Time to rotate a thousand passwords again
https://socket.dev/blog/bitwarden-cli-compromised
>tfw using a piece of paper
Unbothered.
Google Password Manager chads win again
package managers were a mistake
>>108668653 These supply chain attacks keep happening and make me wonder just how many random dependencies might be compromised. How are you supposed to realistically protect yourself?
details: https://research.jfrog.com/post/bitwarden-cli-hijack/
confirmation: https://github.com/bitwarden/clients/issues/20353#issuecomment-4304662160
>>108668653 Couldn't have happened to a better group of people. Anybody that uses Bitwarden deserves to have all their passwords and identity stolen.
>>108668653
>be me
>wanting to read more about this
>let me google another tech news site that would have this
>i have heard of hacker news before let's try there
>AI
>AI
>AI
>...
Every post, never been there before, what is this shit
>>108668653 I'd rather keep it simple with KeePassXC
imagine using this lol
>>108668674 Kek. Exactly. I write down all my passwords and put them in a secure location. I don't trust password apps at all.
>>108668653
>CI/CD IS GOOD
>YOU HAVE TO LET THIS AUTOMATED SYSTEM MANAGE YOUR BUILDS AND DEPLOYMENTS
>*gets hacked*
>>108668728 By using a language without a package manager.
>>108668801 It has nothing to do with package managers. Someone was able to abuse their CI/CD pipeline to upload malicious software. You'd be just as hacked without a package manager if you downloaded a compromised source tarball.
Rust is such a gay language. So glad it got exposed that it was funded by the government along with tranny ideology.
this stuff is going to get so bad over the next few months.
>>108668748 Couldn't be simpler
>>108668653 for me, it's KeePass
My policy of waiting at least one week before updating anything that doesn't have an RCE zero-day keeps paying off
>>108668728 Not using 1,000,000 random dependencies would be a good start.
>>108668740 why are you so salty about me self-hosting my password manager?
>>108668861
>for me, it's keepass
Truly based
>>108668894 because it's freemium SaaS garbage
https://community.bitwarden.com/t/bitwarden-statement-on-checkmarx-supply-chain-incident/96127
>The investigation found no evidence that end user vault data was accessed or at risk, or that production data or production systems were compromised.
>>108668905 it's AGPLv3 FOSS that you can host yourself
>>108668907
>company gets hacked
>claims nothing actually happened and data is safe *YOU ARE HERE*
>evidence starts coming out that something might have happened
>overwhelming evidence comes out that something happened
>internal communication leaks that company knew from day 1 that something happened but lied anyway
>>108668728 Package managers are for retards.
>>108668653 FUCKING
You just know all the fucking node devs will be like
>Hmm. What should we do? Pray for a miracle that just makes these go away, or not use 3000 dependencies per project?!
>Well, you can't prove a miracle won't happen!
>>108668920
>I can host a basic barebones version that serves as an ad to their premium service on my own machine.
Like I said, SaaS garbage.
>>108668907 LMAO Imagine trusting all your passwords with these absolute fucking clowns.
>>108668907 The only companies that I actually trust with such statements are Valve and Digital Extremes. Meaning, something did in fact happen at Bitwarden and all your shit is compromised.
>>108668907 Companies never lie about hacks
And by never I mean always
little notebook hidden by the bible wins again
>>108668748
>>108668850
Can be simpler. Use hardware/platform passkeys.
>>108668653 It's only the CLI, unfortunately. I wish it affected the GUI client as well, maybe then these retards would learn
>>108668957 YubiKey/TPM dies, now what?
Keepass works fine on my machine.
>>108668969 You believe that hackers had source code level access to the CLI tool but absolutely nothing else? Give me a break.
>>108668975 rape EVERYONE and leave
>>108668882
>just reinvent the wheel bro
>>108668653 I wonder how much AI had a hand in this.
>>108668941 it doesn't shove any of it in my face so why should I care? The enterprise stuff is useless for a solo server
>>108668999 Their GUI applications are not currently on the latest CLI package
>>108668957
>Use hardware/platform passkeys.
(((deprecated))) in favour of (((smartphone apps)))
>>108668728 I have an easy solution: vet all dependencies before use, and re-verify them before each updoot
too bad (((rust))) doesn't allow you to do this and it'll automatically compile the newest mossad spyware into your app
>>108668953
>Hacks always lie about their company
Tryhard cli users BTFO
>>108669199
>>108668941
Why do you "people" come on this site just to post lies
I'm low IQ and retarded, what is the CLI version? Via CMD? So if I used the regular Extension/Phone App nothing happens?
>>108669244 yeah, probably fine
>>108668653
>tfw i put all of my stuff in a spreadsheet document
>>108669244 Nah you're still fucked. Change all passwords.
>>108669244 You're really willing to take the risk? Just change your passwords you based retard.
post-it note bros... we just keep winning
>>108669313
>just change 783 passwords bro
>>108669350 Unironically, even in the event that someone robs your house, Jamal isn't going to know what to do with a password on a piece of paper, especially if you keep the user name separate.
>b-but the feds
They'll get your login info regardless. They probably already have it.
>>108668957
>just use something you can't backup
why?
>>108668947 honestly, I was suspicious of their software when I saw they use MSSQL.......for a fucking password manager app. why? oh right, because they're asp.net cucks. who uses this shit?
>>108669376 HEARD YOU TALKING SHIT
LIKE I WOULDN'T FIND OUT
>using a password manager
Can anyone explain to me why anyone uses a password manager other than they are lazy fucks?
>>108669393 because a shared secret is the only way to auth with multiple services, because public-private key cryptography is baked in a normie-repellent way, and every time they try improving on it they still fuck it up; see the latest attempt: passkeys.
>>108669363
>just let your 783 passwords be compromised
genius anon
>>108668728 By using a language such as picrel which ships a solid standard library that provides basically 99% of your needs out of the box. You can say whatever you want about Go, but unlike Rust (which requires you to download a dependency even for generating a random number or parsing a CLI argument), Go has everything you need available in the standard library.
I MUST UPDOOOOOT niggas rolling in their graves rn
But ye anyways kys if you use apps for password managers
>>108669403 vve mvst integrQted EVERYTHINQ TQGQTHQR
>>108668728 Stay about half a year behind latest and hope for the best. Most of these surface within days or weeks. Not sure how to easily track this though, especially since you do not want to sit on known vulnerabilities either that might get published for older deps.
>>108669428
> if you use apps
I don't have these problems with a KeePass encrypted vault stored on my personal cloud. Even in the remote possibility that someone manages to get into my cloud, all they get is an encrypted kdbx file.
>>108669411
>requires you to download a dependency even for generating a random number
std::hash::RandomState::new().hash_one(())
>parsing a CLI argument
what? the go one is shit anyway so you shouldn't use it, unless you like ambiguous shit like single dash args.
>>108669469
>std::hash::RandomState::new().hash_one(())
Last time I used Rust, ~2019, I had to import the rand crate.
>what? the go one is shit anyway so you shouldn't use it, unless you like ambiguous shit like single dash args
For simple stuff it works fine, unlike Rust where you're forced to use the over-engineered clap library.
>>108668728
>execute arbitrary code
>sometimes bad things happen
you fix the problem by making society less shit. any other answer is delusional and cope. maybe if software was built on a strong capabilities security model, we'd have a different story, but we can't even get retards to understand monads (insert le funny burrito meme here).
>>108668674 Am I still safe if I use a digital piece of paper (i.e. a local encrypted .txt file)? I don't want to type out my 128 character long passwords each time...
>>108669532 I've never used go's arg parser. it's really bad. most of the go stdlib is bad. they're still trying to figure out how to fix basic shit like encoding/json because the type system used by real world systems is incompatible with encoding/json.
>>108669549 picrel cute
>>108669559 Go's standard library is so bad that it lets you build a backend without pulling a single dependency. Yeah, definitely bad, Rust's is definitely better.
>>108669630 just because you can, doesn't mean you should.
>>108669559
>I've never used go's arg parser. it's really bad
what are you talking about, it's baby easy
>most of the go stdlib is bad
lol bait
tbf I won't even use an argparse library, stdlib or not, for my small stuff; I'll just manually string-parse it
>>108669411 The Go standard library is dogshit unless you're a gay web "developer" that only cares about having an HTTP server and JSON parsing. The lack of decent data structures is a joke.
>>108670020 Go's json parsing library is terrible.
>>108668728 The C graybeards already warned people about these things, follow their advice. Stop pulling random packages, you don't need is_even, and start auditing your dependencies. Unsupervised updates are how you get these things. If you can't do that then spread your ass and get fucked by the digital equivalent of Jamal.
>>108670020
>The lack of decent data structures is a joke.
You literally don't need anything more than arrays and hashmaps for 99% of software and you're coping if you say anything otherwise.
>>108670032
>The C graybeards already warned people about these--ACK
xz dipshit. C cuckoldry would not protect you from maliciously hijacked distribution.
>>108669411 https://kerkour.com/rust-supply-chain-nightmare
True, Rust needs a good standard library or an extension of it. Decentralized libraries are kind of aids though, I wouldn't want that
Apple Password Manager Chads win again
>>108668728 Switch to clay tablets and carrier pigeons as nature intended.
>>108670620 idk why people think proprietary companies and services aren't vulnerable to the same supply chain attacks as FOSS. it's even worse in some cases since you only have more insular teams who could or could not be malicious or have their machines botnetted.
>>108670620 Apple literally had to patch an exploit that allowed police to recover deleted iMessages yesterday.
KeepAssXC ftw
>>108668653 What about Vaultwarden
>>108669393 because securitycucks won't let me just use whatever password I actually want
>>108670567
>give the keys to some chink
>chink does chink things
That doesn't negate anything I've said. Some retards didn't audit what they pulled.
>>108669614
>sees random anime jpg
>immediately shift to thinking about CSAM
>urr a pedo!!
Anon, ...
>>108669261 when you csv yourself
>>108668728
>How are you supposed to realistically protect yourself?
>>108669549 No, you're actually even less safe, because when your device dies unrecoverably, or when you forget it on the train, or someone steals it from you, you lose access to everything.
>>108669614 No, and even I'm not.
> dozens of comments about package managers bad
> it's actually not a compromised dependency, it's a compromised CI/CD
>>108668801 Drew DeVault is a strange type. If you just described the projects he works on you'd think he's a chud.
>>108671430 do not slander microsoft product bloody benchod
>github actions again
why do people still rely on microslop software in any capacity?
>>108669614 It's funny how people will argue constantly that "actually it's heckin problematic if you like your bug eyed cartoon girls to look small and young" and then people post adult anime girls and still get called pedophiles. Take your meds
>>108668674
>passwords are saved in a little notebook i keep in my desk
>room is a fucking mess
>sometimes i misplace the notebook for a few hours at a time
>hundreds of unique passwords i CBA to remember
>have panic attacks every time
>
>
>
>still 100x better than trusting some software that can be compromised
>>108668653 lmao, KeePassXC shills getting uppity lately
your scamware is nothing compared to Bitwarden. be better
>>108671755 most developers are mindless golems who think git=github
>>108668653
>only affected if you downloaded the cli in this 5 hour window
anyway, all of this shit ends up being github actions in the end. what is github doing about this?
>>108668728 /g/ will hate this but the correct answer is to stop this arms race between hackers and security researchers. it's leading nowhere. instead they should focus on making the digital world a deanonymized high trust society, where doing anything online requires identity verification and checks, with harsh punishments for breaking the law.
everyone can break your door and break into your house. the door isn't a security measure. it's mostly a convention to tell people "hey, i don't want visitors right now". people rarely break into your house because either there are consequences to that or they are just less inclined to do that because they are decent human beings.
you shouldn't be allowed to make an HTTP request without your digital ID. there should also be regulations for who can use the internet from outside the borders. like digital border checks. to ensure the people allowed in aren't spies or foreign state actors.
>>108668728 First, don't auto update things. Make sure each update has had some time for things like this to shake out before you download it.
>>108671829 Not sure your point in posting that. His passwords are so secure there's no way to break into it. That's what you want.
>>108671892
>what is github doing about this?
They shouldn't do anything, should they? In the end it's the responsibility of the repo maintainers.
>>108672005 they should make it harder to fuck up your actions. actions are definitely a target now.
passwords.txt chads stay winning
>>108668674 He looks concerned, actually. With you it's hard to tell through those layers of fat.
>>108671755 Isn't this a problem from people having random dependencies in the CI pipeline? Not really GitHub's fault that some retard is running insecure code during CI runs.
>>108668728 Write your own shit in vanilla and stop producing libraryslop?
>>108668653 I think my passwords might still be in my old account from before I switched to KeePassXC. however, the only thing compromised was the NPM package so this is literally nothing.
https://community.bitwarden.com/t/bitwarden-statement-on-checkmarx-supply-chain-incident/96127
>>108669244 Yeah, I'm sure the CLI, phone, browser, and desktop apps have no logic in common.
>>108671829
>losing a piece of paper locks you out of your password manager
>>108668653
>Russian locale kill switch:
>Exits silently if system locale begins with "ru", checking Intl.DateTimeFormat().resolvedOptions().locale and environment variables LC_ALL, LC_MESSAGES, LANGUAGE, and LANG
you really can't make this shit up
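The kill-switch description quoted above names concrete, greppable indicators: a locale lookup through Intl.DateTimeFormat().resolvedOptions().locale, reads of LC_ALL, LC_MESSAGES, LANGUAGE and LANG, and a "ru" prefix test that ends in a silent exit. Below is an added example, not code from the thread, from Bitwarden, or from the JFrog/Socket write-ups, of a small triage scanner that looks for exactly those indicators plus install-time hooks in an unpacked npm package. The package contents, the file names and the name `example-cli` are constructed for the example; the regexes are heuristics, and a hit is a reason to open the file, not proof of compromise.

```javascript
'use strict';

// Heuristic indicators. A hit means "read this file", not "this is malware".
const PATTERNS = [
  { id: 'locale-env', severity: 2,
    why: 'reads locale environment variables (LC_ALL, LC_MESSAGES, LANGUAGE, LANG)',
    re: /process\.env\.(?:LC_ALL|LC_MESSAGES|LANGUAGE|LANG)\b/ },
  { id: 'intl-locale', severity: 1,
    why: 'queries the runtime locale via Intl.DateTimeFormat().resolvedOptions().locale',
    re: /Intl\.DateTimeFormat\(\)\.resolvedOptions\(\)\.locale/ },
  { id: 'ru-gate', severity: 2,
    why: 'compares a locale string against a "ru" prefix',
    re: /startsWith\(\s*['"]ru['"]\s*\)|\/\^ru\b/ },
  { id: 'child-process', severity: 2,
    why: 'spawns processes',
    re: /require\(\s*['"](?:node:)?child_process['"]\s*\)/ },
  { id: 'dynamic-code', severity: 3,
    why: 'evaluates dynamically built code',
    re: /\beval\s*\(|new\s+Function\s*\(/ },
  { id: 'base64-decode', severity: 1,
    why: 'decodes base64 blobs at runtime',
    re: /Buffer\.from\([^)]*['"]base64['"]\s*\)/ },
];
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

function scanSource(path, text) {
  const findings = [];
  for (const p of PATTERNS) {
    if (p.re.test(text)) findings.push({ path, id: p.id, severity: p.severity, why: p.why });
  }
  // A locale lookup combined with a "ru" gate is the specific kill-switch shape described above.
  const ids = new Set(findings.map(f => f.id));
  if ((ids.has('locale-env') || ids.has('intl-locale')) && ids.has('ru-gate')) {
    findings.push({ path, id: 'locale-kill-switch', severity: 4,
      why: 'locale lookup gated on "ru": payload is geofenced' });
  }
  return findings;
}

function scanPackageJson(path, text) {
  let pkg;
  try { pkg = JSON.parse(text); } catch (e) {
    return [{ path, id: 'bad-json', severity: 1, why: 'package.json does not parse' }];
  }
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    if (pkg.scripts && typeof pkg.scripts[hook] === 'string') {
      findings.push({ path, id: 'install-script', severity: 3,
        why: `runs "${hook}" during npm install: ${pkg.scripts[hook]}` });
    }
  }
  return findings;
}

// files: { relativePath: fileContents } for an unpacked package, e.g. extracted from
// the tarball before installing it, so nothing in it has executed yet.
function scanPackage(files) {
  let findings = [];
  for (const [path, text] of Object.entries(files)) {
    const f = path.endsWith('package.json') ? scanPackageJson(path, text) : scanSource(path, text);
    findings = findings.concat(f);
  }
  return { findings, score: findings.reduce((s, f) => s + f.severity, 0) };
}

// Constructed sample package (not the real malicious package): one locale-gated
// setup script wired to postinstall, plus a harmless colour helper.
const SAMPLE_PACKAGE = {
  'package.json': JSON.stringify({
    name: 'example-cli', version: '0.0.0',
    scripts: { postinstall: 'node ./build/setup.js' },
  }),
  'build/setup.js': [
    "const lang = process.env.LC_ALL || process.env.LC_MESSAGES || process.env.LANGUAGE || process.env.LANG || '';",
    'const intl = Intl.DateTimeFormat().resolvedOptions().locale;',
    "if (lang.startsWith('ru') || intl.startsWith('ru')) process.exit(0);",
    "const cp = require('child_process');",
    '// rest of the constructed sample omitted',
  ].join('\n'),
  'lib/colors.js': "module.exports = (s) => '\\x1b[32m' + s + '\\x1b[0m';",
};

const sampleResult = scanPackage(SAMPLE_PACKAGE);
for (const f of sampleResult.findings) console.log(`${f.path}: [${f.id}] ${f.why}`);
console.log(`score=${sampleResult.score}`);
```

To run this against a real package, download the tarball with `npm pack <name>@<version>`, extract it, read every file into the map, and scan before anything is installed; `npm install --ignore-scripts` is the other half of that discipline, since a postinstall hook runs with your user's privileges the moment the package lands.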
>>108668975 Use the backup and buy a new one to clone it
>>108672553 It probably was. Not even Russians give a fuck about Russians.
>>108668748 This. You can go full autism and airgap it by having a computer that has no online ability at all.
>>108672421 but this only affected the CLI.
>>108668925
>>108668947
>>108668950
>>108668953
>so schizophrenic and childish that you're incapable of reading this and not going IT'S FAKE THEY GOT HACKED BITWARDENFAGS BTFO LALALA
you can literally confirm everything he said is true btw, you won't, but you can
If you are using anything other than pen/paper in a safe you are retarded, simple as
>>108669244 unless you downloaded the CLI straight from npm in a specific 1:30 hour window you're fine, /g/ is terminally retarded and posts saying otherwise can be safely ignored
I'll be called a glowie or some shit for this though, don't worry
>>108668653 KeePassXC chads win again
>>108668674 Used to be like you, nowadays I don't even write it down, if I don't remember, fuck me, I'll remember it another day.
KIKE, imagine having to worry about this shit because your pass is not saved locally, one day you wouldn't even know you've been compromised. Another big W for KeePass.
>>108668653
>tfw selfhosted Vaultwarden
Who gives a shit?
>>108668728 I was compiling one (well known) browser a few days ago. it wanted to pull python packages. it can't compile without python packages. the browser needs python packages to compile, the browser needs python packages to carry out compilation and tests. year 2026.
>>108668728
>How are you supposed to realistically protect yourself?
Write your congress critter unironically.
The problem is NPM and webshitters declaring "Why write any utility function yourself, ever?" and then taking a reasonable idea (we can write some scaffolding code to make this easier and reuse it) and bastardizing that into frameworkslop and is_evenslop where the goal is to write as little as possible and spam library calls. Boost and openssl and ffmpeg are libraries of reasonable size and scope and upgrade infrequently. Most language packages these days are just shit thrown into github with no consistency or release management around them.
We C-chads lost the war on technical merits because webshit was more marketable so this will only be fixed if the SBOM compliance drones declare some stupid rule like "No more than 5 dependencies per deliverable." The same shit will still be written but the framework shitters will stop having 20 different imports with different release numbers so your frameworkslop can just be
>your shit code
>your company's shit code
>framework 1
>framework 2
>test dependency shit
and then you only have to audit a couple of libraries when you update.
>>108668748
>b-but muh phone sync
KeePassXC and Syncthing. If you really want to you can use Reichl's KeePass 2 instead of KeePassXC. KDBX is just a file to be opened with programs, you can copy it to a 3.5" floppy if you so desire.
>Tl;dr: This has only impacted those who have downloaded the phony Bitwarden CLI npm package during the short window that it was available. No vault data has been affected.
https://www.reddit.com/r/Bitwarden/comments/1stkc46/bitwarden_cli_has_been_compromised_check_your/ohu0ixw/
>>108668728 use a language that has a solid standard library and doesn't require you to import a million micro-packages.
Front-End: ClojureScript, Dart
Back-End: Clojure, Go
Scripting: Python, Ruby, Babashka
>>108675971 see >>108671430
Also,
> doesn't require you to import a million micro-packages.
> Clojure, Go, Python, Ruby
Even though they might not require it, it is absolutely the mainstream culture to import a million packages to do anything in those languages.
>>108675983 This. It's funny to see these dogshit languages always suggested. Real Go projects always have a million dependencies and they're objectively worse off in terms of security because 90% of the time they pull directly from random GitHub repos and never update because nobody bothers with proper versioning.
>>108668653 am i safe if i only use the web version of Bitwarden?
>>108668782 There is literally nothing wrong with CI/CD and literally every single best practices list out there says to pin your pipeline actions and dependencies to specific versions to prevent what happened here.
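The post above says to pin pipeline actions and dependencies to specific versions. "Specific version" for a GitHub Action means a full commit SHA, because tags and branches are mutable references that the action's owner (or whoever takes over the owner's account) can move. As an added example of that check, written for this page and not taken from the thread, from Bitwarden's repository or from GitHub, here is a small audit over a workflow file that reports every `uses:` step not pinned to a 40-hex SHA and every `run:` step that calls `npm install` instead of `npm ci`. The workflow text, the action names and the SHA in it are constructed placeholders.

```javascript
'use strict';

// A 40-hex commit SHA is the only immutable ref for an action; tags and branches can move.
const SHA_RE = /^[0-9a-f]{40}$/;
const USES_RE = /^\s*-?\s*uses:\s*["']?([^"'\s#]+)["']?/;

// Classify one `uses:` line. Returns null for lines that are not `uses:` steps.
function checkUses(line, lineNo) {
  const m = USES_RE.exec(line);
  if (!m) return null;
  const ref = m[1];
  if (ref.startsWith('./')) return { line: lineNo, ref, status: 'local' };
  if (ref.startsWith('docker://')) {
    return ref.includes('@sha256:')
      ? { line: lineNo, ref, status: 'pinned' }
      : { line: lineNo, ref, status: 'unpinned', why: 'image tag is mutable; pin by digest' };
  }
  const at = ref.lastIndexOf('@');
  if (at < 0) return { line: lineNo, ref, status: 'unpinned', why: 'no ref given at all' };
  const version = ref.slice(at + 1);
  if (SHA_RE.test(version)) return { line: lineNo, ref, status: 'pinned' };
  return { line: lineNo, ref, status: 'unpinned', why: `mutable ref "${version}" (tag or branch)` };
}

// Audit a workflow file's text. `npm install` resolves versions from the registry at run
// time; `npm ci` installs exactly what the committed lockfile says and fails on a mismatch.
function auditWorkflow(yamlText) {
  const report = { pinned: [], unpinned: [], other: [], notes: [] };
  yamlText.split('\n').forEach((line, i) => {
    const r = checkUses(line, i + 1);
    if (r) {
      if (r.status === 'pinned') report.pinned.push(r);
      else if (r.status === 'unpinned') report.unpinned.push(r);
      else report.other.push(r);
    }
    if (/\bnpm\s+install\b/.test(line)) {
      report.notes.push({ line: i + 1, why: 'npm install resolves versions at run time; use npm ci against a committed lockfile' });
    }
  });
  return report;
}

// Constructed workflow. The SHA is a placeholder with the right shape, not a real commit.
const SAMPLE_WORKFLOW = `
name: release
on:
  push:
    tags: ['v*']
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # placeholder SHA
        with:
          node-version: 20
      - uses: ./.github/actions/build
      - run: npm install
      - run: npm publish
`;

const sampleReport = auditWorkflow(SAMPLE_WORKFLOW);
for (const u of sampleReport.unpinned) console.log(`line ${u.line}: ${u.ref}: ${u.why}`);
for (const n of sampleReport.notes) console.log(`line ${n.line}: ${n.why}`);
console.log(`${sampleReport.pinned.length} pinned, ${sampleReport.unpinned.length} unpinned`);
```

A SHA pin stops a moved tag from changing what your pipeline runs, but it does not review the new commit for you when you bump the pin, so treat a pin update like any other dependency diff. The lockfile side of the same rule is `npm ci` plus a committed package-lock.json, which also gives you the `integrity` hashes to verify tarballs against.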
>>108676103 Web versions & Android/iOS versions are unaffected.
CLI is a command line version that has to be downloaded specifically, and on top of it you had to download it during a specific time to be affected. (only ~300 people downloaded the affected version)
>>108668653 max IQ to trust all of your passwords to a password manager?
>>108668674 Digicucks btfo
>>108668653 I have never understood the use case of password managers, just seems like adding another attack surface and maintenance burden. The absolute best way for security is to move to a nice neighborhood and simply have a notepad in your room where you write down unique passwords for each website/app you sign up for and use passwords like Horse*Cartridge#492306, very easy to look up your password if needed, and practically unbreakable unless in person, and in that case you'd have bigger issues than passwords. And you could remember the main passwords you use for your gmail or whatever email service and your desktop computer or mobile phone so you can always just recover the other accounts if you lose the paper.
Or you can just be a normalfag and use the built-in Chrome password manager and realistically never be hacked because hackers targeting home users don't exist anymore, only scammers do who attack through exploiting stupidity and you sending them stuff rather than taking over your passwords.
>>108668653 Thank God I used KeePassXC
>>108671829 I used 123 as my KeePassXC password. Feels good.
>>108668747 Wikipedia relies on articles and 90% of modern articles are generated. It's all slop now I fear
>>108669382
>Keepass db
>can't backup
Are you retarded?
Why would a command line password manager ever be used?
https://community.bitwarden.com/t/bitwarden-statement-on-checkmarx-supply-chain-incident/96127
>>108676565 Because Reddit, literally, it exists because people on Reddit wanted it.
>>108668728 The only way you can defend yourself is with a HIPS firewall like COMODO firewall which will detect keyboard/mouse hooks, process injection, apps trying to create powershell/vb/scripts and trying to execute other scripts, or stuff trying to edit your registry, but sadly, Linux doesn't have any apps with this capability. On Windows, you can stop malware before it even gets a chance to do damage on an alert by alert basis.
>>108676551 Keepass isn't a hardware key, dipshit.
>>108669393 you need to go back
>check installed client version
>2026.3.1
not my problem I guess
>>108668653 I'm severely struggling to understand why developers would use this over KeePassXC. From my understanding, KeePassXC has been the de facto for reliability, and then Bitwarden came out of nowhere with questionable funding.
>>108669393 Some sites require 12 keys and I can't be assed.
hunter2!@#$
>>108668653 I just don't update my password manager.
>>108671389
>No, you're actually even less safe, because when your device dies unrecoverably, or when you forget it on the train, or someone steals it from you, you lose access to everything.
Just take backups.
>>108669393 haveibeenpwned had like 32 breaches for my email. I used the same password for everything. I lost a few dozen accounts once somebody bothered to test them.
>>108668653 Here is your ultra secure password manager bro
>>108677344 that's why real men use the Bitwarden GUI ;)
>>108677607 https://github.com/bitwarden/clients/blob/main/apps/desktop/package.json
I wonder how it happened that the CLI has dozens of random dependencies while desktop is actually carefully avoiding having any dependencies at all. Did they allocate a separate team of retards to do the CLI?
I JUST SWITCHED TO THIS.
>>108668907 why would a console tool need npm packages?
>>108678286 their client seems unaffected, it's really only their CLI
>>108678073 Most of the desktop app seems to be written in Rust and it has quite a few dependencies. The dependencies seem to be limited to large popular projects that seem more reasonable than the shit JS developers import.
we should start downdooting since it's always updooting which gets you fucked
>>108671945
>First, don't auto update things.
Uh but all the devs and security experts™ always told me to update to the newest version as soon as possible? Was it a lie?!?!?!?!?!?!?
>>108679401 That's been the funniest bullshit people have recommended. I get that they did it because people had stuff with the latest security update being performed 4 years ago, but still.
>>108679401
>>108679458
Let's settle on auto-updating things but with a two-week lag.
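Several posts above converge on the same policy: keep updating, but never take a version that is only hours or days old, since a hijacked release tends to be noticed and pulled within that window. The objection raised earlier is that sitting behind also means sitting on published fixes. Below is an added example, written for this page and not code from the thread or from any registry client, of that "minimum release age" policy applied to an npm packument (the registry's per-package JSON, whose `time` field maps each version to its publish timestamp). The packument contents and the name `example-cli` are constructed; the `allow` set is the escape hatch for a version you have explicitly reviewed, such as an advisory fix.

```javascript
'use strict';

const DAY_MS = 24 * 60 * 60 * 1000;

// Constructed packument fragment for a hypothetical package. The public registry's
// packument has the same `dist-tags` and `time` (version -> publish timestamp) shape.
const PACKUMENT = {
  name: 'example-cli',
  'dist-tags': { latest: '2026.3.3' },
  time: {
    created: '2025-01-10T00:00:00.000Z',
    modified: '2026-03-20T09:05:00.000Z',
    '2026.2.0': '2026-02-01T12:00:00.000Z',
    '2026.3.0': '2026-03-01T12:00:00.000Z',
    '2026.3.1': '2026-03-10T12:00:00.000Z',
    '2026.3.2-beta.1': '2026-03-18T12:00:00.000Z',
    '2026.3.2': '2026-03-19T23:00:00.000Z',
    '2026.3.3': '2026-03-20T09:05:00.000Z',
  },
};

// Minimal semver parse: major.minor.patch plus an optional prerelease suffix.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-(.+))?$/.exec(v);
  return m ? { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null } : null;
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] - pb.nums[i];
  return 0;
}

function releaseAgeDays(packument, version, nowMs) {
  return (nowMs - Date.parse(packument.time[version])) / DAY_MS;
}

// Pick the newest stable version that has been public for at least cooldownDays.
// Versions in `allow` are accepted regardless of age (reviewed security fixes).
function selectVersion(packument, { cooldownDays, nowMs, allow = new Set() }) {
  const stable = Object.keys(packument.time)
    .filter(v => { const p = parseVersion(v); return p && !p.pre; })
    .sort(compareVersions);
  const eligible = [], skipped = [];
  for (const v of stable) {
    const age = releaseAgeDays(packument, v, nowMs);
    const entry = { version: v, ageDays: Math.round(age * 10) / 10 };
    (age >= cooldownDays || allow.has(v) ? eligible : skipped).push(entry);
  }
  return {
    latest: packument['dist-tags'].latest,
    selected: eligible.length ? eligible[eligible.length - 1].version : null,
    skipped,
  };
}

// Constructed "now": the day after the newest release was published.
const NOW_MS = Date.parse('2026-03-21T00:00:00Z');
console.log(selectVersion(PACKUMENT, { cooldownDays: 7, nowMs: NOW_MS }));
```

With a seven-day cooldown the picker takes 2026.3.1 and reports 2026.3.2 and 2026.3.3 as too fresh, even though `latest` points at 2026.3.3. npm itself can express a cruder form of this directly: `npm install --before=<date>` only considers versions published before that date, which you can set to today minus your cooldown.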
>>108668674 Carve your important passwords into a stainless steel plate using a tungsten scriber. That's what I've done. Stainless steel is just about sufficient to survive house fire temperatures.
>>108677344
>color-helper
>css-color-helper
Why does a "CLI" need terminal color support and why does Node have three different packages for fucking termcap? For that matter, if it's a CLI anyway why not just assume the terminal is an xterm and spew garbage if they have some weird green glass from 1985 hooked up.