Bitwarden A.I CyberSecurity Scoring (Rankiteo)

Company Information
Website: https://bitwarden.com/
Employees: 240
Followers: 35,664
NAICS: 5112
Industry Type: Software Development
Homepage: bitwarden.com

Bitwarden Risk Score (AI oriented)
Updated: 23/04/2026
Score: 728/1000 (band 700 to 749), rating Ba, Moderate

Bitwarden Global Score (TPRM)
Score locked

Current Score: 728, Ba (Moderate), on a 0 to 1000 scale
4 incidents, -30.33 average score impact per incident
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026: 666
MAY 2026: 728
Breach | 02 May 2026 | Bitwarden
Trellix: Trellix Confirms Source Code Breach With Unauthorized Repository Access
Trellix Source Code Repository Breach
Score: 663 | Severity: LOW-65 | Incident ID: TRE1777710220
Trellix Confirms Source Code Repository Breach, Investigates Unauthorized Access
Cybersecurity firm Trellix disclosed a security breach involving unauthorized access to a portion of its source code repositories. The company detected the compromise "recently" and has since engaged leading forensic experts to investigate the incident, while also notifying law enforcement.
Trellix stated that its investigation has found no evidence that the accessed source code was exploited or that its release and distribution processes were impacted. However, the company did not specify the exact data accessed, the duration of the breach, or the threat actors responsible. Additional details will be shared as the investigation progresses.
Formed in January 2022 through the merger of McAfee Enterprise and FireEye, Trellix is owned by Symphony Technology Group. The breach follows Google's $5.4 billion acquisition of Mandiant, formerly part of FireEye, around the same time. The incident remains under active investigation.
APRIL 2026: 749
Cyber Attack | 22 Apr 2026 | Bitwarden
Bitwarden: Bitwarden CLI npm package compromised to steal developer credentials
Bitwarden CLI Compromised in Supply Chain Attack Targeting npm
Score: 728 | Severity: CRITICAL-21 | Incident ID: BIT1776975830
On April 22, 2026, attackers briefly compromised the Bitwarden CLI by uploading a malicious version of the `@bitwarden/cli` npm package (version 2026.4.0). The package, available between 5:57 PM and 7:30 PM ET, contained a credential-stealing payload designed to spread to other projects.
Bitwarden confirmed the incident, stating the breach was limited to its npm distribution channel and did not affect end-user vault data, production systems, or the legitimate CLI codebase. The company revoked compromised access, deprecated the malicious release, and initiated remediation.
### Attack Details
Security firms Socket, JFrog, and OX Security reported that the threat actors likely exploited a compromised GitHub Action in Bitwarden's CI/CD pipeline to inject malicious code. The package included a preinstall script and a custom loader (`bw_setup.js`) that checked for the Bun runtime, downloading it if absent, before executing an obfuscated JavaScript file (`bw1.js`).
The malware targeted:
- npm and GitHub authentication tokens
- SSH keys
- Cloud credentials (AWS, Azure, Google Cloud)
Stolen data was encrypted with AES-256-GCM and exfiltrated via public GitHub repositories under victims' accounts, marked with the string "Shai-Hulud: The Third Coming", a reference to prior npm supply chain attacks. The malware also had self-propagating capabilities, using stolen credentials to inject malicious code into other packages.
### Connections to Other Attacks
The attack shares infrastructure and malware overlaps with a recent Checkmarx supply chain breach, including:
- The same telemetry endpoint (`audit.checkmarx[.]cx/v1/telemetry`)
- Identical obfuscation routines (`__decodeScrambled` with seed `0x3039`)
- Similar credential theft and GitHub-based exfiltration tactics
Both campaigns have been attributed to TeamPCP, a threat actor previously linked to attacks on Trivy and LiteLLM.
Bitwarden’s investigation found no evidence of broader compromise, but developers who installed the affected version were advised to rotate exposed credentials, particularly those tied to CI/CD pipelines and cloud environments.
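The write-up above describes the two things a consumer of the package could have checked before `npm install` ran anything: whether the manifest declares an install-time lifecycle hook, and whether the resolved version is one that has since been deprecated. The script below is an added example (not Bitwarden's code, nor Socket's or JFrog's detection logic) that audits a `package.json` for both. The manifests and the deny list are constructed for illustration; the package name, the version `2026.4.0` and the `bw_setup.js` file name are taken from the incident description, while `@example/clean-package` is hypothetical.

```python
"""Audit an npm package.json for install-time hooks and deny-listed versions.

Added example, not code from the page or from any vendor named on it.
"""
import json
import re

# Lifecycle hooks that npm executes automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Constructed deny list: package name -> versions known to be malicious.
# The only entry is the deprecated release named in the incident write-up.
DENY_LIST = {"@bitwarden/cli": {"2026.4.0"}}

# Command patterns inside an install hook that warrant manual review:
# running a bundled script, fetching from the network, or invoking an
# alternative runtime (the incident loader fetched Bun on the fly).
SUSPICIOUS = [
    (r"\bnode\s+\S+\.js\b", "runs a bundled JS file at install time"),
    (r"\b(curl|wget)\b", "downloads content during install"),
    (r"\bbun\b", "invokes the Bun runtime during install"),
]


def audit_package(manifest: dict) -> list:
    """Return a list of human-readable findings for one parsed package.json."""
    findings = []
    name = manifest.get("name", "?")
    version = manifest.get("version", "?")

    if version in DENY_LIST.get(name, set()):
        findings.append(f"{name}@{version} is on the deny list")

    scripts = manifest.get("scripts", {})
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if cmd is None:
            continue
        # Any install hook is worth knowing about; most packages need none.
        findings.append(f"{name}@{version} defines install hook '{hook}': {cmd}")
        for pattern, why in SUSPICIOUS:
            if re.search(pattern, cmd):
                findings.append(f"  hook '{hook}' {why}")
    return findings


def audit_package_json(text: str) -> list:
    """Parse raw package.json text and audit it."""
    return audit_package(json.loads(text))


# Constructed manifest modelled on the incident description (not the real file).
SAMPLE_MALICIOUS = json.dumps({
    "name": "@bitwarden/cli",
    "version": "2026.4.0",
    "scripts": {"preinstall": "node bw_setup.js"},
})

# Constructed manifest of a hypothetical package with no install hooks.
SAMPLE_CLEAN = json.dumps({
    "name": "@example/clean-package",
    "version": "1.0.0",
    "scripts": {"test": "jest"},
})

if __name__ == "__main__":
    for sample in (SAMPLE_MALICIOUS, SAMPLE_CLEAN):
        for line in audit_package_json(sample) or ["no findings"]:
            print(line)
```

Run the audit against the extracted tarball of a dependency before installing it; `npm install --ignore-scripts` prevents the hooks from executing while you review them. A deny list only catches versions that are already known bad, so the install-hook check is the part that would have flagged a fresh release.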
MARCH 2026: 749
FEBRUARY 2026: 748
JANUARY 2026: 753
Vulnerability | 01 Jan 2026 | Bitwarden
LastPass, Bitwarden and Dashlane: 25 Flaws Found in Cloud Password Managers Allow Unauthorized Access and Data Manipulation
Score: 748 | Severity: CRITICAL-5 | Incident ID: DASLASBIT1771317146
Critical Vulnerabilities Exposed in Major Cloud Password Managers
Researchers from ETH Zurich's Applied Cryptography Group have uncovered 25 severe security flaws in popular cloud-based password managers, including Bitwarden, LastPass, and Dashlane, which collectively serve around 60 million users worldwide. The findings challenge the long-held assumption of "zero-knowledge encryption", a security model in which data remains encrypted even if servers are compromised.
Led by Professor Kenneth Paterson, the team simulated a malicious server threat model, testing how browser extensions responded when servers were compromised. The results revealed client-side vulnerabilities that could allow attackers with server access to view, modify, or delete stored passwords, logins, and sensitive data. Bitwarden was found to have 12 vulnerabilities, LastPass 7, and Dashlane 6, with some flaws enabling full organization vault compromises or unauthorized access via sync manipulation.
Key issues stem from outdated cryptographic practices and user-friendly features like password recovery and sharing, which introduce complexity and expand the attack surface. Doctoral student Matteo Scarlata noted that many vendors rely on 1990s-era encryption to avoid disrupting users or causing downtime, undermining the security guarantees of zero-knowledge architectures.
The vulnerabilities, assigned CVE IDs with CVSS scores ranging from 7.5 to 8.5, include:
- Bitwarden: Unauthorized vault access, integrity violations in shared credentials, and full organization vault compromise.
- LastPass: Password recovery bypass and credential modification attacks.
- Dashlane: Legacy crypto decryption leaks.
The researchers followed responsible disclosure, giving vendors 90 days to address the flaws. While patches are now being rolled out, the findings highlight a critical weakness: even encrypted data can be manipulated if servers are compromised. The incident underscores the need for regular external audits, transparent security practices, and migration to modern cryptographic standards rather than relying on incremental fixes.
DECEMBER 2025: 753
NOVEMBER 2025: 753
OCTOBER 2025: 753
SEPTEMBER 2025: 752
AUGUST 2025: 752
JULY 2025: 752
MAY 2025: 754
Vulnerability | 01 May 2025 | Bitwarden
Unpatched Clickjacking Flaws in Major Password Managers Expose User Credentials, 2FA Codes, and Credit Card Details
Score: 752 | Severity: CRITICAL-2 | Incident ID: BIT539083025
Bitwarden, a widely used password manager with millions of users, was found vulnerable to unpatched clickjacking flaws that allow attackers to steal account credentials, 2FA codes, and credit card details via malicious websites or XSS-compromised pages. The exploit manipulates UI opacity and overlays to trick users into triggering autofill actions, leaking sensitive data without their knowledge. While Bitwarden acknowledged the issue, it initially downplayed its severity before releasing a partial fix in version 2025.8.0. Earlier versions (e.g., 2025.7.0) remained exposed, putting users at risk of credential theft, financial fraud, and identity compromise. The flaw was publicly disclosed at DEF CON 33, increasing the likelihood of exploitation by threat actors. Users were advised to disable autofill or update immediately to mitigate the risk, though residual vulnerabilities may persist in certain attack scenarios.