Posted by tosh 14 hours ago

Bitwarden CLI compromised in ongoing Checkmarx supply chain campaign (socket.dev)
671 points | 333 comments | page 3
xmorse 12 hours ago
I am working on a project you can self-host on Cloudflare with one command, to store secrets and passwords there. It has a CLI similar to Doppler.

https://github.com/remorses/sigillo

Scene_Cast2 13 hours ago
I recently had to disable their Chrome extension because it made the browser grind to a halt (spammed mojo IPC messages to the main thread according to a profiler). I wasn't the only one affected, going by the recent extension reviews. I wonder if it's related.
bstsb 13 hours ago
> CLI builds were affected [...]

> Bitwarden’s Chrome extension, MCP server, and other legitimate distributions have not been affected yet.

citizen4902 13 hours ago
Bitwarden statement - https://community.bitwarden.com/t/bitwarden-statement-on-che...
archargelod 4 hours ago
That's why I don't use any third-party password managers. You have to trust them not to fuck up security, updates, backups, etc. etc.

I wrote my own password generator - it's stateless, which has the advantage that I never have to back up or sync any data between devices. It just lets you enter a very long, secure master password, service name and a username then runs an scrypt hash on this with good enough parameters to make brute-force attacks unfeasible.

For anything important, I also use 2FA.
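A minimal implementation of the stateless scheme described in the comment above, as an added example and not the commenter's own code. The salt layout (service, username, counter), the counter parameter for rotating a single site's password, the input normalisation and the 64-character output alphabet are assumptions not in the comment.

```python
import hashlib
import unicodedata

# 64-character alphabet: 6 bits per character, so mapping the derived key
# onto it is unbiased (64 divides 2**256).
ALPHABET = (
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "abcdefghijklmnopqrstuvwxyz"
    "0123456789!-"
)

# scrypt memory cost is 128 * r * N bytes: 32 MiB with N=2**15, r=8.
SCRYPT_N = 2 ** 15
SCRYPT_R = 8
SCRYPT_P = 1
SCRYPT_MAXMEM = 64 * 1024 * 1024


def _normalize(value: str) -> str:
    """Canonicalise text so the same input typed on any device yields the same bytes."""
    return unicodedata.normalize("NFKC", value.strip())


def derive_password(master: str, service: str, username: str,
                    counter: int = 0, length: int = 20) -> str:
    """Stateless derivation: scrypt(master, salt = service | username | counter).

    `counter` is an assumption: bumping it rotates one site's password without
    touching any other derived password. Length is capped at 42 because a
    256-bit key only carries 42 six-bit characters.
    """
    if not 1 <= length <= 42:
        raise ValueError("length must be between 1 and 42")
    salt = "\n".join([_normalize(service).lower(),
                      _normalize(username),
                      str(counter)]).encode("utf-8")
    key = hashlib.scrypt(_normalize(master).encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
                         maxmem=SCRYPT_MAXMEM, dklen=32)
    # Consume the 256-bit key six bits at a time.
    value = int.from_bytes(key, "big")
    chars = []
    for _ in range(length):
        value, idx = divmod(value, len(ALPHABET))
        chars.append(ALPHABET[idx])
    return "".join(chars)


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    print(derive_password("correct horse battery staple", "example.com", "alice"))
```

The scheme has no stored state, so it also cannot remember per-site password policies; a site that rejects the alphabet or length above needs its parameters remembered out of band.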

ozgrakkurt 12 hours ago
Their website is also incredibly bad. I am not paying for it so it might be better for paying users.

It is mind-boggling how an app that just lists a bunch of items can be so bloated.

tracker1 13 hours ago
I was literally thinking about installing the cli a few days ago to ease the use in a few places. Now I'm glad I didn't.
0xbadcafebee 11 hours ago
This will continue to happen more and more, until legislation is passed to require a software building code.