The Bitwarden security team identified and contained a malicious package that was briefly distributed through the npm delivery path for @bitwarden/
[email protected] between 5:57 PM and 7:30 PM (ET) on April 22, 2026, in connection with a broader Checkmarx supply chain incident. Was I affected? If you use the Bitwarden command line interface and deploy using NPM, and downloaded the CLI between 5:57p ET and 7:30p ET on April 22, 2026, you may be affected. See remediation steps below. If you do not u...
What about using pip just to download basic common libraries for offline use?
Don’t do it.
Because they could be changed or have something sneak in the library?
Yeah, without signature checking anything that you download could change to anything else.
That’s a remote code execution vuln.