Why a recent supply-chain attack singled out security firms Checkmarx and Bitwarden
- Thread starter JournalBot
- Start date
Not a great look for Checkmarx or Trivy. You’re telling me they don’t have mitigations for watering-hole attacks? When
—exclude-newer is right there in modern package managers? How are we supposed to trust them to protect us from supply-chain attacks when they themselves are a weak link in our supply chain?
Upvote
48
(48
/
0)
The reality is there is no easy AM/AV for SMB customers. Costs escalate as you scale. Anything out of a repository should always be considered less robust protection.
Last edited:
Upvote
10
(10
/
0)
Zero clarity on the Bitwarden situation from this article. I wish there had been some kind of impact reporting there ? Why even mention them if you’re not going to talk about it
Upvote
156
(158
/
-2)
https://community.bitwarden.com/t/bitwarden-statement-on-checkmarx-supply-chain-incident/96127
"If you use the Bitwarden command line interface and deploy using NPM, and downloaded the CLI between 5:57p ET and 7:30p ET on April 22, 2026, you may be affected."
Pretty narrow window and limited audience.
Upvote
179
(179
/
0)
Upvote
78
(78
/
0)
Would be very happy to see the end of checkmarx use in our company. The implementation is a nightmare of pointless box-ticking and approvals to get any issue it raises closed. The vast majority are false positives.
What's worse, if you change a file such that the line of code it flagged changes (e.g adding something new before) - the same issue gets raised again.
What's worse, if you change a file such that the line of code it flagged changes (e.g adding something new before) - the same issue gets raised again.
Upvote
11
(11
/
0)
I think this is an important detail that the article missed. Regarding this attack, Bitwarden was engaging with Redditors and actively raising awareness.
Upvote
40
(41
/
-1)
The information definitely should have been included in the article instead of letting people think that all of Bitwarden was attacked or compromised.
Upvote
46
(46
/
0)
Yeah, it comes across as clickbait when no relevant details are included. Thanks to LlamaDragon for actually sharing helpful information.
Upvote
29
(29
/
0)
Your headline says BitWarden for attention and clicks but article lacks any substance on this? Editorial standards … where are they?
Upvote
14
(14
/
0)
There have been a series of breaches in the last few months that all stem from compromises through GitHub Actions. Is the service that leaky or do the users of it just not know how to configure GitHub Actions correctly?
Upvote
7
(7
/
0)
Hi can you elaborate on this? I think having a cool down period of new packages from supposedly trustworthy suppliers is the answer to protect against the eventual 4 or 8 hour compromise window.
Upvote
1
(2
/
-1)
The problem is that it’s not right there in a key system—GitHub Actions—common to many of these attacks, and it’s patchy in most languages. NPM only got a basic version yesterday (lagging way behind pnpm), Python’s pip only shipped it a few days ago (lagging uv but ahead of Poetry), and the Java world doesn’t even have lock files yet much less cooldowns.
I think Microsoft deserves a lot of the blame for these breaches because Actions is extremely hard to use safely by design (multiple versions, malicious Git commits reachable through the upstream namespace, it’s using YAML to assemble shell scripts so escaping is high-risk and hard to lint), but much of the rest comes down to companies not putting their money where their mouths collectively are. If everyone canceled one vanity security vendor purchase and spent time implementing locking files and cooldowns, contributing to upstream OSS as needed, the world would be much better off than the CISOs having a “we use AI!!!” dashboard nobody really benefits from.
Upvote
11
(11
/
0)
Mansplainer1001
Smack-Fu Master, in training
Folks of various technical capabilities land on articles like these and thus it would be enormously helpful if such articles elaborated at least a little bit on practical effects such developments as these mean for users of bitwarden or GitHub.
Upvote
5
(5
/
0)
Look, I don't know any other way to sanitize a numeric input than to pull in 387 dependencies.
Upvote
11
(11
/
0)
Upvote
5
(5
/
0)