GitHub_M·CWE-494·Published 2026-04-02
Bruno is an open source IDE for exploring and testing APIs. Prior to 3.2.1, Bruno was affected by a supply chain attack involving compromised versions of the axios npm package, which introduced a hidden dependency deploying a cross-platform Remote Access Trojan (RAT). Users of @usebruno/cli who ran npm install between 00:21 UTC and ~03:30 UTC on March 31, 2026 may have been impacted. Upgrade to 3.2.1.
### **Impact**

This is a **supply chain attack** involving compromised versions of the `axios` npm package, which introduced a hidden dependency deploying a cross-platform Remote Access Trojan (RAT). Users of **@usebruno/cli** who ran `npm install` between **00:21 UTC and ~03:30 UTC on March 31, 2026** may have been impacted.

Potential impact includes:

* Execution of a malicious `postinstall` script
* Remote Access Trojan (RAT) installation
* Exfiltration of credentials and sensitive data

**Not impacted:**

* Bruno desktop app users
* Users who installed outside the attack window

### **Patches**

The compromised `axios` versions (`1.14.1`, `0.30.4`) have been **removed from npm**, and new installations will now resolve to safe versions. Additionally, Bruno has taken further hardening steps:

* Pinned `axios` to a known safe version to prevent accidental resolution to malicious releases
* Fix implemented in: [https://github.com/usebruno/bruno/pull/7632](https://github.com/usebruno/bruno/pull/7632)

### **Recommendation**

If users installed **@usebruno/cli** during the affected window:

1. Reinstall dependencies
2. Rotate all credentials and secrets

For additional guidance on securing your system, refer to this article: https://www.aikido.dev/blog/axios-npm-compromised-maintainer-hijacked-rat
| CVSS version | Type | Source | Base score | Exploitability | Impact | Vector |
|---|---|---|---|---|---|---|
| 3.1 | Primary | cve.org | 9.8 | — | — | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | Secondary | NVD | 9.8 | 3.9 | 5.9 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | Secondary | GHSA | 9.8 | — | — | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |