The Bitwarden security team identified and contained a malicious package that was briefly distributed through the npm delivery path for @bitwarden/cli@2026.4.0 between 5:57 PM and 7:30 PM (ET) on April 22, 2026, in connection with a broader Checkmarx supply chain incident. The investigation found no evidence that end user vault data was accessed or at risk, or that production data or production systems were compromised. Once the issue was detected, compromised access was revoked, the malicious ...
Huh? I have never claimed they are?
In cybersecurity, perfect is not a thing. You can only mitigate risks within a threat model.
To be fair, you didn’t say package managers were perfect, but you also failed to provide any evidence for your claims that a package manager was more trustworthy than a known software publisher’s website as a distribution method.
You were given plenty of opportunities to explain yourself, and you doubled down with insults and shifting goalposts.
Going by your logic, this breach is evidence that package managers should all be avoided.