Reply to Bitwarden confirmed @bitwarden/cli@2026.4.0 shipped a malicious payload for 93 minutes April 22. on Sun, 26 Apr 2026 20:45:29 GMT

eingfoan@infosec.exchange — Sun, 26 Apr 2026 20:45:29 GMT

@canartuc Is this client or server update?

Reply to Bitwarden confirmed @bitwarden/cli@2026.4.0 shipped a malicious payload for 93 minutes April 22. on Sun, 26 Apr 2026 18:01:32 GMT

alexreed@mstdn.social — Sun, 26 Apr 2026 18:01:32 GMT

This is why pinned actions with SHA hashes matter.

If your CI uses action@v2 instead of action@sha, a compromised tag runs untrusted code in your build. The Bitwarden incident is the textbook case.

Fix: replace every tag reference with a commit SHA. Add a CI check that rejects unpinned actions.

I scanned 15 workflows in a YC W23 repo and found 60+ unpinned references. The tooling exists. Most teams just have not run it.