Hello. I recently saw this → https://socket.dev/blog/bitwarden-cli-compromised and wanted to investigate whether this affected my system or not as the malware poses a serious risk. According to the blogpost, the compromised version is v2026.4.0, which I believe was never released as snap:
$ snap list --all bw
Name  Version   Rev  Tracking       Publisher   Notes
bw    2026.3.0  95   latest/stable  bitwarden✓  disabled
bw    2026.4.1  96   latest/stable  bitwarden✓  -
But I’m not sure as I didn’t find a way to check the release history of a snap package.
From Tags · bitwarden/clients · GitHub I see upstream didn’t release this version either, and they are the ones creating the .snap file. In fact, hashes for rev 95 and 96 match their pre-built binaries.
I have a few open questions though:
From the snapcraft.io side, is there a way to check the release history / download old binaries for a given snap? I think it’s an important mechanism to investigate past incidents.
Would strict confinement be able to prevent this malware from working? I guess so, as the malware runs external commands that should be blocked.
In the snapcraft ecosystem, is the snap publisher (8bit Solutions LLC - bitwarden in this case) the only entity/person responsible for their packages?
I’d appreciate if anyone has anything to share on this.
Would strict confinement be able to prevent this malware from working? I guess so, as the malware runs external commands that should be blocked.
While the snapped malware can’t run system commands on the host (their /usr is mapped to one of the base snaps), nothing is stopping them from running programs already bundled within the snap, in the base snaps, or anything that existed within the confinement of the home and removable-media interfaces, if those are connected by the snap.
As for this incident, the malware’s credential-stealing behavior is largely limited, as it doesn’t have access to the leading hidden directories of the user home folder, which contain the most valuable credentials (SSH/PGP keys, browser session data, shell history, etc.). It can, however, access .env environment files that are not right under $HOME, which may contain secrets of the production environment.
To be specific, the following crossed-out credential items are unaffected:
Users should assess the exposure and rotate credentials that may be affected by the incident.
In the snapcraft ecosystem, is the snap publisher (8bit Solutions LLC - bitwarden in this case) the only entity/person responsible for their packages?
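To make the strict-confinement point from the reply above concrete, here is an added example (my own code, not from snapd, Bitwarden, or either post) that models which paths a strictly confined snap with the home interface connected can read or write. It assumes that the AppArmor fragment snapd generates for the home interface is the one I recall (quoted in the docstring: everything under $HOME except top-level dot-entries and $HOME/snap); the sample home directory and the sample paths are constructed. Check the generated profile under /var/lib/snapd/apparmor/profiles/ on your own machine before relying on this model.

```python
"""
Model of what the snapd `home` interface exposes to a strictly confined snap.

Assumption: the AppArmor rules snapd generates for the home interface look
like this (from memory; verify against the real profile):

    owner @{HOME}/ r,
    owner @{HOME}/[^s.]** rwkl,
    owner @{HOME}/s[^n]** rwkl,
    owner @{HOME}/sn[^a]** rwkl,
    owner @{HOME}/sna[^p]** rwkl,
    owner @{HOME}/snap[^/]** rwkl,

The character classes carve out exactly two things: top-level entries that
start with a dot (~/.ssh, ~/.gnupg, ~/.config, ~/.bash_history, ~/.env) and
~/snap itself. A dot-file deeper in the tree (~/projects/api/.env) is NOT
excluded. The `owner` qualifier (file must belong to the calling user) is
ignored here.
"""
import re
from pathlib import PurePosixPath

HOME = "/home/alice"  # constructed sample home directory

HOME_INTERFACE_GLOBS = [
    "@{HOME}/",
    "@{HOME}/[^s.]**",
    "@{HOME}/s[^n]**",
    "@{HOME}/sn[^a]**",
    "@{HOME}/sna[^p]**",
    "@{HOME}/snap[^/]**",
]


def _glob_to_regex(glob: str) -> str:
    """Translate the subset of AppArmor glob syntax used above into a regex.

    `**` matches anything including `/`, `*` anything except `/`, and
    `[...]` / `[^...]` are character classes as in regex.
    """
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*")
            i += 2
            continue
        c = glob[i]
        if c == "*":
            out.append("[^/]*")
        elif c == "[":
            j = glob.index("]", i)
            cls = glob[i + 1:j]
            if cls.startswith("^"):
                out.append("[^" + re.escape(cls[1:]) + "]")
            else:
                out.append("[" + re.escape(cls) + "]")
            i = j
        else:
            out.append(re.escape(c))
        i += 1
    return "^" + "".join(out) + "$"


def allowed_by_profile(path: str, home: str = HOME) -> bool:
    """Literal evaluation: does any generated rule match `path`?"""
    target = path + "/" if path == home else path
    patterns = [_glob_to_regex(g.replace("@{HOME}", home)) for g in HOME_INTERFACE_GLOBS]
    return any(re.match(p, target) for p in patterns)


def home_interface_allows(path: str, home: str = HOME) -> bool:
    """Readable restatement of the same policy, used to cross-check the globs."""
    try:
        rel = PurePosixPath(path).relative_to(PurePosixPath(home))
    except ValueError:
        return False  # outside $HOME: the home interface grants nothing here
    if not rel.parts:
        return True  # $HOME itself is listable
    first = rel.parts[0]
    if first.startswith("."):
        return False  # top-level hidden entries are carved out
    if first == "snap":
        return False  # ~/snap is reserved for per-snap data, not exposed
    return True


# Constructed sample of files a credential stealer would go after.
SAMPLE_PATHS = [
    "/home/alice/.ssh/id_ed25519",
    "/home/alice/.gnupg/private-keys-v1.d/key.key",
    "/home/alice/.config/google-chrome/Default/Cookies",
    "/home/alice/.bash_history",
    "/home/alice/.aws/credentials",
    "/home/alice/.env",
    "/home/alice/projects/api/.env",
    "/home/alice/projects/api/.git/config",
    "/home/alice/Documents/notes.txt",
    "/home/alice/snap/bw/current/.config/Bitwarden CLI/data.json",
    "/home/alice/snapshots/backup.tar",
    "/etc/passwd",
]


def exposure_report(paths=SAMPLE_PATHS) -> dict:
    """Map each path to whether the home interface would expose it."""
    return {p: home_interface_allows(p) for p in paths}


if __name__ == "__main__":
    for p, ok in exposure_report().items():
        print(("REACHABLE " if ok else "blocked   ") + p)
```

The two functions are deliberately independent: `allowed_by_profile` evaluates the globs as written, while `home_interface_allows` states the intended policy in plain terms, so a mismatch between them would mean the rules do not do what their comments claim. Running it shows the split the reply describes: the hidden top-level directories are blocked, but a `.env` or `.git/config` inside a project directory is fully reachable.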