Bitwarden CLI Compromised in Ongoing Checkmarx Supply Chain Campaign
by tosh on 4/23/2026, 2:17:08 PM
https://socket.dev/blog/bitwarden-cli-compromised
Comments
by: ruuda
https://github.com/doy/rbw is a Rust alternative to the Bitwarden CLI. Although the Rust ecosystem is moving in NPM's direction (very large and very deep dependency trees), you still need to trust far fewer authors in your dependency tree than what is common for JavaScript.
4/23/2026, 3:44:22 PM
by: 1024kb
I had a really bad experience with the bitwarden cli. I believe it was `bw list` that I ran, assuming it would list the names of all my passwords, but to my surprise, it listed everything, including passwords and current totp codes. That's not the worst of it though. For some reason, when I ssh'ed into one of my servers and opened tmux, where I keep a weechat irc client running, I noticed that the entire content of the bw command was accessible from within the weechat text input field history. I have no idea how this happened, but it was quite terrifying. The issue persisted across tmux and weechat sessions, and only a reboot of the server would solve the problem.

I promptly removed the bw cli programme after that, and I definitely won't be installing it again.

I use ghostty if it matters.
4/23/2026, 3:22:46 PM
by: ripped_britches
I have been meaning to move off of Bitwarden. In the past, open source meant more secure. Still could be the case for super important projects, but that is just no longer reality. I’m considering just vibe coding my own, vibe pentesting it, and keeping it private.
4/23/2026, 4:28:20 PM
by: flossly
Never used the CLI, but I do use their browser plugin. Would be quite a mess if that got compromised. What can I do to prevent it? Run old --tried and tested-- versions?

Quite bizarre to think much of my well-being depends on those secrets staying secret.
4/23/2026, 3:27:44 PM
by: darkwater
> Russian locale kill switch: Exits silently if system locale begins with "ru", checking Intl.DateTimeFormat().resolvedOptions().locale and environment variables LC_ALL, LC_MESSAGES, LANGUAGE, and LANG

So bold and so cowardly at the same time...
4/23/2026, 3:34:59 PM
by: mobeigi
KeePass users continue to live the stress-free life.

I've managed to avoid several security breaches in the last 5 years alone by using KeePass locally on my own infra.
4/23/2026, 3:31:55 PM
by: wooptoo
This is precisely why I don't use BW CLI. Use pass or gopass for all your CLI tokens and sync them via a private git repo.

Keep the password manager as a separate desktop app and turn off auto update.
4/23/2026, 3:45:23 PM
by: post-it
I've dramatically decreased my reliance on third-party packages and tools in my workflow. I switched from Bitwarden to Apple Passwords a few months ago, despite its worse feature set (though the impetus was Bitwarden crashing on login on my new iPad).

I've also been preferring to roll things on my own in my side projects rather than pulling a package. I'll still use big, standalone libraries, but no more third-party shims over an API, I'll just vibe code the shim myself. If I'm going to be using vibe code either way, better it be mine than someone else's.
4/23/2026, 3:59:21 PM
by: isatty
Writing a cli with JavaScript? No thank you.
4/23/2026, 3:32:41 PM
by: hgoel
Does the CLI auto-update?

Edit: The CLI itself apparently does not, which will have limited the damage a bit, but if it's installed as a snap, it might. Incidents like this should hopefully cause a rollback of this dumb system of forcefully and frequently updating people's software without explicit consent.

Also the time range provided in https://community.bitwarden.com/t/bitwarden-statement-on-checkmarx-supply-chain-incident/96127 can help with knowing if you were at risk. I only used the CLI once in the morning yesterday (ET), so I might not have been affected?
4/23/2026, 3:26:13 PM
by: ozgrakkurt
Their website is also incredibly bad. I am not paying for it so it might be better for paying users.

It is mind boggling how an app that just lists a bunch of items can be so bloated.
4/23/2026, 4:01:58 PM
by: Scene_Cast2
I recently had to disable their Chrome extension because it made the browser grind to a halt (spammed mojo IPC messages to the main thread according to a profiler). I wasn't the only one affected, going by the recent extension reviews. I wonder if it's related.
4/23/2026, 3:43:43 PM
by: hrimfaxi
> The affected package version appears to be @bitwarden/cli 2026.4.0, and the malicious code was published in bw1.js, a file included in the package contents. The attack appears to have leveraged a compromised GitHub Action in Bitwarden’s CI/CD pipeline, consistent with the pattern seen across other affected repositories in this campaign.
4/23/2026, 3:30:46 PM
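The quote above gives two concrete indicators for anyone who wants to check a machine: the affected release, 2026.4.0, and the file name, bw1.js, that the malicious code was shipped in. The script below is an added example, not something from the thread, from Socket, or from Bitwarden; it reads the version out of a package's package.json and looks for the named file under the package directory. The node_modules layout it expects (a package.json directly inside the @bitwarden/cli directory, with npm's `npm root -g` locating the global tree) is an assumption about a normal npm install, and the sample trees it builds under mktemp are constructed for the stand-alone run.

```shell
#!/bin/sh
# Added example (not from the thread, Socket, or Bitwarden): check a local
# @bitwarden/cli install against the two indicators quoted in the thread.
AFFECTED_VERSION="2026.4.0"   # release named as affected
PAYLOAD_FILE="bw1.js"         # file named as carrying the malicious code

# Pull the "version" field out of a package.json without needing jq or node.
pkg_version() {
  sed -n 's/.*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# check_bw_install DIR: prints a verdict; returns 0 if clean, 1 if suspect,
# 2 if DIR does not look like an npm package at all.
check_bw_install() {
  dir="$1"
  pkg="$dir/package.json"
  [ -f "$pkg" ] || { echo "no package.json in $dir"; return 2; }
  ver=$(pkg_version "$pkg")
  suspect=0
  if [ "$ver" = "$AFFECTED_VERSION" ]; then
    echo "SUSPECT: $dir has version $ver, the affected release"
    suspect=1
  fi
  # The payload file name, searched anywhere under the package directory.
  if find "$dir" -type f -name "$PAYLOAD_FILE" | grep -q .; then
    echo "SUSPECT: $PAYLOAD_FILE present under $dir"
    suspect=1
  fi
  [ "$suspect" -eq 0 ] && echo "clean: $dir is version $ver, no $PAYLOAD_FILE"
  return "$suspect"
}

# Constructed sample trees so the script runs offline. Version 2026.3.2 for
# the "good" tree is made up for the example; the layout mimics an npm package.
make_sample() {   # make_sample DIR VERSION [payload-file]
  mkdir -p "$1/build"
  printf '{ "name": "@bitwarden/cli", "version": "%s" }\n' "$2" > "$1/package.json"
  [ -n "$3" ] && : > "$1/build/$3"
  return 0
}

SAMPLE=$(mktemp -d)
make_sample "$SAMPLE/bad" "$AFFECTED_VERSION" "$PAYLOAD_FILE"
make_sample "$SAMPLE/good" "2026.3.2"

for d in bad good; do
  if check_bw_install "$SAMPLE/$d"; then
    echo "$d: nothing found"
  else
    echo "$d: needs attention"
  fi
done

# Real use (assumed npm layout): point it at the global install.
#   check_bw_install "$(npm root -g)/@bitwarden/cli"
```

A clean result from this only means neither indicator is present in that directory; it says nothing about a snap or other packaging, about other versions the campaign may have touched, or about whether the CLI was run during the window in Bitwarden's statement, which is the question hgoel raises further down.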
by: DiffTheEnder
I wonder if 1Password CLI is a top priority for hackers similarly.
4/23/2026, 4:09:42 PM
by: sega_sai
So how likely is that these compromises will start affecting the non-cli and non-open-source tools? For example other password managers (in the form of GUIs or browser extensions).
4/23/2026, 3:33:46 PM
by: tracker1
I was literally thinking about installing the cli a few days ago to ease the use in a few places. Now I'm glad I didn't.
4/23/2026, 3:44:17 PM
by: hurricanepootis
This doesn't affect the web extension, no?
4/23/2026, 3:21:48 PM
by: nothinkjustai
Remember how the White House published that document on memory safe languages? I think it’s time they go one step further and ban new development in JavaScript. Horrible language, horrible ecosystem, and horrible vulns.
4/23/2026, 3:44:10 PM
by: fnoef
I mean, what's the future now? Everyone just vibecoding their own private tools that no "foreign government" has access to? It honestly feels like everything is slowly starting to collapse.

Also didn't Microsoft (the owner of GitHub) get access to Claude Mythos in order to "seCuRe cRitiCal SoftWaRe InfRasTructUre FoR teh AI eRa"? How's securing GitHub Actions going for them?
4/23/2026, 3:45:22 PM
by: citizen4902
Bitwarden statement - https://community.bitwarden.com/t/bitwarden-statement-on-checkmarx-supply-chain-incident/96127
4/23/2026, 3:30:31 PM
by: masfuerte
> Checkmarx is an information security company specializing in software application security testing and risk management for software supply chains.

The irony! The security "solution" is so often the weak link.
4/23/2026, 3:35:51 PM
by: sigmonsays
If I run the compromised CLI, do they get all my passwords?
4/23/2026, 3:12:41 PM
by: fraywing
Can we please get a break?

Praying to the security gods.

It seems like we've had non-stop supply chain attacks for months now?
4/23/2026, 3:45:17 PM
by: nozzlegear
Another day, another supply chain attack involving GitHub Actions.
4/23/2026, 3:11:56 PM
by: rvz
Once again, it is in the NPM ecosystem. OneCLI [0] does not save you either. Happens less with languages that have better standard libraries such as Go.

If you see any package that has hundreds of libraries, that increases the risk of a supply chain attack.

A password manager does not need a CLI tool.

[0] https://news.ycombinator.com/item?id=47585838
4/23/2026, 3:28:04 PM