News linked to both this project and an event.
SlowMist CISO 23pds (@im23pds) disclosed that the Bitwarden CLI version 2026.4.0 was subjected to a Checkmarx supply-chain attack between 17:57 and 19:30 ET on April 22. During this window, attackers abused a GitHub Action within Bitwarden’s CI/CD pipeline to briefly distribute a malicious package via npm. The official statement confirmed that Vault data was not compromised and production systems remained unaffected; only users who installed this specific version via npm during the aforementioned time window were impacted. Affected users are advised to immediately uninstall version 2026.4.0, clear their npm cache, rotate sensitive credentials—including API tokens and SSH keys—investigate anomalous activity in GitHub and CI environments, and upgrade to the patched version 2026.4.1.
According to BlockSec Phalcon, the HandlerV1 contract managed by Hyperbridge on the Ethereum network was found to contain a Merkle Mountain Range (MMR) proof replay vulnerability, resulting in approximately $242,000 in losses. The vulnerability stems from the lack of binding between proofs and requests, enabling attackers to replay historical valid proofs alongside newly forged requests to perform malicious actions—such as altering administrator privileges. In the specific incident, the attacker changed the Polkadot (DOT) token administrator and then exploited those privileges to mint additional DOT tokens for profit. Observed attack transactions include: changing the DOT token administrator and minting new tokens (losses of ~$237,400), changing the ARGN token administrator and minting new tokens (losses of ~$3,800), and host withdrawal operations. The vulnerability was discovered by PhalconSecurity and analyzed via PhalconExplorer. Previously, the Hyperbridge gateway contract was attacked, leading to the unauthorized minting and subsequent dumping of 1 billion DOT tokens on Ethereum.