Posted by tosh 16 hours ago

Bitwarden CLI compromised in ongoing Checkmarx supply chain campaign (socket.dev)
697 points | 342 comments | page 4
hurricanepootis 14 hours ago
This doesn't affect the web extension, no?
masfuerte 14 hours ago
> Checkmarx is an information security company specializing in software application security testing and risk management for software supply chains.

The irony! The security "solution" is so often the weak link.

woodruffw 14 hours ago
The adage that security companies are often worse at software security than the median non-security company continues to hold water.
esafak 14 hours ago
Last month it was trivy: https://github.com/aquasecurity/trivy/security/advisories/GH...
mey 11 hours ago
Looks like Bitwarden has a statement here, https://community.bitwarden.com/t/bitwarden-statement-on-che...
nothinkjustai 14 hours ago
Remember how the White House published that document on memory safe languages? I think it’s time they go one step further and ban new development in JavaScript. Horrible language, horrible ecosystem, and horrible vulns.
hootz 13 hours ago
Supply chain attacks aren't exclusive to JS, just like malware isn't exclusive to Windows; it's just that JS and Windows are more popular and widespread. Kill JS and you will get supply chain attacks on the next most popular language with package managers. Kill Windows and you will get a flood of Linux/macOS malware.
mghackerlady 12 hours ago
Maybe language-based package managers aren't great. Also, npm has design decisions that make it especially prone to supply chain attacks, iirc.
dnnddidiej 9 hours ago
JS apps need more direct dependencies and transitives to do basic things vs. other languages.
DiffTheEnder 14 hours ago
I wonder if 1Password CLI is a top priority for hackers similarly.
y0ssar1an 12 hours ago
I'm sure it is, but it's written in Rust so it should be a little harder to pwn.
sigmonsays 15 hours ago
If I run the compromised CLI, do they get all my passwords?
bhouston 14 hours ago
Exactly, that could widen the blast radius of this particular compromise significantly.
NeckBeardPrince 14 hours ago
Read the article
valicord 14 hours ago
Where does it answer this question in the article?
rtaylorgarlock 14 hours ago
Kinda crazy to see this comment required in this particular context, yet here we are.
hgoel 14 hours ago
It's an understandable question; the article reads like an AI-generated mess.
ErneX 14 hours ago
The article explains what is extracted.
jeroenhd 14 hours ago
The article waffles on forever and gives some generic advice.

Meanwhile, Bitwarden themselves state that end users were almost never affected: https://community.bitwarden.com/t/bitwarden-statement-on-che...

You had to install the CLI through npm during a very short time frame for it to be affected. If you did get infected, you have to assume all secrets on your computer were accessed and that any executable file you had write access to may be backdoored.

valicord 14 hours ago
No it doesn't?
ErneX 14 hours ago
Yes it does, under technical analysis. I don’t want to paste it here when it’s laid out in the article…
hgoel 14 hours ago
It seems to be describing what the Checkmarx vulnerability allows to be done on a GitHub Actions runner?
kbolino 14 hours ago
No, at least according to Bitwarden themselves: https://community.bitwarden.com/t/bitwarden-statement-on-che...
raphinou 13 hours ago
From my understanding the Checkmarx attack could have been prevented by the asfaload project I'm working on. See https://github.com/asfaload/asfaload

It is:

- open source
- accountless (keys are identity)
- using a public git backend, making it easily auditable
- easy to self-host, meaning you can easily deploy it internally
- multisig, meaning even if a GitHub account is breached, malevolent artifacts can be detected
- validating a download transparently to the user, which only requires the download URL, contrary to sigstore

y0ssar1an 12 hours ago
They were cooked the minute they chose to write it in TypeScript.
giantfrog 11 hours ago
How the hell are most people supposed to balance the risk of not updating software against the risk of updating software?
eranation 11 hours ago
It's a hard decision. I would say a cooldown by default in the last few months would have prevented more attacks than not upgrading to the latest version due to an immediate RCE, zero-click, EPSS 100%, CVSS 10.0, KEV-mentioned zero-day CVE. But now that the Mythos 90-day disclosure window gets closer, I don't know what tsunami of urgent patches is in our way... it's not an easy problem to solve.

I lean toward cooldown by default, and bypass it when an actual reachable, exploitable zero-day CVE is released.
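The "cooldown by default, bypass for an actively exploited fix" policy from the comment above, as an added example that is not from the thread or from any of the projects named in it: it walks a package-lock.json `packages` map and flags resolved versions whose registry publish time is younger than the cooldown, unless the package is on an explicit bypass list. The lockfile and the registry `time` map are constructed samples; `NOW` is a fixed clock so the result is reproducible offline.

```python
"""Dependency cooldown check (added example, constructed data).

A real run would read package-lock.json from disk and fetch
https://registry.npmjs.org/<name>, whose "time" map gives a publish
timestamp per version (plus "created"/"modified" keys, ignored here).
"""
from datetime import datetime, timedelta, timezone

COOLDOWN_DAYS = 7
NOW = datetime(2024, 3, 3, tzinfo=timezone.utc)  # fixed clock for the sample

# Constructed sample of the "packages" map of a lockfileVersion 3 package-lock.json.
LOCKFILE = {
    "packages": {
        "": {"name": "sample-app"},  # root project entry, has no registry version
        "node_modules/left-pad-ish": {"version": "1.3.0"},
        "node_modules/example-cli": {"version": "2.0.1"},
        "node_modules/urgent-fix": {"version": "4.4.1"},
    }
}

# Constructed stand-in for each package's registry "time" map (version -> published).
REGISTRY_TIME = {
    "left-pad-ish": {"1.3.0": "2024-01-10T12:00:00.000Z"},
    "example-cli": {"2.0.1": "2024-03-01T08:30:00.000Z"},
    "urgent-fix": {"4.4.1": "2024-03-02T00:00:00.000Z"},
}


def parse_registry_time(value):
    """Registry timestamps are ISO 8601 with milliseconds and a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def cooldown_violations(lockfile, registry_time, now, cooldown_days=COOLDOWN_DAYS, bypass=()):
    """Return [(name, version, age_in_days)] for locked versions younger than the cooldown.

    Packages in `bypass` (the "actually exploited zero-day fix" case) are skipped.
    Versions with no registry data are skipped here; a stricter policy could flag them.
    """
    cutoff = now - timedelta(days=cooldown_days)
    hits = []
    for path, meta in lockfile["packages"].items():
        if not path or name_in(bypass, path):
            continue
        name = path.rsplit("node_modules/", 1)[-1]  # handles nested node_modules paths
        published = registry_time.get(name, {}).get(meta.get("version"))
        if published is not None and parse_registry_time(published) > cutoff:
            hits.append((name, meta["version"], (now - parse_registry_time(published)).days))
    return hits


def name_in(bypass, path):
    return path.rsplit("node_modules/", 1)[-1] in bypass
```

npm's own `--before <date>` install option is the built-in way to get a similar effect, since it refuses versions published after the given date.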

progval 8 hours ago
Use a package repository that fast-tracks security updates, like Debian Stable.
nozzlegear 15 hours ago
Another day, another supply chain attack involving GitHub Actions.
adityamwagh 14 hours ago
GitHub was down too! Its uptime has been so bad recently.
righthand 14 hours ago
It’s the new npm
saghm 3 hours ago
This one also involved npm to be fair
palata 14 hours ago
Don't GitHub Actions actually use npm?
dnnddidiej 9 hours ago
The new Windows 98