Bitwarden CLI compromised - Vaultwarden affected?

[DasIgeli]

So I just read the news below and I am wondering whether I should start changing passwords?

https://thehackernews.com/2026/04/bitwarden-cli-compromised-in-ongoing.html?m=1

[stefan0xC]

If I understood the issue correctly an npm package called @bitwarden/cli with version 4.0 was released that was compromised, so this is totally independent of Vaultwarden. Cf. Bitwarden Statment on the incident. i.e.

Only users who installed Bitwarden CLI 2026.4.0 via NPM during the affected window are impacted.

[DasIgeli]

This is, what I have understood as well however I was/am worried that the underlying architecture of Vaultwarden uses the CLI.

If not, than that is clarified and I can sleep well tonight

[stefan0xC]

No, it does not use the CLI since we only build the web-vault. So the only reference to the @bitwarden/cli would be in the shared package-lock.json file of the clients repository but since the specified version 2026.3.0 is not affected and it would also be resolved to a (deleted) workspace folder in our fork this would never have fetched the compromised package from the npm registry when installing dependencies with npm ci.

[DasIgeli]

Thanks for the clarification!