The Bitwarden security team identified and contained a malicious package that was briefly distributed through the npm delivery path for @bitwarden/cli@2026.4.0 between 5:57 PM and 7:30 PM (ET) on April 22, 2026, in connection with a broader Checkmarx supply chain incident. The investigation found no evidence that end user vault data was accessed or at risk, or that production data or production systems were compromised. Once the issue was detected, compromised access was revoked, the malicious ...
I know this is a joke but im old enough we used to install the os and had it on the network and eventually update it but then it got to the point were like being connected to the internet for like a minute and the machines were compromised. Thats when we got off our duffs and started making custom installs that had updates and configurations and software pre installed before we even connected it to the net.
Unfortunately I have to use node for home project (Jellyfin tizen)
I was wondering: would it be possible to run node in a sandbox to lower the scope of the attack? (i.e. not compromise my home computer)
Or is maybe a full VM a better solution?
Don’t. Use. Npm.
That applies to pip and crate and all the other shitty lang package managers that totally fail at security
so many workplaces I have been at used npm.
Honestly just fine use computers at all, completely eliminate the remote attack vector. And only drink rain water since city water can be compromised.
Or, recognize this is a normal part of using software and have more than 1 thing between you and a breach
The rules of cybersecurity:
Under no circumstances should you own a computer.
If you absolutely must own a computer, under no circumstances should you connect it to the internet.
If you absolutely must connect it to the internet, it’s too late and they already have you
I know this is a joke but im old enough we used to install the os and had it on the network and eventually update it but then it got to the point were like being connected to the internet for like a minute and the machines were compromised. Thats when we got off our duffs and started making custom installs that had updates and configurations and software pre installed before we even connected it to the net.
Dude, rain water is full of pollutants too. 😂
Apt works great
it’s much more convenient when you use something like btrfs-snapshots
what about cargo?
Same problem.
use https://mozilla.github.io/cargo-vet/
What should be used instead?
A package manager that uses cryptographic signatures. Apt had this since 2005 iirc. Use apt.
Easy, just vendor all your dependencies! Can’t have a supply chain attack if you are the supply chain.
Unfortunately I have to use node for home project (Jellyfin tizen)
I was wondering: would it be possible to run node in a sandbox to lower the scope of the attack? (i.e. not compromise my home computer) Or is maybe a full VM a better solution?
Jellyfin is available in apt
Full VM and network isolation. and dont put anything important there (nor a reused password for auth)
Technically you can use node without npm.
Wouldn’t verion pinning solve this problem?