The Changelog: Software Development, Open Source - Bitwarden CLI compromised (News)

Episode Date: April 29, 2026

Bitwarden's CLI got hit by the Checkmarx supply-chain campaign, TypeScript 7.0 beta lands with the Go-rewritten compiler running ~10x faster than 6.0, and pgBackRest lost its maintainer of thirteen years, leaving anyone running production Postgres with a real dependency-trust task this week. We've also got Ubuntu 26.04 LTS shipping with TPM-backed full-disk encryption, and Matz dropping Spinel as an AOT path that takes Ruby to native binaries. This week was a good reminder that the tools we depend on are all moving at once. Security, performance, and maintenance aren't isolated threads.

Transcript
Starting point is 00:00:00 What's up friends? Adam here. This is Changelog News for the week of April 27th, 2026. Fresh off the press, literally hours old at this point. Warp is now open source. Yes, your favorite terminal and mine too, besides Ghostty, of course, is now open source. Years ago, we had Zach on the pod and pressured him. Highly suggested, I should say, that Warp be open source, and the day is finally here.
Starting point is 00:00:30 They are now open source. The primary reason is, quote, that we think we can ship a better Warp more quickly if we open source and work with our community, end quote. But congrats, Zach. I'm excited. Are you excited? Okay. Let's get into the news. Bitwarden CLI has been compromised.
Starting point is 00:00:51 Yes, Bitwarden's official command line tool got hit last Thursday. Our friends at Socket are on the beat. They flagged a malicious CLI published to npm as part of the same Checkmarx-themed supply chain campaign that's been going through developer tooling these past few weeks. Here's why it matters. The CLI is now the tool by definition that sits next to our secrets. And the compromised build was scraping GitHub tokens, AWS, Azure, and GCP credentials,
Starting point is 00:01:19 npm config, SSH keys, the good stuff, right? Shell profiles, and even your cloud and MCP config files out of these spoofed audit.checkmarx.c... So, if you ran Bitwarden, or bw, the command, on a dev machine or a CI runner in the past few weeks, this is an incident response. This is not a patch cycle. And our friends at Socket say, quote, the compromise follows the same GitHub Actions supply chain vector identified in the broader Checkmarx campaign, end quote.
Starting point is 00:01:53 So this is a strategic attack and our dev tools are in the crosshairs. TypeScript 7.0, beta. TypeScript 7.0 hit beta last Tuesday. After more than a year of porting from a JavaScript-based bootstrapped compiler to a Go rewrite, the team is shipping it with one headline number, about 10x faster than 6.0. The big picture, this is the most ambitious thing TypeScript has done since the language shipped. Microsoft didn't add features. They rewrote the core in a different language to break a performance
Starting point is 00:02:29 ceiling that JavaScript-bootstrapped TSC was never going to clear. And they say stable is within the next two months. Daniel Rosenwasser, TypeScript Program Manager from Microsoft, says this, quote, it is highly stable, highly compatible, and ready to put to the test in your daily workflows and CI pipelines today. So you got your marching orders, use it in your workflows today, use it in your pipelines today, and enjoy TypeScript 7.0. Ubuntu 26.04 LTS is here. Okay, so Resolute Raccoon shipped on Thursday. Fantastic news for our home labbers out there who are on the edge of Ubuntu. I know that's what I use in my VMs and containers, so I'm excited to finally get my templates updated to Ubuntu 26.04 up from 24.04. This is the LTS release. Your
Starting point is 00:03:22 servers will run for the next five years on through April 2036. So that's a long time. The most interesting call on the release isn't the kernel or the desktop. It's Canonical pumping the brakes on the Rust coreutils swap. It's kind of the judgment that makes the LTS worth trusting. Plan your fleet upgrade window now. I know I am. If Rust everywhere lands by 26.10 as targeted, this LTS is the on-ramp. And now time for some sponsored news. Well, I'm here with Nikki Pike from coder.com. Secure environments where devs and agents work in parallel. Nikki, the thing on my mind this week is the laptop. How secure? How at risk are we? The laptop is the trap here. And not only because of the fact that it could be stolen, you could lose it,
Starting point is 00:04:08 it breaks and you're out of work while you're waiting for a new one, but there's also just the consistency that you've got there. We all know developers. Developers are going to be looking for some of the latest and greatest. And if you're not really controlling how they get out there, that's where you get this. It works on my machine. It doesn't work in production. It doesn't work anywhere else because you don't have that consistency. You don't have that ability to really standardize what that environment looks like. But there's also the security and the supply chain aspect of this. When you have local machines out there, look at like the Shai-Hulud, you know, that virus that went out not long ago. This was a compromise of the npm public repositories. They went and downloaded things. npm did
Starting point is 00:04:44 what it did. Next thing you know, you're compromised. But when you use something like what we're doing with cloud development environments, then you can mandate and you can put restrictions on there to say, hey, you can only go get your packages from our private repo. Those packages are expected to have been thoroughly vetted. We know that they're clean. Now, does this stop everything like Shai-Hulud? No, if that compromised package gets into your private repo, you can still have that, but it really reduces the surface area of the attack. And it also reduces the blast area of the compromise should it happen, because if your laptop gets compromised and you have to kill the laptop for whatever reason, that's weeks out of work while you're either fixing that or you're getting a new laptop in.
Starting point is 00:05:24 The cloud development environments allow you to kill that, start back up fresh, and you're back and running in five minutes. You don't have to wait all that time. All right, friends, go to coder.com, give your developers room to build and run parallel agents inside secure, self-hosted environments. Again, coder.com. Spinel compiles Ruby to native binaries. Our favorite programmer Matz drops Spinel on Friday. Thank you, Matz, of course, for Ruby. It is an ahead-of-time compiler that takes Ruby's source,
Starting point is 00:05:54 emits standalone C, and runs it through GCC or Clang to produce a native binary. And the benchmarks say it's about 11.6x faster, and on compute-heavy workloads, Conway's Game of Life is the canonical example, it tops 86x. And if you ask me, this changes the framing for what Ruby can be used for.
Starting point is 00:06:13 The immediate obvious win is small CLIs, Lambda functions, and short-lived processes. Basically, anywhere CRuby's startup cost was a tax on you and pushed you to Go or Rust, now Ruby is an option. And here's the cool thing, Ruby on more serious infrastructure. The cleanest read of this is that Matz is signaling Ruby's future has a typed, pre-compiled lane next to its dynamic one. The Crystal community has been making this case for years, but the difference is this one's coming from Matz himself. It's not a fork, it's a direction. pgBackRest is no longer being maintained.
Starting point is 00:06:50 After 13 years, David Steele has stepped away from pgBackRest. The repository is archived. The README leads with, quote, notice of obsolescence, end quote. The standard backup tool for production Postgres deployments has lost its maintainer and won't be patched going forward. This is not a hobby crate gone dormant. pgBackRest is a tool a lot of operations teams have woven into the fabric of what they do, their runbooks, their backup automation,
Starting point is 00:07:19 their disaster recovery plans. And when the next CVE hits and this maintainer's gone, it's not getting patched, not eventually, just not at all. The sentiment can be read directly from David's deal, quote, rather than do the work poorly and or sporadically, I think it makes sense to have a hard stop, end quote. David, good for you to call the ball, draw the line, and step away as you need to.
Starting point is 00:07:42 So if you run pgBackRest in production, this is a this-week task. Don't delay it. And who knows what's to come for pgBackRest. Next week we may have a new headline about it. We shall see. Alright friends, this show's done. Tons
Starting point is 00:07:58 of links in the newsletter. Check that out as well. Also, tune in to Changelog 680, talking to Amelia Wattenberger, explore with agents, designer, DataViz veteran, ex-GitHub Next, and now designing intent at Augment Code. Once again,
Starting point is 00:08:13 Changelog 680. And again, thank you to Coder for sponsoring this episode. That's it. We're done. We'll see you soon.
