TechPulseTechPulse
Back to News
Advertisement
Advertisement

⚡ Community Insights

Discussion Sentiment

54% Positive

Analyzed from 3577 words in the discussion.

Trending Topics

#cli#bitwarden#password#https#keepass#com#github#manager#don#npm

Discussion (159 Comments)Read Original on HackerNews

8cvor6j844qw_d617 minutes ago
Narrower blast radius than the 2022 LastPass breach, at least the vaults weren't touched.
eranationabout 1 hour ago
Anyone know of a better way to protect yourself than setting a min release age on npm/pnpm/yarn/bun/uv (and anything else that supports it)?

Setting min-release-age=7 in .npmrc (needs npm 11.10+) would have protected the 334 unlucky people who downloaded the malicious @bitwarden/cli 2026.4.0, published ~19+ hours ago (see https://www.npmjs.com/package/@bitwarden/cli?activeTab=versi... and select "show deprecated versions").

Same story for the malicious axios (@1.14.1 and @0.30.4, removed within ~3h), ua-parser-js (hours), and node-ipc (days). Wouldn't have helped with event-stream (sat for 2+ months), but you can't win them all.

Some examples (hat tip to https://news.ycombinator.com/item?id=47513932):

  ~/.npmrc
  min-release-age=7 # days

  ~/Library/Preferences/pnpm/rc
  minimum-release-age=10080 # minutes

  ~/.bunfig.toml
  [install]
  minimumReleaseAge = 604800 # seconds

  # not related to npm, but while at it...
  ~/.config/uv/uv.toml
  exclude-newer = "7 days"
p.s. shameless plug: I was looking for a simple tool that will check your settings / apply a fix, and was surprised I couldn't find one, I released something (open source, free, MIT yada yada) since sometimes one click fix convenience increases the chances people will actually use it. Link in bio if anyone is interested.

EDIT: looks like someone else had a similar drive to make cooldowns cool again, worth bookmarking as well: https://news.ycombinator.com/item?id=47878147

ruudaabout 2 hours ago
https://github.com/doy/rbw is a Rust alternative to the Bitwarden CLI. Although the Rust ecosystem is moving in NPM's direction (very large and very deep dependency trees), you still need to trust far fewer authors in your dependency tree than what is common for Javascript.
pregnenoloneabout 2 hours ago
Well.. https://github.com/doy/rbw/blob/main/Cargo.toml#L16

You're still pulling a lot of dependencies. At least they're pinned though.

mayamaabout 2 hours ago
That's just direct dependencies. Including all the dependency tree is 785k LOC according to lib.rs. Most rust libraries include tons of others.

https://lib.rs/crates/rbw

embedding-shapeabout 1 hour ago
326 packages right now when doing a build. Seems large in general, but for a Rust project, not abnormal.

Takes what, maybe 15 seconds to compile on a high-core machine from scratch? Isn't the end of the world.

Worse is the scope to have to review all those things, if you'd like to use it for your main passwords, that'd be my biggest worry. Luckily most are well established already as far as I can tell.

xvedejasabout 1 hour ago
Does this take into account feature flags when summing LOC? It's common practice in Rust to really only use a subset of a dependency, controlled by compile-time flags.
ramon156about 2 hours ago
This + vaultwarden is an awesome self-hostable rust version of bitwarden. We might as well close the loop!
1024kbabout 2 hours ago
I had a really bad experience with the bitwarden cli. I believe it was `bw list` that I ran, assuming it would list the names of all my passwords, but too my surprise, it listed everything, including passwords and current totp codes. That's not the worst of it though. For some reason, when I ssh'ed into one of my servers and opened tmux, where I keep a weechat irc client running, I noticed that the entire content of the bw command was accessible from within the weechat text input field history. I have no idea how this happened, but it was quite terrifying. The issue persisted across tmux and weechat sessions, and only a reboot of the server would solve the problem.

I promptly removed the bw cli programme after that, and I definitely won't be installing it again.

I use ghostty if it matters.

stvnbnabout 2 hours ago
I love how the first comment is a complain having nothing to do with the actual subjec
epistasisabout 2 hours ago
Password managers are all about trust, the main link is about a compromise, so it's not surprising that the first comment is also about trust too, even if it's not directly about this particular compromise.

I found the default bwcli clunky and unacceptable, and it's why I don't use it, even though I still have a BitWarden subscription.

cobolcomesbackabout 2 hours ago
Not to mention utter nonsense. There’s no possible way that BW CLI somehow injected command history into a remote server. That was 100% something the GP did, a bug in their terminal, or a config they have with ssh/tmux, not Bitwarden.
reactordevabout 2 hours ago
that's our future... with AI. Engineers that don't know the difference between client-side convenience and server-side injection, how to configure `php.ini`, or that no synchronized password manager is safe. While the OAuth scope is `*`, and CORS is what you drink on the weekend.
trinsic2about 2 hours ago
Wow. Thats crazy. Is there an extension for bwcli in weechat? BTW I didnt even know BW had a cli until now. I use keepass locally.
harshrealityabout 1 hour ago
It's crazy because it's not default bw behavior, or even any bw behavior... I don't use the cli, but I don't see any built-in capacity to copy bw output to the clipboard. (In the UNIX way, you'd normally pipe it to a clipboard utility if you wanted it copied, and then the security consequences are on you.)

They probably caused it themselves, somehow, and then blamed bitwarden. Note in the original comment they aren't even entirely sure what the command was, and they weren't familiar with it or they wouldn't have been surprised by its output... so how can they be sure what else they did between that command and the weechat thing?

If the terminal or tmux fed terminal history into weechat, that's also not bw's problem.

1024kbabout 2 hours ago
I don't know, I use a vanilla weechat setup
nicceabout 2 hours ago
I thought that CLI would be efficent when I looked for using it and then I figured it is JavaScript
rvzabout 2 hours ago
Exactly. That is the problem.

There is a time and place for where it makes sense and a password manager CLI written in TypeScript importing hundreds of third-party packages is a direct red flag. It is a frequent occurrence.

We have seen it happen with Axios which is one of the biggest supply chain attacks on the Javascript / Typescript ecosystem and it makes no sense to build sensitive tools with that.

flosslyabout 2 hours ago
Never used the CLI, but I do use their browser plugin. Would be quite a mess if that got compromised. What can I do to prevent it? Run old --tried and tested-- versions?

Quite bizarre to think much much of my well-being depends on those secrets staying secret.

zerktenabout 2 hours ago
Integration points increase the risk of compromise. For that reason, I never use the desktop browser extensions for my password manager. When password managers were starting to become popular there was one that had security issues with the browser integration so I decided to just avoid those entirely. On iOS, I'm more comfortable with the integration so I use it, but I'm wary of it.
brightballabout 2 hours ago
The problem is that the UX with a browser extension is so much better.
tracker1about 2 hours ago
I also find it far easier to resist accidentally entering credentials in a phishing site... I'm pretty good about checking, but it's something I tend to point out to family and friends to triple check if it doesn't auto suggest the right site.
ufmaceabout 2 hours ago
Importantly IMO is the extra phishing protection that the UX is really nice if and only if the url matches what's expected. If you end up on a fake url somehow, it's a nice speed bump that it doesn't let you auto-fill to make you think, hold on, something is wrong here.

If you're used to the clunkier workflow of copy-pasting from a separate app, then it's much easier to absent-mindedly repeat it for a not-quite-right url.

QuantumNomad_about 2 hours ago
The 1Password mobile and desktop apps have such a nice UX that I’m happy copy pasting from and into it instead of having any of the browser extensions enabled.

I have 1Password configured to require password to unlock once per 24 hours. Rest of the time I have it running in the background or unlock it with TouchID (on the MacBook Pro) or FaceID (on the iPhone).

It also helps that I don’t really sign into a ton of services all the time. Mostly I log into HN, and GitHub, and a couple of others. A lot of my usage of 1Password is also centered around other kinds of passwords, like passwords that I use to protect some SSH keys, and passwords for the disk encryption of external hard drives, etc.

lern_too_spelabout 1 hour ago
Also, you want to avoid exposing your passwords through the clipboard as much as possible.
uyzstvqsabout 2 hours ago
We need cooldowns everywhere, by default. Development package managers, OS package managers, browser extensions. Even auto-updates in standalone apps should implement it. Give companies like Socket time to detect malicious updates. They're good at it, but it's pointless if everyone keeps downloading packages just minutes after they're published.
eranationabout 1 hour ago
Exactly this. For anyone who wants to do it for various package managers:

  ~/.npmrc: 
  min-release-age=7 (npm 11.10+)

  ~/Library/Preferences/pnpm/rc: 
  minimum-release-age=10080 (minutes)

  ~/.bunfig.toml 
  [install]: 
  minimumReleaseAge = 604800 (seconds)
This would have protected the 334 people who downloaded @bitwarden/cli 2026.4.0 ~19h ago (according to https://www.npmjs.com/package/@bitwarden/cli?activeTab=versi...). Same for axios last month (removed in ~3h). Doesn't help with event-stream-style long-dormant attacks but those are rarer.

(plug: released a small CLI to auto-configure these — https://depsguard.com — I tried to find something that will help non developers quickly apply recommended settings, and couldn't find one)

m4r71nabout 1 hour ago
https://cooldowns.dev/#javascript-ecosystem ;-)
srigiabout 1 hour ago
That is why we have discussions like these: https://x.com/i/status/2039099810943304073
sphabout 2 hours ago
> What can I do to prevent it?

My two most precious digital possessions - my email and my Bitwarden account - are protected by a Yubikey that's always on my person (and another in another geographical location). I highly recommend such a setup, and it's not that much effort (I just keep my Yubikey with my house keys)

I got a bit scared reading the title, but I'm doing all I can to be reasonably secure without devolving into paranoia.

ThePowerOfFuetabout 1 hour ago
If the software gets poisoned then your YubiKey will not save you.
hgoelabout 1 hour ago
I think they mean to secure your most valuable accounts with a hardware token rather than in a normal password manager, so they aren't at risk if your password manager has an issue.
streb-loabout 2 hours ago
Use the desktop or web vault directly, don't use the browser plugin.
ffsm8about 2 hours ago
You should use hunter2 as your password on all services.

That password cannot be cracked because it will always display as ** for anyone else.

My password is *****. See? It shows as asterisks so it's totally safe to share. Try it!

... Scnr •́ ‿ , •̀

wing-_-nutsabout 1 hour ago
ah, the old bash.org.
darkwaterabout 2 hours ago
> Russian locale kill switch: Exits silently if system locale begins with "ru", checking Intl.DateTimeFormat().resolvedOptions().locale and environment variables LC_ALL, LC_MESSAGES, LANGUAGE, and LANG

So bold and so cowards at the same time...

NewsaHackOabout 2 hours ago
The worst thing is that you can't even tell if that's "real" or just a false flag.
embedding-shapeabout 2 hours ago
Does it matter? Lots of groups do such checks at startup at this point, because every news outlet who reports on it suddenly believe the group to be Russian if you do, so it's a no brainer to add today to misdirect even a little.
NewsaHackOabout 2 hours ago
My point is that it could still be Russia, as they know that we know it is used as a false flag.
bell-cotabout 2 hours ago
"Discretion is the better part of valor", "Never point it at your own feet", "Russian roulette is best enjoyed as a spectator", and many other sayings seem applicable.
testfrequencyabout 2 hours ago
Smells like blackmail from another nation..
iririririrabout 2 hours ago
ah yes, because everyone sets locale on their npm publish github CI job.

obvious misdirection, but it does serve to make it very obvious it was a state actor.

embedding-shapeabout 2 hours ago
> but it does serve to make it very obvious it was a state actor

Lol no, lots of groups do this, non-state ones too.

hypeateiabout 2 hours ago
That isn't a smoking gun. I think it was the Vault7 leaks which showed that the NSA and CIA deliberately leave trails like this to obfuscate which nation state did it. I'm sure other state actors do this as well, and it's not a particularly "crazy" technique.
mobeigiabout 2 hours ago
KeePass users continue to live the stress free live.

I've managed to avoid several security breaches in last 5 years alone by using KeePass locally on my own infra.

gbalduzzi43 minutes ago
I don't understand how this solves the issue in this case.

Bitwarden vaults were not compromised, there was a problem in a tool you used to access the secrets.

What makes it impossible for KeePass access tools to have these issues?

1024kbabout 2 hours ago
I need my passwords to be accessible from my infrastructure and my phone. How do you achieve this with KeePass? I assumed it was not possible, but in fairness, I haven't really gone down that rabbit hole to investigate.
worbleabout 2 hours ago
Keepass is just a single file, you can share it between devices however you want (google drive, onedrive, dropbox, nextcloud, syncthing, rsync, ftp, etc); as long as you can read and write to it, it just works. There are keepass clients for just about everything (keepassxc for desktops, keepass2android or keepassdx for android, keepassium for iphone).
aborsyabout 1 hour ago
How is the quality of browser extensions compared to Bitwarden?
yolo_420about 2 hours ago
Not op but I mean you can use a public cloud with Cryptomator on top if you don’t trust your password DB on a non E2E cloud. Or you can just use your own cloud (but then no access outside or can risk and open up infra), and then any of the well known clients on your phone. Can optionally sandbox them if possible and then just be mindful of sync conflicts with the DB file but I assume you, like most people, will 99.9% of the time be reading the DB not writing to it.
pipersweabout 2 hours ago
Syncthing can synchronize Keepass files between devices quite well.
jasonjayrabout 2 hours ago
I rely on this too, but counting down the days android no longer lets syncthing touch another app's files :(
alcazarabout 2 hours ago
What happens if you add a new item on two devices simultaneously?
xienzeabout 1 hour ago
I use self-hosted Bitwarden (Vaultwarden) for this. It runs on my local network, and I have it installed on my phone etc. When I’m on my local network, everything works fine. When I’m not on my local network, the phone still has the credentials from the last time it was synced (i.e., last time it was used while the phone was on the home network). It’s a pretty painless way to keep things in sync without ever allowing Bitwarden to be accessible outside my home network.
thepillabout 2 hours ago
For me it is nextcloud + wireguard
walrus01about 2 hours ago
In short, when I make a major password or credential change I do it from my laptop, consider that file on disk to be the "master" copy, and then manually sync the file on a periodic basis to my phone. I treat the file on the phone as read-only. Works fine so far.

To date there have been zero instances when I needed to significantly change a password/service/login/credential solely from my phone and I was unable to access my laptop.

Additionally the file gets synchronized to a workstation that sits in my home office accessible by personal VPN, where it can be accessed in a shell session with the keepass CLI: https://tracker.debian.org/pkg/kpcli

You can use an extremely wide variety of your own choice of secure methods for how to get the file from the primary workstation (desktop/laptop) to your phone.

Matlabout 2 hours ago
I mean there are ways i.e. if you run something like tailscale and can always access your private network etc. but it is a hassle.

Plus, now you're responsible for everything. Backups, auditing etc.

afavourabout 2 hours ago
Which is great for Hacker News users that can maintain their own infra. But if we're talking "stress free", that's not an answer for the average user...
kelvinjps10about 2 hours ago
what "infra"? keepass works locally, and just opens a database file. it works the same as any other password manager.
NoMoreNicksLeftabout 2 hours ago
The average user is reusing their password everywhere, and rotation means changing the numeral 6 at the end of the password to 7.
NegativeKabout 2 hours ago
We should be encouraging those users to switch to a password manager.
pregnenoloneabout 2 hours ago
> KeePass users continue to live the stress free live.

https://cyberpress.org/hackers-exploit-keepass-password-mana...

pertiqueabout 2 hours ago
This article is borderline malicious in how it skirts the facts.

This wasn't a case where KeePass was compromised in any way, as far as I can tell. This appears to be a basic case of a threat actor distributing a trojanized version via malicious ads. If users made sure they are getting the correct version, they were never in danger. That's not to say that a supply chain attack couldn't affect KeePass, but this article doesn't say that it has.

dspillettabout 2 hours ago
That looks like you'd have to download and run a hacked installer that was never avaliable from an official location. That is a much lower risk than a supply-chain attack where anyone building birwarden-cli from the official repo would be infected via the compromised dependency.

Long term keepass users aren't going to be affected. If you mention software to others make sure you send them a link to a known safe download location instead of having them search for one (as new users searching like that are more at risk of stumbling on a malicious copy of the official site hosting a hacked version).

derkadesabout 2 hours ago
This AI generated article is not about vulnerabilities in KeePass, rather about malicious KeePass clones.
jaxefayoabout 1 hour ago
I think most people use keepassxc, not original keepass.
baby_souffleabout 2 hours ago
Happy 1password user for more than a decade.

It's only a matter of time until _they_ are also popped :(.

hypeateiabout 2 hours ago
That's an AI slop article. I'm not sure how someone creating their own installer and buying a few domains to distribute it is a mark against KeePass itself.

> The beacon established command and control over HTTPS

Perz1valabout 1 hour ago
Ok, single file, blah, blah. Realistically how do you sync that and how do you resolve conflicts? What happens if two devices add a password while offline, then go online?
kelvinjps10about 2 hours ago
the only thing I can't find to do with keepass is how back up it in the cloud, like if you encrypt your back up, then where do you save that password, then where do you save the password for the cloud provider?.
hootzabout 2 hours ago
You save the single password in your head. All other passwords go inside Keepass.
qux_ca37 minutes ago
FYI, Raycast users, the bitwarden-cli version used with the bundled bitwarden extension is 2026-03-01, not the compromised one (2026-04-01).

https://github.com/raycast/extensions/blob/6765a533f40ad20cc...

wooptooabout 2 hours ago
This is precisely why I don't use BW CLI. Use pass or gopass for all your CLI tokens and sync them via a private git repo.

Keep the password manager as a separate desktop app and turn off auto update.

isattyabout 2 hours ago
Writing a cli with JavaScript? No thank you.
zieabout 2 hours ago
It's typescript and pretty sure all of the Official Bitwarden clients are written in it.

I wrote a version in Python and then rust back before the official CLI was released. Now you can use https://github.com/doy/rbw instead, much better maintained (since I don't use Bitwarden anymore).

hgoelabout 2 hours ago
Does the CLI auto-update?

Edit: The CLI itself apparently does not, which will have limited the damage a bit, but if it's installed as a snap, it might. Incidents like this should hopefully cause a rollback of this dumb system of forcefully and frequently updating people's software without explicit consent.

Also the time range provided in https://community.bitwarden.com/t/bitwarden-statement-on-che... can help with knowing if you were at risk. I only used the CLI once in the morning yesterday (ET), so I might not have been affected?

zieabout 2 hours ago
I think you had to have installed the CLI during that time-frame, then ran the brand new installed CLI to be vulnerable.

Assuming you had it already installed, you would be safe.

Advertisement
hrimfaxiabout 2 hours ago
> The affected package version appears to be @bitwarden/cli2026.4.0, and the malicious code was published in bw1.js, a file included in the package contents. The attack appears to have leveraged a compromised GitHub Action in Bitwarden’s CI/CD pipeline, consistent with the pattern seen across other affected repositories in this campaign.
post-itabout 2 hours ago
I've dramatically decreased my reliance on third-party packages and tools in my workflow. I switched from Bitwarden to Apple Passwords a few months ago, despite its worse feature set (though the impetus was Bitwarden crashing on login on my new iPad).

I've also been preferring to roll things on my own in my side projects rather than pulling a package. I'll still use big, standalone libraries, but no more third-party shims over an API, I'll just vibe code the shim myself. If I'm going to be using vibe code either way, better it be mine than someone else's.

pixel_poppingabout 2 hours ago
Why not stick to simple/heavily vetted password managers (like keepassx)? is there some advanced feature you use?
Vvectorabout 1 hour ago
Seamless syncing is the primary reason I stick with BW
xmorseabout 1 hour ago
I am working on a project you can self host on Cloudflare with one command, to store secrets and passwords there. It has a cli similar to doppler

https://github.com/remorses/sigillo

0xbadcafebeeabout 1 hour ago
This will continue to happen more and more, until legislation is passed to require a software building code.
ripped_britchesabout 1 hour ago
I have been meaning to move off of Bitwarden. In the past, open source meant more secure. Still could be the case for super important projects, but that is just no longer reality. I’m considering just vibe coding my own, vibe pentesting it, and keeping it private.
raphinou43 minutes ago
From my understanding the checkmarx attack could have been prevented by the asfaload project I'm working on. See https://github.com/asfaload/asfaload

It is:

- open source

- accountless(keys are identity)

- using a public git backend making it easily auditable

- easy to self host, meaning you can easily deploy it internally

- multisig, meaning event if GitHub account is breached, malevolent artifacts can be detected

- validating a download transparantly to the user, which only requires the download url, contrary to sigstore

Scene_Cast2about 2 hours ago
I recently had to disable their Chrome extension because it made the browser grind to a halt (spammed mojo IPC messages to the main thread according to a profiler). I wasn't the only one affected, going by the recent extension reviews. I wonder if it's related.
bstsbabout 2 hours ago
> CLI builds were affected [...]

> Bitwarden’s Chrome extension, MCP server, and other legitimate distributions have not been affected yet.

ozgrakkurtabout 2 hours ago
Their website is also incredibly bad. I am not paying for it so it might be better for paying users.

It is mind boggling how an app that just lists a bunch of items can be so bloated.

sega_saiabout 2 hours ago
So how likely is that these compromises will start affecting the non-cli and non-open-source tools ? For example other password managers (in the form of GUI's or browser extensions).
tracker1about 2 hours ago
I was literally thinking about installing the cli a few days ago to ease the use in a few places. Now I'm glad I didn't.
Advertisement
DiffTheEnderabout 2 hours ago
I wonder if 1Password CLI is a top priority for hackers similarly.
hurricanepootisabout 2 hours ago
This doesn't affect the web extension, no?
citizen4902about 2 hours ago
Bitwarden statement - https://community.bitwarden.com/t/bitwarden-statement-on-che...
masfuerteabout 2 hours ago
> Checkmarx is an information security company specializing in software application security testing and risk management for software supply chains.

The irony! The security "solution" is so often the weak link.

woodruffwabout 2 hours ago
The adage that security companies are often worse at software security than the median non-security company continues to hold water.
esafakabout 2 hours ago
Last month it was trivy: https://github.com/aquasecurity/trivy/security/advisories/GH...
nothinkjustaiabout 2 hours ago
Remember how the White House published that document on memory safe languages? I think it’s time they go one step further and ban new development in JavaScript. Horrible language horrible ecosystem and horrible vulns.
hootzabout 1 hour ago
Supply chain attacks aren't exclusive to JS just like malware isn't exclusive to Windows, it's just that JS/Windows is more popular and widespread. Kill JS and you will get supply chain attacks on the next most popular language with package managers. Kill Windows and you will get a flood of Linux/MacOS malware.
fnoefabout 2 hours ago
I mean, what's the future now? Everyone just vibecoding their own private tools that no "foreign government" has access to? It honestly feels like everything is slowly starting to collapse.

Also didn't Microsoft (the owner of GitHub) got access to Claude Mythos in order to "seCuRe cRitiCal SoftWaRe InfRasTructUre FoR teh AI eRa"? Hows securing GitHub Action going for them?

sigmonsaysabout 3 hours ago
If I run the compromised CLI, do they get all my passwords?
bhoustonabout 2 hours ago
Exactly, that could widen the blast radius of this particular compromise significantly.
kbolinoabout 2 hours ago
No, at least according to Bitwarden themselves: https://community.bitwarden.com/t/bitwarden-statement-on-che...
NeckBeardPrinceabout 2 hours ago
Read the article
valicordabout 2 hours ago
Where does it answer this question in the article?
rtaylorgarlockabout 2 hours ago
kinda crazy to see this comment required in this particular context, yet here we are
hgoelabout 2 hours ago
It's an understandable question, the article reads like an AI generated mess.
ErneXabout 2 hours ago
The article explains what is extracted.
jeroenhdabout 2 hours ago
The article waffles on forever and gives some generic advice.

Meanwhile, Bitwarden themselves state that end users were almost never affected: https://community.bitwarden.com/t/bitwarden-statement-on-che...

You had to install the CLI through NPM at a very short time frame for it to be affected. If you did get infected, you have to assume all secrets on your computer were accessed and that any executable file you had write access to may be backdoored.

valicordabout 2 hours ago
No it doesn't?
ErneXabout 2 hours ago
Yes it does, under technical analysis. I don’t want to paste it here when it’s laid out in the article…
fraywingabout 2 hours ago
Can we please get a break?

Praying to the security gods.

It seems like we've have non-stop supply chain attacks for months now?

dgellowabout 2 hours ago
Expect to continue for years to come
ripped_britchesabout 1 hour ago
This is the break right now, we will smile back on these times
nozzlegearabout 3 hours ago
Another day, another supply chain attack involving GitHub Actions.
adityamwaghabout 2 hours ago
GitHub was down too! Its uptime has been so bad recently.
righthandabout 2 hours ago
It’s the new Npm
palataabout 2 hours ago
Don't GitHub Actions actually use npm?
rvzabout 2 hours ago
Once again, it is in the NPM ecosystem. OneCLI [0] does not save you either. Happens less with languages that have better standard libraries such as Go.

If you see any package that has hundreds of libraries, that increases the risk of a supply chain attack.

A password manager does not need a CLI tool.

[0] https://news.ycombinator.com/item?id=47585838

internetterabout 2 hours ago
> A password manager does not need a CLI tool.

A password manager absolutely does need a CLI tool??

hgoelabout 2 hours ago
I guess anyone/anything using a non-graphical interface should just not use a password manager for some reason?

Not to mention that a graphical application is just as vulnerable to supply chain attacks.

hrimfaxiabout 2 hours ago
> A password manager does not need a CLI tool.

Why not? Even macos keychain supports cli.

gear54rusabout 2 hours ago
The above comment is just a bunch of generalizations not meant to address seriously that's why.
rvzabout 2 hours ago
So the comparison here is that you would rather trust a password manager with a CLI that imports hundreds of third-party dependencies over a first party password manager with a CLI that comes with the OS?

I don't think macOS Keychain uses NPM and it isn't in TypeScript or Javascript and, yes it does not need a CLI either.

The NPM and Java/Typescript ecosystem is part of the problem that encourages developers to import hundreds of third-party libraries, due to its weak standard library which it takes at least ONE transitive dependency to be compromised and it is game over.

trinsic2about 2 hours ago
Yeah Im going to have to agree with this
imiricabout 2 hours ago
> A password manager does not need a CLI tool.

That's a wild statement. The CLI is just another UI.

The problem in this case is JS and the NPM ecosystem. Go would be an improvement, but complexity is the enemy of security. Something like (pass)age is my preference for storing sensitive data.

Advertisement