Executive Summary
Bitwarden confirmed a malicious npm release of @bitwarden/cli@2026.4.0 in the CLI npm delivery path on April 22, 2026. Bitwarden's public statement narrows affected users to npm CLI installs during the vendor-stated window of 5:57 PM to 7:30 PM ET on April 22, 2026, assigns CVE-2026-42994, and states that vault data, production data, and production systems were not found to be compromised [Sources 1 and 5].
JFrog analyzed the malicious package and found that it rewired preinstall and the bw binary entrypoint to bw_setup.js, which bootstrapped Bun 1.3.13 and ran bw1.js. The payload targeted developer and CI credentials, exfiltrated to audit[.]checkmarx[.]cx/v1/telemetry, resolved that domain to 94.154.172[.]43, and used GitHub commit search and repository creation as fallback transport [research.jfrog.com opens in a new tab]. Socket independently tracked the same package/version, endpoint, IP, lock file, and GitHub artifact/workflow abuse patterns [socket.dev opens in a new tab].
The npm registry metadata still records a 2026.4.0 timestamp even though the removed version is absent from the current versions list. Use 2026-04-22T21:22:59Z to start collection and 2026-04-22T23:30:00Z as the initial end bound; classify exposure by exact package/version plus execution evidence, not by generic Bitwarden usage [registry.npmjs.org opens in a new tab].