The Bitwarden security team identified and contained a malicious package that was briefly distributed through the npm delivery path for @bitwarden/cli@2026.4.0 between 5:57 PM and 7:30 PM (ET) on April 22, 2026, in connection with a broader Checkmarx supply chain incident. The investigation found no evidence that end user vault data was accessed or at risk, or that production data or production systems were compromised. Once the issue was detected, compromised access was revoked, the malicious ...
That sounds more like bad practices from the community. It definitely has ways to use exact versions. Not the least of which the lock file. Or the shrinkwrap file which public packages should be using.
Any security system based on expecting good behavior from people is sure to fail. If NPM has no estructural features to enforce safe behaviors, it is vulnerable by default. As no person using it will apply safe practices unless forced to. Specially if the default, easiest, less friction behavior, is inherently unsafe.
That sounds more like bad practices from the community. It definitely has ways to use exact versions. Not the least of which the lock file. Or the shrinkwrap file which public packages should be using.
Any security system based on expecting good behavior from people is sure to fail. If NPM has no estructural features to enforce safe behaviors, it is vulnerable by default. As no person using it will apply safe practices unless forced to. Specially if the default, easiest, less friction behavior, is inherently unsafe.
I wouldn’t say pulling in higher versions is unsafe unless an attack like this succeeds. Otherwise it’s only an annoyance.
Then you’re waiting forever on vulnerability patches. Especially if there are layers, and each layer waits to update.