
End-User Package Install Firewall With Cooldown for the Bitwarden, Axios, and Other Compromised CLI Tools Real Humans Install

developer tool, weekend_project

The April 22 Bitwarden CLI compromise (1,478 upvotes on r/selfhosted, 293 on r/programming) hit during a 93-minute window when a malicious npm package was the latest version. Earlier in the same period, an Axios CLI compromise sprayed credential-stealing postinstall scripts at anyone who ran npm install. r/programming has a separate thread (71 upvotes) about using CEL to enforce 'reject any dependency published in the last N hours' — the cooldown defense — but every existing implementation (Socket, Phylum, vet/safedep, Snyk) targets enterprise CI builds, not the homelab hobbyist running `npm i -g @bitwarden/cli` on their laptop or the founder doing `pip install something-cool` on a fresh AWS instance. The unmet wedge is a personal install firewall that runs on the dev's workstation, intercepts npm/pip/brew/cargo/go installs, and refuses brand-new-version installs of high-value packages until they've baked in the wild for N hours.

builder note

The MVP fits in a weekend: a Bash/Zsh function that intercepts `npm install`, queries the registry's publish date, and prompts to confirm if the version is younger than N hours. Ship for npm first, then pip, then brew. The product question that actually matters is curation — having a sensible default allowlist (lockfile-pinned reproducible builds skip the check, popular long-lived package versions skip the check) so the tool doesn't get torn out the first time it slows down a CI rerun. Distribution: Show HN, post to r/selfhosted next time a CLI compromise happens (which, sadly, will be soon).
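One way to build the npm-first MVP described above, as an added example rather than code from this page or from any of the tools it lists. The function names, `COOLDOWN_HOURS` and the y/N prompt are assumptions; it targets bash/POSIX sh (zsh needs `setopt sh_word_split`) and only gates packages named on the command line.

```bash
# Added example: cooldown gate for `npm install <pkg>`; all names here are hypothetical.
# Source it from your shell rc file so the function shadows the real npm.
COOLDOWN_HOURS=${COOLDOWN_HOURS:-24}

# Registry timestamp (UTC, e.g. 2026-04-22T14:03:11.000Z) -> epoch seconds, using
# integer math only so GNU and BSD userlands agree. Malformed input exits non-zero.
iso_to_epoch() (
  case $1 in
    *[!0-9T:.Z-]*) exit 1 ;;              # digits and ISO separators only
    [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]T[0-9][0-9]:[0-9][0-9]:[0-9][0-9][Z.]*) ;;
    *) exit 1 ;;
  esac
  IFS='-T:.Z'; set -f; set -- $1          # year month day hour min sec [ms]
  y=$1 m=${2#0} d=${3#0} hh=${4#0} mi=${5#0} ss=${6#0}   # strip 0 so 08/09 are not octal
  if [ "$m" -le 2 ]; then y=$((y - 1)); fi   # count Jan/Feb with the previous year
  mp=$(( (m + 9) % 12 ))                  # March = 0 ... February = 11
  days=$(( 365*y + y/4 - y/100 + y/400 + (153*mp + 2)/5 + d - 1 - 719468 ))
  echo $(( days*86400 + hh*3600 + mi*60 + ss ))
)

# Exit 0 only if publish time $1 is at least $3 hours before $2 (epoch seconds).
# A missing, unparseable or future publish time fails closed.
past_cooldown() (
  pub=$(iso_to_epoch "$1") || exit 1
  [ $(( $2 - pub )) -ge $(( $3 * 3600 )) ]
)

# Shadows `npm`: checks each named package on install; everything else passes through,
# including a bare `npm install` that resolves from the lockfile.
npm() (
  case $1 in i|install|add) ;; *) command npm "$@"; exit ;; esac
  sub=$1; shift
  for spec in "$@"; do
    case $spec in -*) continue ;; esac    # flags are skipped (flag values are not handled)
    # Assumes `npm view <spec> version time --json` yields {"version":..., "time":{ver: ISO}}.
    pub=$(command npm view "$spec" version time --json 2>/dev/null | node -e '
      const j = JSON.parse(require("fs").readFileSync(0, "utf8"));
      console.log(j.time[j.version])' 2>/dev/null)
    if ! past_cooldown "$pub" "$(date +%s)" "$COOLDOWN_HOURS"; then
      printf '%s published %s: inside %sh cooldown. Install anyway? [y/N] ' \
        "$spec" "${pub:-unknown}" "$COOLDOWN_HOURS" >&2
      read -r ans; [ "$ans" = y ] || exit 1
    fi
  done
  command npm "$sub" "$@"
)
```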

landscape (5 existing solutions)

Enterprise tooling for supply-chain security is mature and well-funded. Personal tooling for the actual people who got popped by the Bitwarden CLI compromise — homelabbers, indie devs, founders, sysadmins doing one-off installs — is a wasteland. The wedge is a transparent shim that wraps npm/pip/brew/cargo/go install, asks the registry for the package's publish date, and refuses any version published in the last 24 (configurable) hours unless explicitly overridden. It needs to be a single binary, work without a subscription, and ship a reasonable allowlist of historically-safe packages so it doesn't false-positive the user into rage-uninstalling it on day three.

Socket: B2B-priced supply chain scanner. Aimed at engineering orgs and CI pipelines. No personal/individual install workflow.

vet (safedep): Has the cooldown primitive via CEL policies. Built for CI gating; running it on a personal workstation as an npm wrapper is undocumented and unergonomic.

Phylum: Acquired by Veracode in 2024. Now firmly enterprise-priced. Personal/freelancer use case is not served.

npm --ignore-scripts / pip --no-deps: The Axios attack thread explicitly notes --ignore-scripts breaks sqlite3 and bcrypt. Not a real defense for users who need a working install.

Open-source attempts (Ward, Trustlock, npm install sandbox CLIs from r/node): Several hobby projects in r/node show people are trying to fill this. None has UX or distribution sufficient to win the category — they're CLI prefixes the user has to remember to use.

sources (4)

reddit https://old.reddit.com/r/selfhosted/comments/1stjtay/bitward... "Disliked that it required npm in the first place, so I tried the Linux download. Yeah, same thing. Do you consider providing a CLI alternative that doesn't use any third-party eco system? I mean..." 2026-04-23
reddit https://old.reddit.com/r/programming/comments/1stoumz/bitwar... "Bitwarden CLI Compromised in Ongoing Checkmarx Supply Chain" 2026-04-23
reddit https://old.reddit.com/r/programming/comments/1sbb7jv/using_... "Supply chain attacks often rely on speed... One defense is a cooldown period: refuse any dependency published within the last N hours." 2026-03-31
reddit https://old.reddit.com/r/node/comments/1sepcyi/the_axios_pos... "The axios postinstall RAT stole env vars and ~/.aws credentials. --ignore-scripts breaks sqlite3 and bcrypt." 2026-03-19
security, supply-chain, npm, pypi, cli, homelab, defense