• hersh@literature.cafe · ↑ 11 · 16 hours ago

    I don’t think you’ll find another major repo with so many real-world incidents though. Whether this is because of a systemic problem or just because it’s targeted more frequently, I’m not sure.

    • tempest@lemmy.ca · ↑ 6 ↓ 5 · 16 hours ago

      As much as some people deride it, JavaScript is one of the most used languages on the planet.

      This is basically the same as people thinking Windows is less secure because it’s more often targeted.

      JavaScript does have a bit of a problem with dependencies, but it isn’t much different than other languages with built-in package managers like Rust. It’s just a bigger, juicier target.

      • aesthelete@lemmy.world · ↑ 12 ↓ 1 · edited · 10 hours ago

        But Windows is less secure. Two things can be true at once. They are in the original topic too.

        The Java ecosystem is massive and decades old, and I don’t hear one iota of the shit about Maven Central that I hear about npm.

        I guarantee that npm is full up with vibe coded bullshit at this point as well.

        I’m not sure what it even takes to upload a package to npm. Not even a pulse. I honestly never looked into it because the whole ecosystem is so rancid.

        EDIT: Look at how many shits in this are optional (and note the overall quality of the article as well): https://dev.to/aneshodza/publishing-your-first-npm-library-51k2. The ecosystem sucks.