The password manager you trust with your secrets almost became the delivery vector for stealing them. Earlier this week, security researchers at Checkmarx disclosed an active supply chain attack targeting the Bitwarden CLI via a malicious npm package. It hit close to home for a lot of developers, not just because Bitwarden is widely used, but because it exposes exactly how fragile our toolchain trust really is.

This isn't a theoretical attack. It's real, it's ongoing, and if you haven't audited your dependencies yet, stop reading, open a terminal, and do it first.

Done? Good. Now let's talk about what actually happened, why it worked, and what you need to do to avoid being the next victim.

What Happened

The attack combined two classic supply chain techniques: typosquatting and dependency confusion.

Typosquatting

Attackers published a package called @bitwarden/cli. Notice that it is a scoped package under the Bitwarden namespace.…