Posted by tosh 13 hours ago

Bitwarden CLI compromised in ongoing Checkmarx supply chain campaign (socket.dev)
640 points | 315 comments | page 2
wooptoo 11 hours ago
This is precisely why I don't use BW CLI. Use pass or gopass for all your CLI tokens and sync them via a private git repo.

Keep the password manager as a separate desktop app and turn off auto update.

SV_BubbleTime 9 hours ago
A supply chain issue that hadn’t happened to BW CLI before is exactly why you use other CLIs that seem to be identically vulnerable to the same issues?
gnfurlong 6 hours ago
That's just not true.

The original pass is just a single shell script. It's short, pretty easy to read and likely in part because it's so simple, it's also very stable. The only real dependencies are bash, gnupg and optionally git (history/replication). These are most likely already on your machine and whatever channel you're getting them from (ex: distribution package manager) should be much more resilient to supply chain vulnerabilities.

It can also be used with a PGP smartcard (in my case a YubiKey) so all encryption/decryption happens on the smartcard. Every attempt to decrypt a credential requires a physical button press on the YubiKey, making it pretty obvious if some malware is trying to dump the contents of the password store.

isatty 11 hours ago
Writing a CLI in JavaScript? No thank you.
zie 11 hours ago
It's TypeScript, and I'm pretty sure all of the official Bitwarden clients are written in it.

I wrote a version in Python and then Rust back before the official CLI was released. Now you can use https://github.com/doy/rbw instead, which is much better maintained (since I don't use Bitwarden anymore).

npodbielski 9 hours ago
What do you use?
zie 9 hours ago
I have family I need to support, so I use 1password. It also helped that work gives me a 1P family plan free.

The practical differences to me:

    * 1P is aimed at non-tech users more than Bitwarden.
    * 1P lets you easily store things other than just passwords (serial #s, license info, SSNs, etc.). You can in Bitwarden, but it's a little annoying.
    * 1P lets you store SSH keys (by effectively being an ssh-agent): https://developer.1password.com/docs/ssh/

All that said, I still happily recommend BW, especially for people that are cost-conscious; the free BW plan is Good Enough for most everyone.

Security wise, they are equivalent enough to not matter.

Yolopix 5 hours ago
Bitwarden can also act as an ssh-agent: https://bitwarden.com/help/ssh-agent/
zie 4 hours ago
Ah, nice!
gchamonlive 3 hours ago
I am glad I consciously decided not to put 2FA keys in when I adopted Bitwarden back in 2021, and manage them with Aegis instead. It was a bit of a hassle to set up backups, but it's good to split your points of failure.
hgoel 11 hours ago
Does the CLI auto-update?

Edit: The CLI itself apparently does not, which will have limited the damage a bit, but if it's installed as a snap, it might. Incidents like this should hopefully cause a rollback of this dumb system of forcefully and frequently updating people's software without explicit consent.

Also the time range provided in https://community.bitwarden.com/t/bitwarden-statement-on-che... can help with knowing if you were at risk. I only used the CLI once in the morning yesterday (ET), so I might not have been affected?

zie 11 hours ago
I think you had to have installed the CLI during that time-frame, then ran the brand new installed CLI to be vulnerable.

Assuming you had it already installed, you would be safe.

8cvor6j844qw_d6 9 hours ago
Narrower blast radius than the 2022 LastPass breach; at least the vaults weren't touched.
boardwaalk 4 hours ago
I'm just hearing about this attack on Checkmarx.

We recently adopted it at work, and I find the thing to just produce garbage. I've never tuned out noise so quickly.

You have to appreciate the irony of a thing that's supposed to help protect you from vulnerabilities being one.

xtracto 3 hours ago
I think this is the real news. There seems to be an ongoing attack against Checkmarx.

That thing is expensive as hell and used by lots of huge corps. I know at least one very large one in Mexico ... where the IT team is pretty useless.

So, I don't doubt the possibility that in the short future we will hear about more hacks.

qux_ca 10 hours ago
FYI, Raycast users: the bitwarden-cli version used with the bundled Bitwarden extension is 2026-03-01, not the compromised one (2026-04-01).

https://github.com/raycast/extensions/blob/6765a533f40ad20cc...

archargelod 3 hours ago
That's why I don't use any third-party password managers. You have to trust them not to fuck up security, updates, backups, etc. etc.

I wrote my own password generator. It's stateless, which has the advantage that I never have to back up or sync any data between devices. It just lets you enter a very long, secure master password, a service name and a username, then runs an scrypt hash on this with good enough parameters to make brute-force attacks infeasible.

For anything important, I also use 2FA.
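The stateless scheme archargelod describes, as an added illustration rather than the commenter's own code: scrypt over the master password with the service name and username as salt, then the derived bytes mapped onto a password alphabet. The cost parameters (N=2**14, r=8, p=1), the alphabet, the length-prefixed salt encoding and the optional rotation counter are all assumptions made here, not details from the post.

```python
import hashlib
import string

# Assumed scrypt cost parameters (not the commenter's); 128*r*N = 16 MiB of memory.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_=+"


def _salt(service: str, username: str, counter: int) -> bytes:
    # Length-prefix each component so ("ab", "c") cannot collide with ("a", "bc").
    parts = (service.strip().lower(), username, str(counter))
    return b"".join(len(p.encode()).to_bytes(2, "big") + p.encode() for p in parts)


def derive_password(master: str, service: str, username: str,
                    length: int = 20, counter: int = 0) -> str:
    """Deterministically derive a site password; nothing needs to be stored.

    The salt binds the output to one service/account, so a password leaked
    from one site gives an attacker no shortcut to another. Bumping `counter`
    rotates a single site's password without changing the master secret.
    """
    if not 8 <= length <= 64:
        raise ValueError("length must be between 8 and 64")
    key = hashlib.scrypt(master.encode("utf-8"), salt=_salt(service, username, counter),
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=length * 2)
    # Two derived bytes per output character keep modulo bias below 0.1%.
    return "".join(ALPHABET[int.from_bytes(key[i:i + 2], "big") % len(ALPHABET)]
                   for i in range(0, len(key), 2))


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    print(derive_password("correct horse battery staple", "example.com", "alice"))
```

The security of the whole scheme rests on the master password alone: there is no per-site secret to leak, but there is also nothing to rotate if the master password is ever guessed.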

pievalentin 6 hours ago
Somehow that's good, because the rest of the Bitwarden apps will benefit from the increased tightness of their tooling and CI/CD.