by jfktn5ntkfl 1854 days ago
I'm more and more worried about a supply chain attack on LastPass/KeePass. To the point that I'm skittish about upgrading them.

It feels to me like we need someone with huge resources, like Microsoft/Google/Apple... to buy them and apply their methods against this attack.

For example, where are the binaries built? Who controls the accounts used to upload the installers? Do they regularly pay security teams to try to find vulnerabilities?

To be clear, I'm not worried about the code, but I'm very worried about the downloadable binaries.

3 comments

(I work for another password manager company.) Your questions are fair but not specific to password managers. All software can be a victim of this kind of attack. People tend to think it's worse when their password manager is compromised rather than some other software, but the truth is that a trojan in (say) your text editor can very well be used to compromise your device and steal all your passwords.

But you are right, securing the code base and the CI is a big part of making sure software is secure.

Oh, and I cannot comment on the software you listed specifically, but I would strongly recommend that you regularly update the software you use. Even if they don't create any vulnerability in their own code, they probably use some code dependencies, and it's unlikely that there are never vulnerabilities in any of those (and as per my previous comment, this is true of all software, not only password managers).

At least on mobile, Apple and Google are in charge of the supply chain, given their control of the App Store, Play Store, and Chrome Web Store. I would assume that apps with very large user bases go through extended vetting and the company accounts are more locked down than individual developer accounts. For example, I doubt any one person has the credentials to log into App Store Connect and publish a new Facebook binary.

Won't enabling 2FA through TOTP or Yubikeys make your worry go away?