For a small window of time if you downloaded an update it had malware. It also looks like a lot of those downloads were bot downloads. There is no evidence that vaults have been compromised.
In a post on X, JFrog said the rogue version of the package “steals GitHub/npm tokens, .ssh, .env, shell history, GitHub Actions and cloud secrets, then exfiltrates the data to private domains and as GitHub commits.”
That doesn’t make you safe from supply chain attacks generally. There’s no reason a supply chain attack couldn’t be applied to software repos you do use if a vulnerability exists within them and a bad actor is sufficiently motivated to exploit it.
But here it would be arguably harder. Need to first get in the repos, and requires the user to log in to the password vault. Syncthing is easier to compromise, but good luck decrypting the vault
Damn.
I’ll stick with my keepass + syncthing combo
This was a supply chain attack, everything is vulnerable to this type of attack.
For a small window of time if you downloaded an update it had malware. It also looks like a lot of those downloads were bot downloads. There is no evidence that vaults have been compromised.
Of what app? Keepass? Was from the Debian repos. Syncthing what’s from the syncthing repos
Of Bitwarden.
I don’t use it. That’s the point.
That doesn’t make you safe from supply chain attacks generally. There’s no reason a supply chain attack couldn’t be applied to software repos you do use if a vulnerability exists within them and a bad actor is sufficiently motivated to exploit it.
Oh definitely. Not saying it’s impossible
But here it would be arguably harder. Need to first get in the repos, and requires the user to log in to the password vault. Syncthing is easier to compromise, but good luck decrypting the vault