Bitwarden confirmed @bitwarden/cli@2026.4.0 shipped a malicious payload for 93 minutes April 22. Vector: Checkmarx's ast-github-action inside Bitwarden's build pipeline. The build carried "Shai-Hulud: The Third Coming" and stole GitHub tokens, npm tokens, SSH keys, .env files, cloud credentials. Anyone running npm install in that window had every credential compromised. Supply-chain attacks shop upstream of you, not at you.
canartuc@mastodon.social
-
Linus Torvalds merged a 138,161-line removal into Linux 7.1 on April 24. Out went AX.25 amateur radio, ISDN, ATM, plus Andrew Lunn's 18 legacy Ethernet drivers. Cause: AI-generated bug reports against code with no users, no maintainers. Lunn's series merged in three days; mailing-list timeline is usually six weeks. AI bug reports are a maintenance burden. The kernel paid by deleting. Every project on volunteer triage faces this arithmetic.
-
Andrew Lunn, a Linux networking maintainer, posted a patch series April 21. Target: 18 legacy Ethernet drivers (3Com, AMD PCnet, SMSC, Cirrus, Fujitsu, Xircom, 8390). Scope: 27,600 lines of 25-to-35-year-old hardware. The code works. The hardware boots. The reason is AI fuzzer and bug-reporter traffic maintainers triage for free. Counter-offer: community maintainer-of-record. AI bug-report noise is the first maintenance cost kernel maintainers name in public.