The Bitwarden security team identified and contained a malicious package that was briefly distributed through the npm delivery path for @bitwarden/cli@2026.4.0 between 5:57 PM and 7:30 PM (ET) on April 22, 2026, in connection with a broader Checkmarx supply chain incident. The investigation found no evidence that end user vault data was accessed or at risk, or that production data or production systems were compromised. Once the issue was detected, compromised access was revoked, the malicious ...
Lots of people recommend Bitwarden, but I am more at peace with an offline password manager that I control, like KeePass. You can also go the GNU route and use “pass” on Linux too.
Or use a physical key like a YubiKey to log in.
No. Offline password managers are also susceptible to supply chain risk.
So is everything else. But KeePass has been a highly reputable password manager for close to 20 years now.
I don’t think it uses npm though, that’s got to count for something
Only if YubiKey worked for more than a handful of sites/services. I have one for my Bitwarden, as the majority of places want to send a text or use TOTP.
Also they only half work on Linux, I guess? Something about not being able to create something.
I’ve been trialing Vaultwarden for a while, and while I do like the server sync setup and clean web access, the Bitwarden browser plugin is just okay despite being an “enterprise” solution. It misses probably about 20% of websites when creating a new account, forcing you to grab the password from the generator history and make a new entry manually.
KeePassXC is much better in that regard, and it’s almost as good as the default credential handler of Firefox, and it lets you set up a bunch of custom stuff to extend the functionality if you want. Plus it has some neat KDBX options aside from AES-256.
Only downside is syncing, which I’m debating how I’ll deal with; I want something better than Syncthing on Android (the protocol is great, but Android makes it a PITA to have a background process if it’s not Google spyware).
This makes me so fucking angry. How can a password manager be so bad at storing passwords? It’s like its only job. It even is generating the password for you! Aaaaaaaaaaaaaah!
TIL about the generator history.
Not super helpful, because every time you open it, it generates a new one, so how do you know which one is the one it generated?
I use Enpass since 1Password became shit. It’s alright.