{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34841", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-30T20:52:53.285Z", "datePublished": "2026-04-06T16:08:08.198Z", "dateUpdated": "2026-04-06T18:44:13.939Z"}, "containers": {"cna": {"title": "Axios npm Supply Chain Incident Impacting @usebruno/cli", "problemTypes": [{"descriptions": [{"cweId": "CWE-494", "lang": "en", "description": "CWE-494: Download of Code Without Integrity Check", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-506", "lang": "en", "description": "CWE-506: Embedded Malicious Code", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/usebruno/bruno/security/advisories/GHSA-658g-p7jg-wx5g", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/usebruno/bruno/security/advisories/GHSA-658g-p7jg-wx5g"}, {"name": "https://github.com/axios/axios/issues/10604", "tags": ["x_refsource_MISC"], "url": "https://github.com/axios/axios/issues/10604"}, {"name": "https://github.com/usebruno/bruno/pull/7632", "tags": ["x_refsource_MISC"], "url": "https://github.com/usebruno/bruno/pull/7632"}, {"name": "https://www.aikido.dev/blog/axios-npm-compromised-maintainer-hijacked-rat", "tags": ["x_refsource_MISC"], "url": "https://www.aikido.dev/blog/axios-npm-compromised-maintainer-hijacked-rat"}], "affected": [{"vendor": "usebruno", "product": "bruno", "versions": [{"version": "< 3.2.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T16:08:08.198Z"}, "descriptions": [{"lang": "en", "value": "Bruno is an open source IDE for exploring and testing APIs. Prior to 3.2.1, Bruno was affected by a supply chain attack involving compromised versions of the axios npm package, which introduced a hidden dependency deploying a cross-platform Remote Access Trojan (RAT). Users of @usebruno/cli who ran npm install between 00:21 UTC and ~03:30 UTC on March 31, 2026 may have been impacted. Upgrade to 3.2.1"}], "source": {"advisory": "GHSA-658g-p7jg-wx5g", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-06T18:44:04.650872Z", "id": "CVE-2026-34841", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T18:44:13.939Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34841", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-06T18:44:04.650872Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T18:44:10.302Z"}}], "cna": {"title": "Axios npm Supply Chain Incident Impacting @usebruno/cli", "source": {"advisory": "GHSA-658g-p7jg-wx5g", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "usebruno", "product": "bruno", "versions": [{"status": "affected", "version": "< 3.2.1"}]}], "references": [{"url": "https://github.com/usebruno/bruno/security/advisories/GHSA-658g-p7jg-wx5g", "name": "https://github.com/usebruno/bruno/security/advisories/GHSA-658g-p7jg-wx5g", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/axios/axios/issues/10604", "name": "https://github.com/axios/axios/issues/10604", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/usebruno/bruno/pull/7632", "name": "https://github.com/usebruno/bruno/pull/7632", "tags": ["x_refsource_MISC"]}, {"url": "https://www.aikido.dev/blog/axios-npm-compromised-maintainer-hijacked-rat", "name": "https://www.aikido.dev/blog/axios-npm-compromised-maintainer-hijacked-rat", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Bruno is an open source IDE for exploring and testing APIs. Prior to 3.2.1, Bruno was affected by a supply chain attack involving compromised versions of the axios npm package, which introduced a hidden dependency deploying a cross-platform Remote Access Trojan (RAT). Users of @usebruno/cli who ran npm install between 00:21 UTC and ~03:30 UTC on March 31, 2026 may have been impacted. Upgrade to 3.2.1"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-494", "description": "CWE-494: Download of Code Without Integrity Check"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-506", "description": "CWE-506: Embedded Malicious Code"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T16:08:08.198Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34841", "state": "PUBLISHED", "dateUpdated": "2026-04-06T18:44:13.939Z", "dateReserved": "2026-03-30T20:52:53.285Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-06T16:08:08.198Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Bruno is an open source IDE for exploring and testing APIs. Prior to 3.2.1, Bruno was affected by a supply chain attack involving compromised versions of the axios npm package, which introduced a hidden dependency deploying a cross-platform Remote Access Trojan (RAT). Users of @usebruno/cli who ran npm install between 00:21 UTC and ~03:30 UTC on March 31, 2026 may have been impacted. Upgrade to 3.2.1"}], "id": "CVE-2026-34841", "lastModified": "2026-04-06T17:17:10.590", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-06T17:17:10.590", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/axios/axios/issues/10604"}, {"source": "security-advisories@github.com", "url": "https://github.com/usebruno/bruno/pull/7632"}, {"source": "security-advisories@github.com", "url": "https://github.com/usebruno/bruno/security/advisories/GHSA-658g-p7jg-wx5g"}, {"source": "security-advisories@github.com", "url": "https://www.aikido.dev/blog/axios-npm-compromised-maintainer-hijacked-rat"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-494"}, {"lang": "en", "value": "CWE-506"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.2.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "bruno", "source": "cna", "vendor": "usebruno"}, "product": "bruno", "vendor": "usebruno"}], "analysis": {"en": {"generated_at": "2026-04-06T19:38:05.484042+00:00", "value": {"mitigation_remediation": ["Update Bruno to version 3.2.1 or later to replace the compromised Axios dependency.", "Reinstall all project dependencies with a clean npm cache to remove any malicious packages.", "Verify package lock files and run npm audit to ensure no other vulnerable dependencies remain.", "Consider enabling package integrity checks (e.g., npm ci or npm audit) to prevent future supply\u2011chain attacks."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "All installations of Bruno prior to version 3.2.1 that were built using npm between 00:21 and 03:30 UTC on March\u202f31\u202f2026 are potentially compromised. Users of @usebruno/cli who executed npm install during that narrow window may have inadvertently added the malicious Axios package. The issue affects the Bruno IDE (usebruno bruno) and any projects that depend on the vulnerable Axios dependency. No other vendors or products are listed as impacted.", "description_and_impact": "Bruno is a popular open\u2011source IDE for API testing. A compromised version of the widely used Axios library was injected with a hidden dependency that deployed a cross\u2011platform Remote Access Trojan. The backdoor allows an attacker to gain remote code execution, enabling full control over the affected system and posing a threat to confidentiality, integrity and availability. This vulnerability is characterized by CWE\u2011494 (Download of Untrusted Code) and CWE\u2011506 (Embedded Obfuscated Data).", "risk_and_exploitability": "The CVSS base score is 9.8, indicating critical severity, although the EPSS score is not available. The vulnerability is not currently listed in the CISA KEV catalog, but the nature of the supply\u2011chain compromise suggests that exploitation could have already occurred, especially given the global use of Axios. Attackers would need to execute npm install of the poisoned package, which is a common workflow for developers. The window of exposure is limited to a few hours, yet any affected installation remains vulnerable until the library is updated. Immediate remediation is essential for any organization that still uses a compromised version."}}}}, "created": "2026-04-06T20:13:48.508682+00:00", "updated": "2026-04-06T21:31:43.839427+00:00", "vendors": ["usebruno", "usebruno$PRODUCT$bruno"]}