A review of my experience with Bitwarden after several years of self-hosting it, and why I decided to move away from the password manager.

Note: this is not my article.

  • Eager Eagle@lemmy.world · 8 points · 10 hours ago

    > Bitwarden’s npm distribution pipeline stayed compromised for approximately 19 hours and 334 developers had enough time to pull the malicious package before it was caught.

    It was actually about 90 minutes.

    > Everyone running bw in a CI pipeline just handed the attackers whatever else happened to live on that machine.

    Only if they installed bw in that time window.

    Otherwise yes, I agree it’d be better if the CLI was written in a non-JS/TS ecosystem. Perhaps Rust or Go. And the criticisms to list including secrets are super valid.
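The point that only installs inside the compromise window are at risk is something a defender can actually check. The following is an added example, not code from the article or the thread: it takes registry publish times in the shape of `npm view <pkg> time --json`, a constructed CI log, and a placeholder window (the page gives no absolute timestamps), and lists the jobs that either installed during the window or pinned a version published inside it.

```python
"""Flag CI jobs that could have pulled a package version published during a compromise window."""
from datetime import datetime, timedelta, timezone

# Placeholder window: the thread only says the compromise lasted about 90 minutes.
WINDOW_START = datetime(2025, 1, 1, 12, 0, tzinfo=timezone.utc)
WINDOW_END = WINDOW_START + timedelta(minutes=90)

# Constructed sample in the shape of `npm view @bitwarden/cli time --json` output.
NPM_TIME = {
    "created": "2020-01-01T00:00:00.000Z",
    "modified": "2025-01-01T13:40:00.000Z",
    "2024.1.0": "2024-12-20T10:00:00.000Z",
    "2025.1.0": "2025-01-01T12:05:00.000Z",   # published inside the window
    "2025.1.1": "2025-01-01T13:40:00.000Z",   # published after cleanup
}

# Constructed CI log lines: ISO timestamp, job id, command.
CI_LOG = """\
2025-01-01T11:30:12Z job-41 npm install -g @bitwarden/cli
2025-01-01T12:47:03Z job-42 npm install -g @bitwarden/cli
2025-01-01T15:02:55Z job-43 npm install -g @bitwarden/cli@2025.1.0
2025-01-01T15:10:00Z job-44 npm install -g @bitwarden/cli@2025.1.1
"""

def parse_ts(s):
    """Parse an ISO-8601 UTC timestamp ending in 'Z' (portable across Python versions)."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def versions_in_window(times, start, end):
    """Versions whose publish time falls inside [start, end]; 'created'/'modified' are metadata."""
    return sorted(v for v, t in times.items()
                  if v not in ("created", "modified") and start <= parse_ts(t) <= end)

def suspect_jobs(log, pkg, times, start, end):
    """Jobs that installed pkg inside the window, or pinned a version published inside it.
    A pinned (or cached) bad version is not cured by installing after the window closes."""
    bad_versions = set(versions_in_window(times, start, end))
    hits = []
    for line in log.splitlines():
        ts, job, cmd = line.split(" ", 2)
        spec = next((tok for tok in cmd.split() if tok.startswith(pkg)), None)
        if spec is None:
            continue
        pinned = spec[len(pkg) + 1:] if spec.startswith(pkg + "@") else None
        in_window = start <= parse_ts(ts) <= end and pinned is None
        if in_window or pinned in bad_versions:
            hits.append(job)
    return hits

if __name__ == "__main__":
    print(versions_in_window(NPM_TIME, WINDOW_START, WINDOW_END))
    print(suspect_jobs(CI_LOG, "@bitwarden/cli", NPM_TIME, WINDOW_START, WINDOW_END))
```

Feeding the real `npm view ... time --json` output and your pipeline's install log into the same two functions gives the list of runs whose secrets should be treated as exposed.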