CVE-2026-34841
Axios npm Supply Chain Incident Impacting @usebruno/cli
Description
### **Impact**

This is a **supply chain attack** involving compromised versions of the `axios` npm package, which introduced a hidden dependency deploying a cross-platform Remote Access Trojan (RAT). Users of **@usebruno/cli** who ran `npm install` between **00:21 UTC and ~03:30 UTC on March 31, 2026** may have been impacted.

Potential impact includes:

* Execution of a malicious `postinstall` script
* Remote Access Trojan (RAT) installation
* Exfiltration of credentials and sensitive data

**Not impacted:**

* Bruno desktop app users
* Users who installed outside the attack window

### **Patches**

The compromised `axios` versions (`1.14.1`, `0.30.4`) have been **removed from npm**, and new installations will now resolve to safe versions. Additionally, Bruno has taken further hardening steps:

* Pinned `axios` to a known safe version to prevent accidental resolution to malicious releases
* Fix implemented in: [https://github.com/usebruno/bruno/pull/7632](https://github.com/usebruno/bruno/pull/7632)

### **Recommendation**

If users installed **@usebruno/cli** during the affected window:

1. Reinstall dependencies
2. Rotate all credentials and secrets

For additional guidance on securing your system, refer to this article: https://www.aikido.dev/blog/axios-npm-compromised-maintainer-hijacked-rat
How to patch CVE-2026-34841
To patch CVE-2026-34841, upgrade the affected package to the patched version listed below.
- — Upgrade to 3.2.1 or later
Is CVE-2026-34841 being exploited?
Low — EPSS is 0.0%; no large-scale exploitation activity has been observed so far.
Affected packages (1)
- from 0, < 3.2.1