CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description

### **Impact**

This is a **supply chain attack** involving compromised versions of the `axios` npm package, which introduced a hidden dependency deploying a cross-platform Remote Access Trojan (RAT). Users of **@usebruno/cli** who ran `npm install` between **00:21 UTC and ~03:30 UTC on March 31, 2026** may have been impacted.

Potential impact includes:

* Execution of a malicious `postinstall` script
* Remote Access Trojan (RAT) installation
* Exfiltration of credentials and sensitive data

**Not impacted:**

* Bruno desktop app users
* Users who installed outside the attack window

### **Patches**

The compromised `axios` versions (`1.14.1`, `0.30.4`) have been **removed from npm**, and new installations will now resolve to safe versions. Additionally, Bruno has taken further hardening steps:

* Pinned `axios` to a known safe version to prevent accidental resolution to malicious releases
* Fix implemented in: [https://github.com/usebruno/bruno/pull/7632](https://github.com/usebruno/bruno/pull/7632)

### **Recommendation**

If users installed **@usebruno/cli** during the affected window:

1. Reinstall dependencies
2. Rotate all credentials and secrets:

For additional guidance on securing your system, refer to this article: https://www.aikido.dev/blog/axios-npm-compromised-maintainer-hijacked-rat
Analysis
Supply chain compromise of @usebruno/cli (Bruno API testing tool) deployed a cross-platform Remote Access Trojan via malicious axios dependency versions 1.14.1 and 0.30.4 on npm during a 3-hour window (00:21-03:30 UTC, March 31, 2026). Unauthenticated remote attackers gained full system compromise including credential exfiltration and persistent RAT installation on affected developer workstations. …
Remediation
24 hours: Identify all developer workstations with @usebruno/cli installed; assume all systems in scope are compromised and isolate from sensitive networks pending forensics. Initiate mandatory credential rotation for all users who worked on affected systems during the attack window (00:21-03:30 UTC March 31, 2026). …
EUVD-2026-19354
GHSA-658g-p7jg-wx5g