CVE-2026-34841
Impact
This is a supply chain attack involving compromised versions of the axios npm package, which introduced a hidden dependency deploying a cross-platform Remote Access Trojan (RAT).
Users of @usebruno/cli who ran npm install between 00:21 UTC and ~03:30 UTC on March 31, 2026 may have been impacted.
Potential impact includes:
- Execution of a malicious postinstall script
- Remote Access Trojan (RAT) installation
- Exfiltration of credentials and sensitive data
Not impacted:
- Bruno desktop app users
- Users who installed outside the attack window
Patches
The compromised axios versions (1.14.1, 0.30.4) have been removed from npm, and new installations will now resolve to safe versions.
Additionally, Bruno has taken further hardening steps:
- Pinned axios to a known safe version to prevent accidental resolution to malicious releases
- Fix implemented in: https://github.com/usebruno/bruno/pull/7632
Recommendation
If users installed @usebruno/cli during the affected window:
- Reinstall dependencies
- Rotate all credentials and secrets:
For additional guidance on securing your system, refer to this article:
https://www.aikido.dev/blog/axios-npm-compromised-maintainer-hijacked-rat
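To make the "reinstall and pin" guidance above concrete, the following is an added example (not code from the advisory, from Bruno, or from axios) that audits an npm lockfile (lockfileVersion 2 or 3) for the two compromised axios releases named in this advisory and lists every dependency that carries an install script, then rewrites a package.json so axios resolves only to an exact version. The lockfile fragment is constructed for the example; the safe version is a placeholder because the advisory does not name one, and the use of npm's overrides field to pin a transitive dependency is this example's choice, not necessarily how the Bruno fix was implemented.

```javascript
// Added example: lockfile audit for the compromised axios releases and
// install-script-bearing packages, plus a package.json pinning helper.

// Versions named in the advisory as compromised.
const COMPROMISED_AXIOS = new Set(["1.14.1", "0.30.4"]);

// Constructed sample lockfile (lockfileVersion 3 layout: entries keyed by
// their node_modules path). Not a real project's lockfile.
const sampleLock = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { "@usebruno/cli": "^2.0.0" } },
    "node_modules/@usebruno/cli": { version: "2.0.0", dependencies: { axios: "^1.14.0" } },
    "node_modules/axios": {
      version: "1.14.1",
      resolved: "https://registry.npmjs.org/axios/-/axios-1.14.1.tgz"
    },
    // npm records `hasInstallScript: true` for packages with install hooks.
    "node_modules/some-native-lib": { version: "3.1.0", hasInstallScript: true },
    "node_modules/@usebruno/cli/node_modules/axios": { version: "1.6.0" }
  }
};

// Walk every installed package and report (a) axios at a compromised
// version anywhere in the tree, including nested copies, and (b) any
// package that would run an install script on `npm install`.
function auditLockfile(lock) {
  const findings = { compromisedAxios: [], installScripts: [] };
  const marker = "node_modules/";
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry, not a dependency
    // Package name is everything after the last "node_modules/" segment,
    // which keeps scoped names such as @usebruno/cli intact.
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    if (name === "axios" && COMPROMISED_AXIOS.has(entry.version)) {
      findings.compromisedAxios.push({ path, version: entry.version });
    }
    if (entry.hasInstallScript) {
      findings.installScripts.push({ path, name, version: entry.version });
    }
  }
  return findings;
}

// Pin axios to an exact version: direct dependency ranges are replaced and
// an npm `overrides` entry forces transitive copies to the same version.
// Returns a new object; the input is not mutated.
function pinAxios(pkg, safeVersion) {
  const out = JSON.parse(JSON.stringify(pkg));
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    if (out[field] && out[field].axios) out[field].axios = safeVersion;
  }
  out.overrides = { ...(out.overrides || {}), axios: safeVersion };
  return out;
}

// Usage: run the audit against the constructed lockfile and show a pinned
// package.json. SAFE_VERSION_PLACEHOLDER stands in for a version you have
// verified against the advisory's guidance.
console.log(JSON.stringify(auditLockfile(sampleLock), null, 2));
console.log(JSON.stringify(
  pinAxios({ name: "example-app", dependencies: { axios: "^1.14.0" } }, "SAFE_VERSION_PLACEHOLDER"),
  null, 2
));
```

In practice, read `package-lock.json` from disk and pass the parsed object to `auditLockfile`. Any hit in `compromisedAxios` means the install window above applies and credentials should be rotated; the `installScripts` list is the set of packages whose hooks ran during that install and is worth comparing against a lockfile from before March 31, 2026. After pinning, `npm ci --ignore-scripts` reinstalls from the lockfile without executing any install hooks.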
Package Versions Affected
References
- https://github.com/usebruno/bruno/security/advisories/GHSA-658g-p7jg-wx5g
- https://github.com/axios/axios/issues/10604
- https://github.com/usebruno/bruno/pull/7632
- https://github.com/advisories/GHSA-fw8c-xr5c-95f9
- https://github.com/usebruno/bruno
- https://www.aikido.dev/blog/axios-npm-compromised-maintainer-hijacked-rat
