  • [object Object]@lemmy.ca · 21 upvotes, 1 downvote · 1 hour ago

    Can we stop using npm now?

    I swear to god the number of attacks like this, or spawned from other attacks like this, is fucking stupid. I’ve never seen anything like it.

    • i_am_not_a_robot@discuss.tchncs.de · 2 upvotes · 34 minutes ago

      This problem has nothing to do with NPM. Checkmarx was compromised last month, and during that compromise there were malicious VS Code extensions published to Visual Studio Code Marketplace. A Bitwarden developer says that somebody ran one of those malicious extensions, and GitHub API keys were stolen which were used in publishing the malicious CLI package.

      It’s probably better that it happened on NPM. If the CLI were only downloadable from the Bitwarden website, it would have likely taken longer for somebody to notice something was wrong.

      • realitaetsverlust@piefed.zip · 4 upvotes · 20 minutes ago

        Yes, but NPM has had countless security problems; this isn’t a new problem. Even though this instance is not a problem of NPM itself, it has still been proven to be one of the most unreliable and insecure package managers out there.

  • BlackEco@lemmy.blackeco.com · 44 upvotes · 2 hours ago

    It has only been available for 2h30 on NPM, so unless you had the misfortune of installing the latest version in this short window, you should be fine. Thankfully people have been able to quickly catch this.

  • Eager Eagle@lemmy.world · 15 upvotes · 2 hours ago

    reposting the tl;dr I wrote from another community…

    Yesterday, for about 1h30min (starting at 5:57pm ET / 21:57 UTC), anyone installing the latest version of the Bitwarden command line interface was installing malware.

    The malware steals GitHub/npm tokens, .ssh, .env, shell history, GitHub Actions and cloud secrets, then exfiltrates the data to private domains and as GitHub commits, and doesn’t seem to be targeting Bitwarden specifically, or user vaults.

    There’s no evidence that end user vault data was accessed or at risk, or that production data or production systems were compromised, according to their official statement.

    It seems there were 334 Bitwarden CLI downloads in this time period, some or many of which might have been from bots, so this is an upper bound on the number of affected users.
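The two posts above (BlackEco's "unless you installed the latest version in this short window" and Eager Eagle's list of what the malware collects) translate into a concrete post-incident check. The script below is an added example, not code from the thread or from Bitwarden: it reads the installed @bitwarden/cli version from a node_modules root so you can compare it against the affected version the advisory names (the thread does not quote it), looks through npm's own per-run log files for installs of the package inside a UTC window, and lists the files under a home directory that match what the thread says was stolen, so you end up with a rotation checklist. Assumptions, labelled in the comments: npm ≥ 7 names its logs `<ISO timestamp with _ for :>-debug-N.log` under `~/.npm/_logs`, and the credential paths listed are the usual defaults for ssh, npm, gh, AWS, gcloud, Azure, Docker and kubectl.

```shell
#!/bin/sh
# Added example (not from the thread or from Bitwarden): post-incident triage for
# an npm-distributed CLI that shipped a malicious release for a short window.
# Source this file and call the functions; nothing runs on its own.

installed_version() {
  # $1 = node_modules root, e.g. "$(npm root -g)".
  # Prints the version recorded in @bitwarden/cli/package.json, or "not-installed".
  pkg="$1/@bitwarden/cli/package.json"
  if [ ! -f "$pkg" ]; then
    echo "not-installed"
    return 0
  fi
  # Minimal JSON read: first top-level "version": "x.y.z" entry.
  sed -n 's/^[[:space:]]*"version":[[:space:]]*"\([^"]*\)".*/\1/p' "$pkg" | head -n 1
}

installs_in_window() {
  # $1 = npm log dir (normally "$HOME/.npm/_logs")
  # $2, $3 = window bounds in the same shape as the log file names,
  #          e.g. 2026-01-01T21_57 (UTC, ':' replaced by '_').
  # Assumption: npm >= 7 names each run's log <ISO-timestamp>-debug-N.log,
  # so a plain lexicographic comparison of file names orders them by time.
  logs=$1; start=$2; end=$3
  [ -d "$logs" ] || return 0
  for f in "$logs"/*.log; do
    [ -f "$f" ] || continue
    n=$(basename "$f")
    if [ "$n" \> "$start" ] && [ "$n" \< "$end" ] && grep -q '@bitwarden/cli' "$f"; then
      echo "$f"
    fi
  done
  return 0
}

exposed_secrets() {
  # $1 = home directory to inspect.
  # Prints each existing path of the kind the thread says the malware collects:
  # ssh keys, npm/GitHub tokens, shell history, cloud and container credentials,
  # plus any .env file below the home directory. Every hit is a "rotate this".
  home=$1
  for p in .ssh .npmrc .config/gh/hosts.yml .bash_history .zsh_history \
           .aws/credentials .config/gcloud .azure .docker/config.json .kube/config; do
    if [ -e "$home/$p" ]; then
      echo "$home/$p"
    fi
  done
  # .env files are usually per-project, so walk the whole tree (assumed layout).
  find "$home" -name '.env' -type f 2>/dev/null
  return 0
}

# Usage (interactive), with the window taken from the advisory, not from this script:
#   . ./bw-triage.sh
#   installed_version "$(npm root -g)"
#   installs_in_window "$HOME/.npm/_logs" '<YYYY-MM-DD>T21_57' '<YYYY-MM-DD>T23_30'
#   exposed_secrets "$HOME"
```

A non-empty result from `installs_in_window` does not prove the malicious tarball ran (the log only records the install command), but it is the cheapest host-side evidence you have; treat every path printed by `exposed_secrets` as compromised and rotate it rather than trying to decide which ones the payload actually read.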

    • Corngood@lemmy.ml · 4 upvotes · 2 hours ago

      I really need to figure out a better sandboxing method for shells. It’s crazy to me that things like my keys, browser data and shell history are all accessible.

      I do try to use firejail where possible, but it’s quite cumbersome. Every so often I look for tools to help with this, but everything is oriented around making a specific program (e.g. Firefox, Steam) work.

      • Eager Eagle@lemmy.world · 1 upvote · 1 minute ago

        Yeah, about twice a year I use the CLI to back up my vault, and I’ve never felt comfortable installing an npm package to handle my vault. Now I’m definitely sandboxing it in a rootless container without internet next time.
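The last two comments ask for exactly the thing a wrapper can provide: run the npm-installed `bw` so that even a malicious release cannot reach ~/.ssh, ~/.npmrc and other tokens, shell history, .env files or cloud credentials. The script below is an added example, not from the thread, from Bitwarden or from bubblewrap's documentation. It uses bubblewrap (`bwrap`, the unprivileged sandbox firejail is often compared with) rather than a container: the process gets an empty HOME that maps to one scratch directory, a read-only /usr, no other part of the real home or environment, and no network unless you ask for it (login and sync need it; an export of an already synced vault does not). Assumptions, also noted in the code: `bwrap` ≥ 0.4.1 is installed, `bw` lives under /usr (for example a root npm prefix of /usr/local), and TLS roots are in /etc/ssl.

```shell
#!/bin/sh
# Added example (not from the thread, Bitwarden or bubblewrap): run `bw` inside a
# bwrap sandbox that hides everything the thread says the malware collects.
# Assumptions: bwrap >= 0.4.1 (for --ro-bind-try); `bw` is on PATH under /usr;
# TLS roots in /etc/ssl. Add further --ro-bind lines if your layout differs.

bw_sandboxed() {
  # usage: bw_sandboxed <workdir> <net|nonet> [--print] [bw arguments...]
  # <workdir> is the only writable host path; bw writes its data.json under it
  # because HOME is pointed there. --print shows the bwrap argv instead of
  # executing it (used for testing and for reviewing the policy).
  work=$1
  net=$2
  shift 2
  print=0
  if [ "${1:-}" = "--print" ]; then
    print=1
    shift
  fi
  case $net in
    net)   netopt=--share-net ;;    # bw login / bw sync
    nonet) netopt=--unshare-net ;;  # bw export of an already synced vault
    *)     echo "second argument must be net or nonet" >&2; return 2 ;;
  esac
  mkdir -p "$work"

  # Build the argv back to front with `set --`, which prepends to "$@".
  set -- -- bw "$@"
  # The environment is cleared below (GITHUB_TOKEN, AWS_*, ... must not leak in);
  # the unlock key is the one variable bw legitimately needs, so pass it alone.
  if [ -n "${BW_SESSION:-}" ]; then
    set -- --setenv BW_SESSION "$BW_SESSION" "$@"
  fi
  set -- \
    --ro-bind /usr /usr \
    --symlink usr/lib /lib --symlink usr/lib64 /lib64 \
    --symlink usr/bin /bin --symlink usr/sbin /sbin \
    --ro-bind /etc/ssl /etc/ssl \
    --ro-bind-try /etc/resolv.conf /etc/resolv.conf \
    --proc /proc --dev /dev --tmpfs /tmp \
    --unshare-all "$netopt" \
    --die-with-parent --new-session \
    --clearenv \
    --setenv HOME /home/sandbox \
    --setenv PATH /usr/local/bin:/usr/bin:/bin \
    --setenv TERM "${TERM:-dumb}" \
    --bind "$work" /home/sandbox --chdir /home/sandbox \
    "$@"

  if [ "$print" -eq 1 ]; then
    printf '%s\n' "$@"
    return 0
  fi
  exec bwrap "$@"
}

# Usage:
#   . ./bw-sandbox.sh
#   bw_sandboxed ~/bw-box net   login          # network only for this step
#   bw_sandboxed ~/bw-box net   sync --session "$BW_SESSION"
#   bw_sandboxed ~/bw-box nonet export --format json --session "$BW_SESSION"
```

The policy is deliberately allow-list shaped: nothing from the real home is bound at all, so a payload that walks `$HOME` finds only the vault's own data and whatever you exported into the scratch directory. Review the argv with `--print` before trusting it, and remember that `--new-session` also means the sandboxed `bw` cannot take over your terminal, which is what you want for a process you have decided not to trust.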