GitHub-linked developer infrastructure is facing a widening trust crisis as supply-chain attacks and ecosystem abuse accelerate. Multiple incidents hit npm—outages that disrupt dependency workflows, credential-theft-driven malicious publishes (including an axios-related RAT), and a compromised Bitwarden CLI package—highlighting how postinstall scripts, loose semver, and transitive dependencies amplify blast radius. Beyond npm, attackers redirected CPUID downloads (CPU‑Z/HWMonitor), while Trivy releases and Docker images showed signs of tampering across GitHub Actions and container pipelines. Meanwhile, “Glassworm” used invisible Unicode obfuscation to seed backdoors across GitHub repos, npm, and VS Code extensions, underscoring gaps in vetting and review.
Supply-chain attacks targeting GitHub, npm, and related developer infrastructure undermine dependency trust and can silently distribute malware through CI/CD and package ecosystems. Tech professionals must reassess dependency vetting, CI hygiene, and incident detection to prevent widespread compromise.
Dossier last updated: 2026-05-10 05:16:56
Submitted by /u/Sensiduct. Link: https://andrii.ro/blog/investigating-malware | Comments: https://www.reddit.com/r/programming/comments/1ta7ulb/be_careful_with_your_git_investigating_malware/
A widespread software supply-chain compromise began when a maintainer’s credentials were stolen via a phishing site and used to publish a malicious npm package. That package exfiltrated various developer credentials, enabling attackers to backdoor a transitive Rust compression library (vulpine-lz4). The tainted Rust crate, vendored into the popular Python build tool snekpack, caused a malware-laden snekpack release that reached roughly four million developers, installing SSH backdoors and remote shells. The chain exposed gaps in package registry security, maintainer account protection, dependency hygiene, and incident response; it was only accidentally neutralized by an unrelated cryptocurrency-mining worm. Key players include the left-justify npm package, vulpine-lz4 Rust crate, and snekpack Python build tool.
JDownloader's official website was breached and used for over a day to serve malicious Windows and Linux installers after attackers exploited an unpatched website vulnerability that allowed altering Access Control Lists. The development team confirmed the breach, took the site offline, and said the main JDownloader.jar, macOS installers, and repository packages (Winget, Flatpak, Snap) were unaffected because they use separate infrastructure and signed updates. Attackers replaced alternative Windows installer links with unsigned executables (showing a bogus publisher) and swapped the Linux shell installer with malware; some victims reported Windows Defender being disabled. The incident is a supply-chain-style compromise echoing a recent CPUID website breach. Users should avoid downloads from the site until it’s fully remediated.
JDownloader’s official website was compromised and for over a day served malicious Windows and Linux installers after attackers exploited an unpatched access-control bug to alter download links. The JDownloader team confirmed the breach, took the site offline for investigation, and said the main JDownloader.jar, macOS installers, and packages from Winget, Flatpak and Snap were not affected because they use separate infrastructure and signed updates. Attackers replaced alternative Windows installers with unsigned executables and swapped the Linux shell installer with malware; some victims reported Windows Defender being disabled. The incident is a supply-chain-style attack echoing a recent CPUID website breach that similarly delivered malware via tampered downloads.
Security researchers warn of a new Linux-targeting malware that specifically targets developers by infecting development tools and software packages; it can propagate by tampering with packages used by millions. The report — cited by a TecMundo article and shared on Reddit — details how the virus focuses on developer environments and package ecosystems, increasing risk of supply-chain contamination. This matters because compromised build tools or package repositories can silently distribute malware to downstream projects and large user bases, amplifying impact across open-source and commercial software. Devs, sysadmins and platform providers should audit dependencies, verify package integrity, and monitor CI/CD pipelines to mitigate supply-chain threats.
GitHub reported an incident affecting GitHub Actions, disrupting CI/CD workflows for developers. The status page notified users about the outage and offered subscription options for email and SMS updates while the team investigated. The incident matters because GitHub Actions is central to many software delivery pipelines; prolonged or recurring outages can delay deployments, break automated testing, and erode developer trust. GitHub’s incident communications emphasize transparency and customer notifications, but frequent service interruptions highlight operational risks for projects and organizations that rely heavily on hosted developer tooling.
Submitted by /u/rkhunter_. Link: https://securelist.com/tr/daemon-tools-backdoor/119654/ | Comments: https://www.reddit.com/r/programming/comments/1t4aiw5/popular_daemon_tools_software_infected_supply/
Frizbee is a CLI and library that generates and inserts checksums for GitHub Actions and container image tags to ensure content integrity. Available as a Go install, via Homebrew and winget, and as a GitHub Action (frizbee-action), it can replace `uses` references in workflows and image tags in other files, either across whole files or for a single reference, supports dry runs, and can fail CI when any reference would need replacing. The library exposes replacers and parsing functions for workflows and container manifests, enabling programmatic listing, parsing, and in-place replacement of action and image references. It matters because embedding immutable digests improves supply-chain security and reproducibility for CI/CD and container deployments.
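An added example, not Frizbee's own code, of the two checks the tool automates for workflows: flag `uses:` references that are not pinned to a full commit SHA, and rewrite them from a tag-to-commit map while keeping the old tag as a comment. The workflow text and the digests in `RESOLVED` are constructed placeholders (Frizbee resolves real commits from the GitHub API).

```python
import re

# Constructed sample workflow: one step on a mutable tag, one on a branch,
# one already pinned to a full (placeholder) commit SHA, one local action.
SAMPLE_WORKFLOW = f"""\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@main
      - uses: actions/cache@{'a' * 40} # v4.0.2
      - uses: ./.github/actions/local-step
"""

# Hypothetical tag/branch -> commit mapping; the digests are constructed so the
# example runs offline. A real resolver must query the action's repository.
RESOLVED = {
    "actions/checkout@v4": "0" * 40,
    "actions/setup-node@main": "1" * 40,
}

USES_RE = re.compile(r"^(\s*-\s*uses:\s*)([^\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def classify(ref: str) -> str:
    """Return 'local', 'docker', 'sha' or 'mutable' for a uses: reference."""
    if ref.startswith("./"):
        return "local"
    if ref.startswith("docker://"):
        return "docker"
    _, _, version = ref.partition("@")
    return "sha" if SHA_RE.match(version) else "mutable"

def find_mutable(workflow: str) -> list[tuple[int, str]]:
    """List (line number, reference) pairs not pinned to a commit SHA."""
    out = []
    for n, line in enumerate(workflow.splitlines(), 1):
        m = USES_RE.match(line)
        if m and classify(m.group(2)) == "mutable":
            out.append((n, m.group(2)))
    return out

def pin(workflow: str, resolved: dict[str, str]) -> tuple[str, int]:
    """Rewrite known refs to owner/repo@<sha> # <old ref>; return text and count."""
    lines, replaced = [], 0
    for line in workflow.splitlines():
        m = USES_RE.match(line)
        if m and m.group(2) in resolved:
            repo, _, version = m.group(2).partition("@")
            line = f"{m.group(1)}{repo}@{resolved[m.group(2)]} # {version}"
            replaced += 1
        lines.append(line)
    return "\n".join(lines) + "\n", replaced
```

A CI gate in the spirit of Frizbee's fail-on-replace mode is simply `find_mutable(text) != []`; references whose tag is unknown to the resolver stay untouched and keep being reported.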
Package Manager CWEs
The author, after years self-hosting Bitwarden (and originally using Vaultwarden on OpenBSD), recommends moving away from Bitwarden due to rising complexity, heavy resource requirements, and investor-driven product shifts. Bitwarden is a freemium, open-source password manager backed by $100M in growth equity; its official server is a C#/.NET stack bundled with MSSQL Express that many admins find unwieldy, leading to broad interest in Vaultwarden, a lightweight unofficial Rust server compatible with Bitwarden clients. Bitwarden’s response—hiring Vaultwarden’s lead and releasing a “unified lite” .NET variant—still consumes far more RAM than Vaultwarden. The author also flags concerns about murkier open-source practices and new dependencies introduced in late 2024, implying increased centralization and potential vendor priorities over user needs.
A long-time Bitwarden user says they no longer recommend the password manager after nearly four years of self-hosting. The author previously ran Vaultwarden, an unofficial Rust backend compatible with Bitwarden clients, on hardened OpenBSD and argues Bitwarden’s official self-hosted server is “enterprise software hell”: a heavyweight C#/.NET stack bundled with MSSQL Express and limited database flexibility, often pushing admins toward Kubernetes. They note Bitwarden, Inc. took $100 million in PSG growth equity in 2022 (with Battery Ventures) and suggest investor pressure can shift priorities. Instead of adopting Vaultwarden, Bitwarden reportedly hired its lead developer and released “Bitwarden unified lite,” still .NET-based and said to use over three times Vaultwarden’s RAM. The author also flags late-2024 concerns about a new client dependency, @bitwarden/sdk-internal, making open-source status murkier.
A long-time Bitwarden user says they no longer recommend the password manager after nearly four years of self-hosting. The author previously ran Vaultwarden (an unofficial Bitwarden-compatible Rust server) on hardened OpenBSD, but argues Bitwarden’s official self-hosted stack is “enterprise software hell”: a heavyweight C#/.NET backend bundled with MSSQL Express and lacking support for common Linux databases like PostgreSQL or MariaDB, often pushing admins toward Kubernetes. They note Bitwarden, Inc. took $100 million in PSG growth equity in 2022 (with Battery Ventures), raising concerns about investor-driven product direction. Instead of adopting Vaultwarden, Bitwarden reportedly hired its lead developer and released “Bitwarden unified lite,” still .NET-based and said to use over 3x Vaultwarden’s RAM. The author also flags late-2024 concerns about a new client dependency, @bitwarden/sdk-internal, making open-source status murkier.
npm's website and status page went down, leaving developers unable to access package information, subscribe to incident alerts, or receive updates. The outage affects the npm registry portal and its notification workflows (email/SMS/OTP), potentially disrupting package installs, dependency resolution, and CI/CD pipelines that rely on npm for JavaScript ecosystem tooling. npm (owned by GitHub/Microsoft) is a central registry used across web and cloud development; outages can cascade into developer productivity slowdowns and blocked releases. No details on root cause or recovery ETA were provided in the content, so teams should monitor official npm status channels and rely on cached packages, mirrors, or private registries as mitigation.
The author explains how Bitwarden and Vaultwarden encrypt secrets stored in their SQLite databases, and provides working Python code to decrypt items similarly to official clients. Prompted by interest in self-hosting to reduce Big Tech dependence and a recent supply-chain compromise of the Bitwarden CLI, the piece walks through the encryption scheme used by Bitwarden/Vaultwarden, how clients perform decryption, and practical steps for building custom tooling to query and recover useful data from a database backup. This matters for users self-hosting password managers, security-conscious operators, and developers who want independent clients or forensic access to encrypted vaults.
Npm Slop & Wonky Software Supply Chains
Submitted by /u/simonramstedt. Link: https://simonramstedt.com/blog/2026-04-09-npm-slop-and-wonky-software-supply-chains/ | Comments: https://www.reddit.com/r/programming/comments/1svk4ij/npm_slop_wonky_software_supply_chains/
Bitwarden CLI NPM package has been compromised
Submitted by /u/BlondieCoder. Link: https://socket.dev/blog/bitwarden-cli-compromised | Comments: https://www.reddit.com/r/programming/comments/1sums6q/bitwarden_cli_compromised_in_ongoing_checkmarx/
Trivy Supply Chain Attack Expands to Compromised Docker Images
Newly published Trivy Docker images (0.69.4, 0.69.5, and 0.69.6) were found to contain infostealer IOCs and were pushed to Docker Hub without corresponding GitHub releases.
By Philipp Burckhardt - Mar 22, 2026
Security researchers warn that Glassworm — a threat actor using invisible Unicode characters to hide payloads in source code — has launched a new, large-scale campaign in March 2026. The technique embeds private-use-area (PUA) Unicode in seemingly empty strings; a lightweight decoder reconstructs bytes at runtime and passes them to eval(), enabling second-stage fetch-and-execute behavior that previously used Solana as a delivery channel to steal tokens and secrets. At least 151 GitHub repositories matched the decoder pattern (many already deleted), and the actor has also pushed malicious packages to npm and a VS Code extension, including named packages and repos from Wasmer, Reworm, and OpenCode-related projects. This multi-ecosystem supply-chain push underscores persistent gaps in code review, package vetting, and developer tooling that leave ecosystems vulnerable to stealthy obfuscated attacks.
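An added example, not from the research cited above, of the defensive side of this story: a scanner that reports source lines carrying private-use-area (Unicode category `Co`) or zero-width code points, the pattern behind a "seemingly empty" string that actually holds a payload. The sample JavaScript and its hidden bytes are constructed here; the threshold of 8 hidden code points per line is an assumed tuning value.

```python
import unicodedata

# Zero-width code points that also render as nothing in most editors.
ZERO_WIDTH = {0x200B, 0x200C, 0x200D, 0x2060, 0xFEFF}

def is_invisible(ch: str) -> bool:
    # "Co" = private use; covers U+E000..U+F8FF and both supplementary PUA planes.
    return unicodedata.category(ch) == "Co" or ord(ch) in ZERO_WIDTH

def scan_source(text: str, threshold: int = 8) -> list[dict]:
    """Report every line with invisible code points; a run at or above
    `threshold` in one line is flagged as suspicious (assumed tuning value)."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        hidden = [ord(c) for c in line if is_invisible(c)]
        if hidden:
            findings.append({
                "line": n,
                "count": len(hidden),
                "first": f"U+{hidden[0]:04X}",
                "suspicious": len(hidden) >= threshold,
                # What a reviewer sees in the editor: the string looks empty.
                "visible": "".join(c for c in line if not is_invisible(c)).strip(),
            })
    return findings

def is_clean(text: str) -> bool:
    """True when no line crosses the suspicious threshold."""
    return not any(f["suspicious"] for f in scan_source(text))

# Constructed sample: 18 private-use code points inside an "empty" literal.
# The bytes are a harmless label, not a real payload.
HIDDEN = "".join(chr(0xE000 + b) for b in b"not-a-real-payload")
SAMPLE_JS = "const cfg = {};\n" f"const s = \"{HIDDEN}\";\n" "console.log(cfg);\n"
```

Running `scan_source` over a repository's text files before merge surfaces the hidden run with its line number, which is what a diff viewer that swallows PUA glyphs will not show.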