this post was submitted on 23 Apr 2026
607 points (99.7% liked)

Selfhosted
[–] anyhow2503@lemmy.world 12 points 1 day ago (1 children)

Npm probably has the biggest attack surface and many of the libraries hosted there are in extremely widespread use. They've taken some steps to mitigate these supply chain attacks, but as we've seen with more recent examples, it's unrealistic to think they can be prevented completely. Most of these attacks use stolen developer credentials, which invalidates almost all potential security measures on the registry side and the best you can hope for is catching a malicious package quickly. To be clear: I think the JS ecosystem is uniquely positioned to be the prime target of supply chain attacks and while that doesn't excuse the slow implementation of security measures from the npm team, the people arguing that other package managers and registries aren't vulnerable to this have to be huffing fumes.

[–] panda_abyss@lemmy.ca 7 points 1 day ago (2 children)

That’s fair, I won’t pretend pypi/pip and running uvx are much safer than npx.

But why hasn’t JavaScript established a de facto stdlib to replace all the left-pad and is-even type packages?

I’ve taken a near zero dependency policy on my personal projects regardless, and now I run most code in containers to sandbox it.
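The two points raised above, that registry-side measures can't stop credential-theft publishes so detection has to be fast, and that a near-zero dependency policy shrinks the surface, can both be checked against a project's own lockfile. The following is an added example, not code from anyone in this thread: a small Python audit of a lockfileVersion 2/3 `package-lock.json` that counts direct versus transitive packages and flags the signals worth reviewing before `npm install` runs anything (packages with install hooks, packages resolved from somewhere other than the trusted registry host, packages with no integrity hash). The lockfile embedded at the bottom is constructed for the demo; `example-hook-pkg`, the `example.invalid` host and the `sha512-PLACEHOLDER` values are made up, and `TRUSTED_REGISTRY_HOSTS` is an assumption you would adjust for a private mirror.

```python
import json
from urllib.parse import urlparse

# Assumption: only the public npm registry is trusted; add your mirror if you use one.
TRUSTED_REGISTRY_HOSTS = {"registry.npmjs.org"}


def package_name(lock_path: str) -> str:
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (the installed package's own name)."""
    return lock_path.rsplit("node_modules/", 1)[-1]


def audit_lockfile(lock_text: str) -> dict:
    """Return supply-chain risk signals from a lockfileVersion 2/3 package-lock.json."""
    lock = json.loads(lock_text)
    packages = lock.get("packages")
    if not packages:
        raise ValueError("need lockfileVersion 2 or 3 (has a top-level 'packages' map)")
    root = packages.get("", {})
    direct = set(root.get("dependencies", {})) | set(root.get("devDependencies", {}))
    findings = {
        "total": 0,
        "direct": sorted(direct),
        "transitive": [],          # pulled in by something you did not choose yourself
        "install_scripts": [],     # can run arbitrary code at `npm install` time
        "untrusted_source": [],    # tarball/git not fetched from a trusted registry host
        "missing_integrity": [],   # nothing for npm to verify the download against
    }
    for path, meta in packages.items():
        if path == "" or meta.get("link"):
            continue  # root project or workspace symlink, not a fetched package
        name = package_name(path)
        findings["total"] += 1
        if name not in direct:
            findings["transitive"].append(name)
        if meta.get("hasInstallScript"):
            findings["install_scripts"].append(name)
        resolved = meta.get("resolved", "")
        host = urlparse(resolved).hostname or ""
        if host not in TRUSTED_REGISTRY_HOSTS:
            findings["untrusted_source"].append((name, resolved))
        if not meta.get("integrity"):
            findings["missing_integrity"].append(name)
    return findings


def report(findings: dict) -> list[str]:
    """Human-readable lines; any non-empty risk list is the one to act on."""
    lines = [f"{findings['total']} packages: {len(findings['direct'])} direct, "
             f"{len(findings['transitive'])} transitive"]
    for key in ("install_scripts", "untrusted_source", "missing_integrity"):
        if findings[key]:
            lines.append(f"{key}: {findings[key]}")
    return lines


# Constructed sample lockfile. 'example-hook-pkg' is a made-up name standing in for a
# git-sourced dependency with an install hook; integrity values are placeholders.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app",
             "dependencies": {"left-pad": "^1.3.0", "is-even": "^1.0.0",
                              "example-hook-pkg": "git+https://example.invalid/hook.git"}},
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
            "integrity": "sha512-PLACEHOLDER"},
        "node_modules/is-even": {
            "version": "1.0.0",
            "resolved": "https://registry.npmjs.org/is-even/-/is-even-1.0.0.tgz",
            "integrity": "sha512-PLACEHOLDER", "dependencies": {"is-odd": "^0.1.2"}},
        "node_modules/is-odd": {
            "version": "0.1.2",
            "resolved": "https://registry.npmjs.org/is-odd/-/is-odd-0.1.2.tgz",
            "integrity": "sha512-PLACEHOLDER", "dependencies": {"is-number": "^3.0.0"}},
        "node_modules/is-number": {
            "version": "3.0.0",
            "resolved": "https://registry.npmjs.org/is-number/-/is-number-3.0.0.tgz",
            "integrity": "sha512-PLACEHOLDER"},
        "node_modules/example-hook-pkg": {
            "version": "0.0.1",
            "resolved": "git+https://example.invalid/hook.git#deadbeef",
            "hasInstallScript": True},
    },
})

if __name__ == "__main__":
    for line in report(audit_lockfile(SAMPLE_LOCK)):
        print(line)
```

Run it against a real lockfile by passing the file contents to `audit_lockfile`; the transitive list is the dependency surface the near-zero policy is trying to shrink, and the install-script list is what `npm ci --ignore-scripts` would keep from executing until you have looked at it.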

[–] savedbythezsh@sh.itjust.works 2 points 17 hours ago

If you're asking why there isn't one shipped with JS, the answer is because JS is built for the web, and the "don't break the web" rule makes changing things in JS hard, as well as browser devs pushing back hard on anything that increases install size.

If you're asking why, as a community, we haven't agreed on a single package to be a stdlib: lodash.

[–] anyhow2503@lemmy.world 3 points 21 hours ago

But why hasn’t JavaScript established a de facto stdlib to replace all the left-pad and is-even type packages?

I'm guessing things were working out pretty alright, even with the insane amount of dependencies per project. The awareness and the increasing frequency of supply chain attacks are relatively recent for npm. But who knows, maybe the tech giants in control of the web standards are happy to keep using their own vendored registries.