GHSA-658G-P7JG-WX5G

Vulnerability from github – Published: 2026-04-02 18:34 – Updated: 2026-04-06 23:41
Summary
Axios npm Supply Chain Incident Impacting @usebruno/cli
Details

Impact

This is a supply chain attack involving compromised versions of the axios npm package, which introduced a hidden dependency deploying a cross-platform Remote Access Trojan (RAT).

Users of @usebruno/cli who ran npm install between 00:21 UTC and ~03:30 UTC on March 31, 2026 may have been impacted.

Potential impact includes:

  • Execution of a malicious postinstall script
  • Remote Access Trojan (RAT) installation
  • Exfiltration of credentials and sensitive data

Not impacted:

  • Bruno desktop app users
  • Users who installed outside the attack window

Patches

The compromised axios versions (1.14.1, 0.30.4) have been removed from npm, and new installations will now resolve to safe versions.

Additionally, Bruno has taken further hardening steps:

  • Pinned axios to a known safe version to prevent accidental resolution to malicious releases
  • Fix implemented in: https://github.com/usebruno/bruno/pull/7632

Recommendation

If users installed @usebruno/cli during the affected window:

  1. Reinstall dependencies
  2. Rotate all credentials and secrets

For additional guidance on securing your system, refer to this article: https://www.aikido.dev/blog/axios-npm-compromised-maintainer-hijacked-rat
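Before reinstalling, it is useful to know whether a project's lockfile actually resolved one of the two axios versions the advisory names. The following Node.js script is an added example, not code from the advisory or from the Bruno project: it walks a package-lock.json (both the lockfileVersion 2/3 "packages" map and the lockfileVersion 1 nested "dependencies" tree) and reports every path where a compromised axios version was pinned. The sample lockfile embedded below is constructed for the demonstration; the only page-sourced values are the two version strings.

```javascript
// Versions the advisory names as compromised (page-sourced values).
const COMPROMISED_AXIOS_VERSIONS = new Set(['1.14.1', '0.30.4']);

// Record one resolved axios version together with the lockfile path that pulled it in.
function add(found, version, path) {
  if (!version) return;
  if (!found.has(version)) found.set(version, []);
  found.get(version).push(path);
}

// lockfileVersion 1 layout: a nested "dependencies" tree, each node carrying "version".
function walkV1(deps, prefix, found) {
  for (const [name, entry] of Object.entries(deps)) {
    const path = `${prefix}node_modules/${name}`;
    if (name === 'axios') add(found, entry.version, path);
    if (entry.dependencies) walkV1(entry.dependencies, `${path}/`, found);
  }
}

// Collect every resolved axios version from a parsed package-lock.json.
// Returns Map<version, string[] of lockfile paths>.
function resolvedAxiosVersions(lock) {
  const found = new Map();

  // lockfileVersion 2/3 layout: "packages" keyed by install path ("" is the root project).
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === '') continue;
      if (path === 'node_modules/axios' || path.endsWith('/node_modules/axios')) {
        add(found, entry.version, path);
      }
    }
  }

  // lockfileVersion 1 layout (v2 lockfiles carry both sections; both are scanned).
  if (lock.dependencies) walkV1(lock.dependencies, '', found);

  return found;
}

// Returns [{ version, paths }] for each compromised axios version present in the lockfile.
// Accepts either the raw JSON text or an already-parsed object.
function findCompromisedAxios(lockJson) {
  const lock = typeof lockJson === 'string' ? JSON.parse(lockJson) : lockJson;
  const hits = [];
  for (const [version, paths] of resolvedAxiosVersions(lock)) {
    if (COMPROMISED_AXIOS_VERSIONS.has(version)) hits.push({ version, paths });
  }
  return hits;
}

// Constructed sample lockfile (not a real project's lockfile): the top-level axios
// resolved to a compromised release, a nested copy elsewhere did not.
const SAMPLE_LOCK = {
  name: 'example-project',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-project', dependencies: { '@usebruno/cli': '0.0.0-sample' } },
    'node_modules/@usebruno/cli': { version: '0.0.0-sample', dependencies: { axios: '*' } },
    'node_modules/axios': { version: '1.14.1' },
    'node_modules/other-lib/node_modules/axios': { version: '1.13.0' },
  },
};

const report = findCompromisedAxios(SAMPLE_LOCK);
if (report.length === 0) {
  console.log('no compromised axios versions in lockfile');
} else {
  for (const { version, paths } of report) {
    console.log(`compromised axios ${version} resolved at: ${paths.join(', ')}`);
  }
}
```

To run this against a real project, read the project's package-lock.json with fs.readFileSync and pass its contents to findCompromisedAxios. A non-empty result means the install may have executed the malicious postinstall script, so the advisory's two steps (reinstall dependencies, rotate credentials and secrets) apply; an empty result only shows what the lockfile pinned, not what was actually installed during the attack window, so it does not by itself rule out exposure.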


{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 3.2.0"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@usebruno/cli"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-34841"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1395",
      "CWE-494",
      "CWE-506"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-02T18:34:04Z",
    "nvd_published_at": "2026-04-06T17:17:10Z",
    "severity": "CRITICAL"
  },
  "details": "### **Impact**\n\nThis is a **supply chain attack** involving compromised versions of the `axios` npm package, which introduced a hidden dependency deploying a cross-platform Remote Access Trojan (RAT).\n\nUsers of **@usebruno/cli** who ran `npm install` between **00:21 UTC and ~03:30 UTC on March 31, 2026** may have been impacted.\n\nPotential impact includes:\n\n* Execution of a malicious `postinstall` script\n* Remote Access Trojan (RAT) installation\n* Exfiltration of credentials and sensitive data\n\n**Not impacted:**\n\n* Bruno desktop app users\n* Users who installed outside the attack window\n\n\n### **Patches**\n\nThe compromised `axios` versions (`1.14.1`, `0.30.4`) have been **removed from npm**, and new installations will now resolve to safe versions.\n\nAdditionally, Bruno has taken further hardening steps:\n\n* Pinned `axios` to a known safe version to prevent accidental resolution to malicious releases\n* Fix implemented in: [https://github.com/usebruno/bruno/pull/7632](https://github.com/usebruno/bruno/pull/7632)\n\n\n### **Recommendation**\n\nIf users installed **@usebruno/cli** during the affected window:\n1. Reinstall dependencies\n2. Rotate all credentials and secrets:\n\nFor additional guidance on securing your system, refer to this article:\nhttps://www.aikido.dev/blog/axios-npm-compromised-maintainer-hijacked-rat",
  "id": "GHSA-658g-p7jg-wx5g",
  "modified": "2026-04-06T23:41:01Z",
  "published": "2026-04-02T18:34:04Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/usebruno/bruno/security/advisories/GHSA-658g-p7jg-wx5g"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34841"
    },
    {
      "type": "WEB",
      "url": "https://github.com/axios/axios/issues/10604"
    },
    {
      "type": "WEB",
      "url": "https://github.com/usebruno/bruno/pull/7632"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-fw8c-xr5c-95f9"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/usebruno/bruno"
    },
    {
      "type": "WEB",
      "url": "https://www.aikido.dev/blog/axios-npm-compromised-maintainer-hijacked-rat"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Axios npm Supply Chain Incident Impacting @usebruno/cli"
}

