1password-cli-vuln-disclosure
Testing 1Password
In October 2023, I reported a vulnerability to 1Password in their op program (a.k.a. 1password-cli). In my report I detailed that their approach of prompting the user only once and then leaving the vault open to the CLI could easily be exploited in supply-chain scenarios, especially when a threat actor targets developer toolchains. I highlighted two attack paths and supplied them with a proof of concept for one of them.
This demo was tested across the three most recent ver...
Read more at codeberg.org