Bitwarden Statement on Checkmarx Supply Chain Incident

Thanks for the update!

What steps are being taken to prevent similar issues in the future? This comment on GitHub outlines some steps for hardening distribution via npm:

To prevent a user with write access from being able to directly trigger a publish with npm OIDC, a few steps have to be taken:

  1. Use a publish environment and in that environment set up a branch rule to limit it to one or multiple specific release branches. List every branch separately and only keep active release branches. Do not use a pattern that would allow creating a new matching branch.
  2. That environment must be configured on the npm package.
  3. The release branches must be protected against unreviewed pushes (require pull request with at least 1 review).
  4. Add a mandatory approval step to the publish environment (this can theoretically be skipped if you trust the combination of review and environment lock above, but given the scope of Bitwarden I'd recommend having it).


And this comment on Xitter suggests that there is a broader vulnerability of CI/CD pipelines:

CI/CD pipelines as the attack vector for supply chain compromise is becoming the pattern. Malicious workflows can bypass every code review process. The publish step is the weakest link.

Are there any plans to audit and harden publishing pipelines for the other clients?

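As an added example that is not part of the quoted comment or of any Bitwarden repository, this is what a GitHub Actions publish workflow looks like once the four steps above are in place: the environment name `npm-publish`, the release branch names and the package are assumed placeholders, and steps 1, 3 and 4 are repository settings that the workflow only references (the environment's deployment-branch policy and required reviewers, plus branch protection on the release branches).

```yaml
# Added example (not from the forum post or Bitwarden's repos): a GitHub Actions
# publish workflow wired to a protected "npm-publish" environment so that npm's
# OIDC trusted publishing only succeeds from the listed release branches and
# after the environment's required reviewers approve. Environment name, branch
# names and package details are assumed placeholders.
name: publish-npm

on:
  push:
    # Step 1: only the explicitly listed release branches, no wildcard patterns.
    # The environment's own deployment-branch policy (set in repo settings)
    # must list the same branches, otherwise the job fails at the gate below.
    branches:
      - release/2025.10
      - release/2025.11

# No long-lived NPM_TOKEN secret anywhere: the job mints a short-lived OIDC
# token that npmjs.com exchanges for publish rights (step 2: the trusted
# publisher on the package must name this repo, this workflow file and this
# environment).
permissions:
  contents: read
  id-token: write

jobs:
  publish:
    runs-on: ubuntu-latest
    # Steps 1 and 4: the environment carries the branch policy and the
    # required-reviewers rule; the job blocks here until a reviewer approves,
    # and is refused outright when run from a branch the policy does not list.
    environment:
      name: npm-publish
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org
      # Trusted publishing needs npm 11.5.1 or later.
      - run: npm install -g npm@latest
      - run: npm ci
      - run: npm run build --if-present
      # No NODE_AUTH_TOKEN here: authentication is the OIDC token above, and
      # npm attaches provenance to the published version automatically.
      - run: npm publish
```

A contributor with write access who pushes to any other branch, or who edits this file on a feature branch, never reaches `npm publish`: the environment gate rejects the run before the job's steps execute.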