Why some security fixes never reach your vulnerability dashboard
Summary
A malicious version of Bitwarden CLI was available on npm for 90 minutes in April 2026, stealing developer credentials through a compromised GitHub Action (an automated workflow tool). The incident received a CVE (Common Vulnerabilities and Exposures, an official vulnerability identifier), but the CVE only notified defenders after the fact rather than providing a patch to apply. This highlights how CVE has drifted from its original purpose of identifying code flaws with fixable versions to tracking security incidents.
Original source: https://www.csoonline.com/article/4173425/why-some-security-fixes-never-reach-your-vulnerability-dashboard.html
First tracked: May 20, 2026 at 08:00 AM
Classified by LLM (prompt v3) · confidence: 78%