Password managers are all about trust, and the main link is about a compromise, so it's not surprising that the first comment is also about trust, even if it's not directly about this particular compromise.
I found the default bwcli clunky and unacceptable, and it's why I don't use it, even though I still have a BitWarden subscription.
Where's the evidence that 1024kb's issue had anything to do with bw? How is that vaguely recalled anecdote a trust issue with bw? It was probably caused by accidentally copying something to the clipboard or some other buffer which was then transferred via ssh and imported into weechat, possibly with the help of custom terminal, ssh, tmux, or weechat settings making it too easy for data to be slung around like that.
I can't think of a plausible explanation for how bw is at fault for its terminal output ending up, across an ssh session and tmux invocation, in the chat history of weechat. Even if bw auto-copied its output to the clipboard (which as far as I could tell by glancing at the cli options, it doesn't and can't), and the clipboard is auto-copied to remote hosts, clipboard contents shouldn't appear in an irc client's history without explicit hacking to do that.
The claim is just noise, particularly because it doesn't seem to have ever been investigated.
It seems prudent, if someone wants to use a cli, to use rbw rather than bw, or even just pass or keepassxc-cli (and self-managed cloud backup or syncing). However, that's based on bw being a javascript mess, not based on the unlikely event of bw injecting its output through ssh into irc clients.
The behavior of `bw list` is the serious breach of trust.
> I believe it was `bw list` that I ran, assuming it would list the names of all my passwords, but to my surprise, it listed everything, including passwords and current totp codes.
This issue is clearly bitwarden's issue, and is an insane design that's extremely unfriendly. I just searched again and apparently, yes, `bw list` just dumps all the plaintext passwords out to the terminal! Doing an `ls` on a directory doesn't dump all the file contents, doing `list` should not reveal the secrets everywhere, and a design that includes dumping all passwords in plaintext from a listing is frankly panic inducing. I always take care not to cat secret key material to the screen, and even try to avoid piping it places.
Whatever else happened after having your entire password vault dumped to a terminal screen is probably unconnected to `bw` in any way, and 1024kb doesn't blame bitwarden for that directly, and says "I have no idea how this happened, but it was quite terrifying." which doesn't blame `bw` for the copying. The sin was dumping everything to the terminal.
Data on a terminal screen should be easy to sling around, that's the entire point of a terminal screen. So it should be very hard to dump all your secrets to the terminal, there shouldn't even be a "dump all plaintext passwords to stdout" without some serious `--yes-i-mean-it` flags, much less the most basic command one can imagine using when trying to look up the name of a secret.
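As an added illustration of the "listing should not reveal secrets" point (example code, not from this thread and not part of Bitwarden's CLI): a filter that takes the JSON that `bw list items` prints and keeps only listing metadata, so a wrapper such as `bw list items | python3 bw_ls.py` never puts passwords, TOTP seeds, notes or custom fields on the terminal, and refuses to print at all if a secret-bearing key somehow survives. The item shape (`id`, `name`, `type`, `login.username`, `login.password`, `login.totp`, `notes`, `fields`) is assumed from the CLI's JSON output; the sample vault below is constructed with fake secrets.

```python
"""Safe listing filter for Bitwarden CLI JSON output.

Added example, not part of the original thread or of Bitwarden's code.
Usage:  bw list items | python3 bw_ls.py
The item schema (id / name / type / login.username / login.password /
login.totp / notes / fields) is an assumption about the CLI's JSON output.
"""
import json
import sys

# Keys that may carry secrets. Output is built from an allow-list, so any
# field not named there is dropped by default rather than shown.
SECRET_KEYS = {"password", "totp", "notes", "fields", "card", "identity", "sshKey"}
ALLOWED_TOP = ("id", "name", "type", "folderId")
ALLOWED_LOGIN = ("username",)


def redact_item(item: dict) -> dict:
    """Return a copy of one vault item containing only listing metadata."""
    out = {k: item[k] for k in ALLOWED_TOP if k in item}
    login = item.get("login") or {}
    if login:
        out["login"] = {k: login[k] for k in ALLOWED_LOGIN if k in login}
        uris = login.get("uris") or []
        out["login"]["uris"] = [u.get("uri") for u in uris if isinstance(u, dict)]
    return out


def redact_items(items: list) -> list:
    """Redact every item of a `bw list items` array."""
    return [redact_item(i) for i in items]


def leaks_secret(obj) -> bool:
    """True if any secret-bearing key survives anywhere in obj (defence in depth)."""
    if isinstance(obj, dict):
        return any(k in SECRET_KEYS or leaks_secret(v) for k, v in obj.items())
    if isinstance(obj, list):
        return any(leaks_secret(v) for v in obj)
    return False


def format_listing(items: list) -> str:
    """One line per item: id, name, username. Built only from redacted items."""
    lines = []
    for it in redact_items(items):
        user = it.get("login", {}).get("username", "")
        lines.append(f"{it.get('id', '')}  {it.get('name', '')}  {user}")
    return "\n".join(lines)


# Constructed sample in the assumed shape of `bw list items`; secrets are fake.
SAMPLE_VAULT = [
    {"id": "1111-aaaa", "type": 1, "name": "example.org",
     "login": {"username": "alice", "password": "hunter2",
               "totp": "JBSWY3DPEHPK3PXP",
               "uris": [{"uri": "https://example.org"}]},
     "notes": "recovery codes: 1234 5678"},
    {"id": "2222-bbbb", "type": 2, "name": "Secure note",
     "notes": "ssh passphrase is correct horse battery staple",
     "fields": [{"name": "pin", "value": "0000", "type": 1}]},
]

if __name__ == "__main__":
    # Read the real vault listing from a pipe; fall back to the sample when run bare.
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_VAULT
    safe = redact_items(data)
    if leaks_secret(safe):
        sys.exit("refusing to print: a secret field survived redaction")
    print(format_listing(data))
```

The allow-list is the important design choice: the filter decides what is safe to show rather than what to hide, so a new field type in the JSON is hidden until someone deliberately adds it, which is the opposite of the `bw list` default the comment objects to.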