CVE-2026-34841
Axios npm Supply Chain Incident Impacting @usebruno/cli
Description
### **Impact**

This is a **supply chain attack** involving compromised versions of the `axios` npm package, which introduced a hidden dependency deploying a cross-platform Remote Access Trojan (RAT). Users of **@usebruno/cli** who ran `npm install` between **00:21 UTC and ~03:30 UTC on March 31, 2026** may have been impacted.

Potential impact includes:

* Execution of a malicious `postinstall` script
* Remote Access Trojan (RAT) installation
* Exfiltration of credentials and sensitive data

**Not impacted:**

* Bruno desktop app users
* Users who installed outside the attack window

### **Patches**

The compromised `axios` versions (`1.14.1`, `0.30.4`) have been **removed from npm**, and new installations will now resolve to safe versions. Additionally, Bruno has taken further hardening steps:

* Pinned `axios` to a known safe version to prevent accidental resolution to malicious releases
* Fix implemented in: [https://github.com/usebruno/bruno/pull/7632](https://github.com/usebruno/bruno/pull/7632)

### **Recommendation**

If users installed **@usebruno/cli** during the affected window:

1. Reinstall dependencies
2. Rotate all credentials and secrets

For additional guidance on securing your system, refer to this article: https://www.aikido.dev/blog/axios-npm-compromised-maintainer-hijacked-rat
How to fix CVE-2026-34841
To remediate CVE-2026-34841, upgrade the affected package to a fixed version below.
- @usebruno/cli: upgrade to 3.2.1 or later
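As an added example (not code from the Bruno project or this advisory), the script below audits a `package-lock.json` for the two pulled `axios` releases and for an `@usebruno/cli` version below the fixed release; the embedded lockfile is a constructed sample.

```python
"""Audit a package-lock.json for the axios releases pulled in CVE-2026-34841.
Added example, not code from the Bruno project; handles lockfileVersion 1
(nested "dependencies") and 2/3 ("packages" keyed by install path)."""
import json
import sys

COMPROMISED_AXIOS = {"1.14.1", "0.30.4"}  # versions removed from npm per the advisory
FIXED_CLI = (3, 2, 1)                     # first @usebruno/cli release with axios pinned

def versions_in_lock(lock: dict, name: str) -> set:
    """Return every resolved version of `name` anywhere in the lockfile tree."""
    found = set()
    for path, meta in lock.get("packages", {}).items():  # lockfileVersion 2/3
        if path.split("node_modules/")[-1] == name and "version" in meta:
            found.add(meta["version"])

    def walk(deps: dict) -> None:  # lockfileVersion 1: nested dependency tree
        for dep, meta in deps.items():
            if dep == name and "version" in meta:
                found.add(meta["version"])
            walk(meta.get("dependencies", {}))

    walk(lock.get("dependencies", {}))
    return found

def semver_tuple(version: str) -> tuple:
    """'3.2.1-beta.1' -> (3, 2, 1); prerelease tags are ignored for this check."""
    return tuple(int(part) for part in version.split("-")[0].split("."))

def audit_lock(lock: dict) -> dict:
    """Report pulled axios versions and @usebruno/cli versions below the fixed release."""
    axios = versions_in_lock(lock, "axios")
    cli = versions_in_lock(lock, "@usebruno/cli")
    return {
        "compromised_axios": sorted(axios & COMPROMISED_AXIOS),
        "cli_below_fix": sorted(v for v in cli if semver_tuple(v) < FIXED_CLI),
    }

# Constructed sample: a v3 lockfile that resolved one of the pulled axios releases.
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "node_modules/@usebruno/cli": {"version": "3.1.0"},
        "node_modules/@usebruno/cli/node_modules/axios": {"version": "1.14.1"},
    },
}

if __name__ == "__main__":  # usage: python audit_lock.py [path/to/package-lock.json]
    lock = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LOCK
    print(json.dumps(audit_lock(lock), indent=2))
```

A non-empty `compromised_axios` list means the lockfile resolved a pulled release during the window and the advisory's reinstall-and-rotate steps apply; a clean lockfile is not proof that the attack-window install never ran, only that the current tree does not pin those versions.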
Is CVE-2026-34841 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- @usebruno/cli: from 0, < 3.2.1