this post was submitted on 23 Apr 2026
651 points (99.4% liked)

Selfhosted

59046 readers
1286 users here now
[–] eager_eagle@lemmy.world 52 points 2 weeks ago (2 children)

reposting the tl;dr I wrote from another community...

Yesterday, for about 1h30min (starting at 5:57pm ET / 21:57 UTC) anyone installing the latest version of the command line interface of bitwarden was installing malware.

The malware steals GitHub/npm tokens, .ssh, .env, shell history, GitHub Actions and cloud secrets, then exfiltrates the data to private domains and as GitHub commits, and doesn't seem to be targeting Bitwarden specifically, or user vaults.

There's no evidence that end user vault data was accessed or at risk, or that production data or production systems were compromised, according to their official statement.

It seems there were 334 bitwarden CLI downloads in this time period, some or many of which might have been from bots, so this is an upper bound on the number of affected users.

[–] Corngood@lemmy.ml 16 points 2 weeks ago (2 children)

I really need to figure out a better sandboxing method for shells. It's crazy to me that things like my keys, browser data and shell history are all accessible.

I do try to use firejail where possible, but it's quite cumbersome. Every so often I look for tools to help with this, but everything is oriented around making a specific program (e.g. Firefox, Steam) work.

[–] Anafabula@discuss.tchncs.de 8 points 2 weeks ago

For CLI tools I just use podman(/docker) containers. Good enough, and I don't have to learn a new tool.

[–] eager_eagle@lemmy.world 1 points 2 weeks ago* (last edited 2 weeks ago)

yeah, about twice a year I use the CLI to back up my vault, and I've never felt comfortable installing an npm package to handle my vault. Now I'm definitely sandboxing it in a rootless container without internet next time. And installing a week-old version, or older.
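The workflow the two comments above describe, as an added example that is not code from the thread, from Bitwarden or from any project: build a rootless podman image that installs only the newest release of an npm CLI that already existed a week ago (npm's `--before` filter does this for the package and its whole dependency tree), then run the tool with no network, no capabilities, a read-only root, and only one output directory bind-mounted, after refusing any mount that would expose the kinds of files the tl;dr says were harvested. It assumes podman is installed, that the `node:22-alpine` image is acceptable as a base, and that the package, minimum age and output directory are the defaults shown (all overridable through environment variables); the `/home/sandbox` and `/out` paths and the `localhost/sandbox/...` image name are choices made here, not anything the tool requires.

```shell
#!/bin/sh
# Added example (not from the thread or from Bitwarden): run an npm CLI such as
# @bitwarden/cli inside a rootless podman container that only ever installs a
# release at least MIN_AGE_DAYS old and gets no network at run time.
set -eu

PKG="${PKG:-@bitwarden/cli}"          # npm package to sandbox
MIN_AGE_DAYS="${MIN_AGE_DAYS:-7}"     # "a week-old version, or older"
OUTDIR="${OUTDIR:-$PWD/sandbox-out}"  # the only host directory the tool may touch
IMAGE="localhost/sandbox/$(printf '%s' "$PKG" | sed 's/^@//; s#[^a-z0-9]#-#g')"

# YYYY-MM-DD (UTC) for N days ago. Works with GNU date (-d @epoch) and BSD date (-r epoch).
cutoff_date() {
  secs=$(( $(date -u +%s) - $1 * 86400 ))
  date -u -d "@$secs" +%F 2>/dev/null || date -u -r "$secs" +%F
}

# Refuse bind mounts (SRC:DST[:opts]) whose source is a known secret location:
# SSH keys, npm/git/cloud credentials, .env files, shell history, or $HOME itself.
# The list is a starting point chosen for this example, not an exhaustive one.
check_mounts() {
  for m in "$@"; do
    src=${m%%:*}
    case "$src" in
      "${HOME:-/nonexistent}"|/|*/.ssh|*/.ssh/*|*/.npmrc|*/.gitconfig|*/.git-credentials| \
      */.aws|*/.aws/*|*/.config/gh|*/.config/gh/*|*/.env|*/.env.*|*/.bash_history|*/.zsh_history)
        echo "refusing to mount secret path: $src" >&2
        return 1 ;;
    esac
  done
  return 0
}

# podman run flags, one per line: ephemeral container, no network, read-only root,
# every capability dropped, scratch space only on tmpfs, and OUTDIR mounted as /out.
# --userns=keep-id maps your host uid into the container so files in /out stay yours.
run_args() {
  check_mounts "$1:/out" || return 1
  printf '%s\n' --rm --network=none --read-only --cap-drop=ALL \
    --security-opt=no-new-privileges --userns=keep-id \
    -e HOME=/home/sandbox --tmpfs /home/sandbox --tmpfs /tmp \
    -v "$1:/out:Z" -w /out
}

# The build stage is the only step that gets network access (npm needs the registry).
build_image() {
  before=$(cutoff_date "$MIN_AGE_DAYS")
  dir=$(mktemp -d)
  cat >"$dir/Containerfile" <<EOF
FROM docker.io/library/node:22-alpine
# --before: 'latest' resolves to the newest version published on or before this
# date, for the package and for every dependency in its tree.
RUN npm install -g "$PKG" --before="$before" && npm cache clean --force
EOF
  podman build --pull -t "$IMAGE" "$dir"
  rm -rf "$dir"
}

main() {
  mkdir -p "$OUTDIR"
  podman image exists "$IMAGE" || build_image
  args=$(run_args "$OUTDIR")   # aborts (set -e) if the mount check refuses
  # $args is intentionally unquoted: run_args emits one flag per line.
  podman run $args "$IMAGE" "$@"
}

# Usage: ./sandbox-npm-cli.sh bw --version
[ $# -eq 0 ] || main "$@"
```

Two caveats a practitioner should keep in mind. `--network=none` means the tool cannot reach any server, so a step that must (a `bw login` or sync, for instance) needs a separate run that drops that one flag but keeps everything else, with a named volume (`-v sandbox-home:/home/sandbox`) in place of the home tmpfs if state has to survive between the two runs. And `--before` only trusts the registry's own publish timestamps and only buys time for a compromise to be noticed and reported; a week-old version is not thereby proven clean.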

[–] Lojcs@piefed.social 3 points 2 weeks ago

Me when I break into a bank to steal the employee wallets