by whoisjohnkid 1387 days ago
Hmm, even though LastPass doesn’t have access to your pass, couldn’t a malicious software update cause an attacker to view your passwords when it runs, since the software ultimately has access?

This doesn’t seem to be the case in this incident though.

4 comments

Yes, absolutely - a compromised development environment might be the first step towards getting implanted code into shipping software, or getting to a signing environment (hopefully highly isolated, but you never know!), with a view to carrying out a supply chain attack.

That's basically what happened in the solarwinds compromise.

Yes, it's possible that attackers could release a malicious client-side update, but it would be immediately noticed and an alarm would be raised. Also, I believe LastPass's client-side apps are open source, making it even more obvious when something is changed.

I think you are referring to a malicious client software update. It doesn't even have to be that, since a common way to use LP is just over the web.

The software has access, but only using your master password which is also encrypted much like the passwords you have within the app.

So unlikely.