same here, using the default web interface, but this bug seems to happen sometimes on Lemmy: half the people see a link and the other half just an image. OP probably did post a link.
I posted a link and upload a picture. But it looks like it change the link to the link of the picture I have changed it now.
So it only affected users of the CLI (Command Line Interface) for a short period of time, which means the vast majority of users are still safe.
according to a moderator of the Bitwarden community forum, “it seems that only 334 Bitwarden users downloaded the malicious version of the CLI,” during the time it was available.
Like most supply chain attacks, it’s targeting developers and other people who use tooling like this rather than Bob and Alice on the street.
Damn.
I’ll stick with my keepass + syncthing combo
This was a supply chain attack, everything is vulnerable to this type of attack.
For a small window of time if you downloaded an update it had malware. It also looks like a lot of those downloads were bot downloads. There is no evidence that vaults have been compromised.
In a post on X, JFrog said the rogue version of the package “steals GitHub/npm tokens, .ssh, .env, shell history, GitHub Actions and cloud secrets, then exfiltrates the data to private domains and as GitHub commits.”
Of what app? Keepass? Was from the Debian repos. Syncthing what’s from the syncthing repos
Of Bitwarden.
I don’t use it. That’s the point.
That doesn’t make you safe from supply chain attacks generally. There’s no reason a supply chain attack couldn’t be applied to software repos you do use if a vulnerability exists within them and a bad actor is sufficiently motivated to exploit it.
Oh definitely. Not saying it’s impossible
But here it would be arguably harder. Need to first get in the repos, and requires the user to log in to the password vault. Syncthing is easier to compromise, but good luck decrypting the vault
