The Bitwarden security team identified and contained a malicious package that was briefly distributed through the npm delivery path for @bitwarden/
[email protected] between 5:57 PM and 7:30 PM (ET) on April 22, 2026, in connection with a broader Checkmarx supply chain incident. The investigation found no evidence that end user vault data was accessed or at risk, or that production data or production systems were compromised. Once the issue was detected, compromised access was revoked, the malicious ...
As much as some people deride it Javascript is one of the most used languages on the planet.
This is basically the same as people thinking windows is less secure because it’s more often targeted.
JavaScript does have a bit of a problem with dependencies but it isn’t much different than other languages with built in package managers like rust. It’s just a bigger juicer target.
But Windows is less secure. Two things can be true at once. They are in the original topic too.
The Java ecosystem is massive and decades old and I don’t hear one iota of the shit about maven central that I hear about npm.
I guarantee that npm is full up with vibe coded bullshit at this point as well.
I’m not sure what it even takes to upload a package to npm. Not even a pulse. I honestly never looked into it because the whole ecosystem is so rancid.