{"id":"GHSA-658g-p7jg-wx5g","summary":"Axios npm Supply Chain Incident Impacting @usebruno/cli","details":"### **Impact**\n\nThis is a **supply chain attack** involving compromised versions of the `axios` npm package, which introduced a hidden dependency deploying a cross-platform Remote Access Trojan (RAT).\n\nUsers of **@usebruno/cli** who ran `npm install` between **00:21 UTC and ~03:30 UTC on March 31, 2026** may have been impacted.\n\nPotential impact includes:\n\n* Execution of a malicious `postinstall` script\n* Remote Access Trojan (RAT) installation\n* Exfiltration of credentials and sensitive data\n\n**Not impacted:**\n\n* Bruno desktop app users\n* Users who installed outside the attack window\n\n\n### **Patches**\n\nThe compromised `axios` versions (`1.14.1`, `0.30.4`) have been **removed from npm**, and new installations will now resolve to safe versions.\n\nAdditionally, Bruno has taken further hardening steps:\n\n* Pinned `axios` to a known safe version to prevent accidental resolution to malicious releases\n* Fix implemented in: [https://github.com/usebruno/bruno/pull/7632](https://github.com/usebruno/bruno/pull/7632)\n\n\n### **Recommendation**\n\nIf users installed **@usebruno/cli** during the affected window:\n1. Reinstall dependencies\n2. Rotate all credentials and secrets:\n\nFor additional guidance on securing your system, refer to this article:\nhttps://www.aikido.dev/blog/axios-npm-compromised-maintainer-hijacked-rat","aliases":["CVE-2026-34841"],"modified":"2026-04-06T23:49:31.823224Z","published":"2026-04-02T18:34:04Z","database_specific":{"github_reviewed":true,"cwe_ids":["CWE-1395","CWE-494","CWE-506"],"github_reviewed_at":"2026-04-02T18:34:04Z","severity":"CRITICAL","nvd_published_at":"2026-04-06T17:17:10Z"},"references":[{"type":"WEB","url":"https://github.com/usebruno/bruno/security/advisories/GHSA-658g-p7jg-wx5g"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34841"},{"type":"WEB","url":"https://github.com/axios/axios/issues/10604"},{"type":"WEB","url":"https://github.com/usebruno/bruno/pull/7632"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-fw8c-xr5c-95f9"},{"type":"PACKAGE","url":"https://github.com/usebruno/bruno"},{"type":"WEB","url":"https://www.aikido.dev/blog/axios-npm-compromised-maintainer-hijacked-rat"}],"affected":[{"package":{"name":"@usebruno/cli","ecosystem":"npm","purl":"pkg:npm/%40usebruno/cli"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"3.2.1"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-658g-p7jg-wx5g/GHSA-658g-p7jg-wx5g.json","last_known_affected_version_range":"\u003c 3.2.0"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}