Bitwarden's CLI npm package was compromised in a supply chain attack linked to Checkmarx. Malicious code was found in one published version of the npm package, but there is no indication that any user data was accessed. Other Bitwarden products remain unaffected.
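As an added example (not code from the post, from Bitwarden, or from any of the commenters): a small Python script that reads an npm package-lock.json, reports which version of a named package is pinned so it can be compared against the vendor's advisory, and flags dependencies that are not pinned to a registry tarball with a sha512 integrity hash. The lockfile contents, the placeholder version "0.0.0", the package "some-helper" and the hosts are all constructed for the example and describe no real release.

```python
import json
from urllib.parse import urlparse

# Constructed sample lockfile (npm lockfileVersion 3 layout). The entries, the
# placeholder version "0.0.0" and the hosts are made up for this example and do
# not describe any real release.
SAMPLE_LOCK = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {
            "name": "example-app",
            "dependencies": {"@bitwarden/cli": "0.0.0", "some-helper": "1.0.0"},
        },
        "node_modules/@bitwarden/cli": {
            "version": "0.0.0",
            "resolved": "https://registry.npmjs.org/@bitwarden/cli/-/cli-0.0.0.tgz",
            "integrity": "sha512-" + "A" * 86 + "==",
        },
        "node_modules/some-helper": {
            "version": "1.0.0",
            # Tarball served from outside the registry and no integrity hash:
            # both are things a lockfile audit should flag.
            "resolved": "https://mirror.example.invalid/some-helper-1.0.0.tgz",
        },
    },
})

ALLOWED_HOSTS = ("registry.npmjs.org",)


def load_lock(text):
    """Parse a package-lock.json body; only lockfileVersion 2 and 3 are handled."""
    lock = json.loads(text)
    if lock.get("lockfileVersion") not in (2, 3):
        raise ValueError("unsupported lockfileVersion; regenerate with a current npm")
    return lock


def installed_version(lock, name):
    """Return the pinned version of a top-level dependency, or None if absent."""
    entry = lock["packages"].get("node_modules/" + name)
    return entry.get("version") if entry else None


def audit_lock(lock, allowed_hosts=ALLOWED_HOSTS):
    """Return findings for entries not pinned to an allowed-registry tarball
    carrying a sha512 integrity hash."""
    findings = []
    for path, entry in lock["packages"].items():
        if path == "":  # the root project itself, not a dependency
            continue
        name = path.rsplit("node_modules/", 1)[-1]
        resolved = entry.get("resolved")
        if not resolved:
            findings.append(f"{name}: no 'resolved' URL (not pinned to a tarball)")
        else:
            host = urlparse(resolved).hostname
            if host not in allowed_hosts:
                findings.append(f"{name}: resolved from unexpected host {host}")
        if not entry.get("integrity", "").startswith("sha512-"):
            findings.append(f"{name}: missing or weak 'integrity' hash")
    return findings


if __name__ == "__main__":
    lock = load_lock(SAMPLE_LOCK)
    print("@bitwarden/cli pinned at:", installed_version(lock, "@bitwarden/cli"))
    for finding in audit_lock(lock):
        print("FINDING:", finding)
```

Run it against a real project by replacing SAMPLE_LOCK with the contents of that project's package-lock.json. One caveat worth stating: a pinned version with a valid integrity hash only proves you installed the exact tarball the registry served. It does not tell you whether that tarball was a malicious release published through a compromised maintainer pipeline, which is the case here; for that, the pinned version has to be checked against the vendor's advisory.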
That doesn’t make you safe from supply chain attacks generally. There’s no reason a supply chain attack couldn’t be applied to software repos you do use if a vulnerability exists within them and a bad actor is sufficiently motivated to exploit it.
But here it would arguably be harder. You'd need to get into the repos first, and it requires the user to log in to the password vault. Syncthing is easier to compromise, but good luck decrypting the vault.
Oh definitely. Not saying it’s impossible