GHSA-658g-p7jg-wx5g
Suggest an improvement- Source
- https://github.com/advisories/GHSA-658g-p7jg-wx5g
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-658g-p7jg-wx5g/GHSA-658g-p7jg-wx5g.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-658g-p7jg-wx5g
- Aliases
-
- CVE-2026-34841
- Published
- 2026-04-02T18:34:04Z
- Modified
- 2026-04-06T23:49:31.823224Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- Axios npm Supply Chain Incident Impacting @usebruno/cli
- Details
-
Impact
This is a supply chain attack involving compromised versions of the
axiosnpm package, which introduced a hidden dependency deploying a cross-platform Remote Access Trojan (RAT).Users of @usebruno/cli who ran
npm installbetween 00:21 UTC and ~03:30 UTC on March 31, 2026 may have been impacted.Potential impact includes:
- Execution of a malicious
postinstallscript - Remote Access Trojan (RAT) installation
- Exfiltration of credentials and sensitive data
Not impacted:
- Bruno desktop app users
- Users who installed outside the attack window
Patches
The compromised
axiosversions (1.14.1,0.30.4) have been removed from npm, and new installations will now resolve to safe versions.Additionally, Bruno has taken further hardening steps:
- Pinned
axiosto a known safe version to prevent accidental resolution to malicious releases - Fix implemented in: https://github.com/usebruno/bruno/pull/7632
Recommendation
If users installed @usebruno/cli during the affected window: 1. Reinstall dependencies 2. Rotate all credentials and secrets:
For additional guidance on securing your system, refer to this article: https://www.aikido.dev/blog/axios-npm-compromised-maintainer-hijacked-rat
- Execution of a malicious
- Database specific
{ "severity": "CRITICAL", "cwe_ids": [ "CWE-1395", "CWE-494", "CWE-506" ], "github_reviewed": true, "github_reviewed_at": "2026-04-02T18:34:04Z", "nvd_published_at": "2026-04-06T17:17:10Z" }- References
-
- https://github.com/usebruno/bruno/security/advisories/GHSA-658g-p7jg-wx5g
- https://nvd.nist.gov/vuln/detail/CVE-2026-34841
- https://github.com/axios/axios/issues/10604
- https://github.com/usebruno/bruno/pull/7632
- https://github.com/advisories/GHSA-fw8c-xr5c-95f9
- https://github.com/usebruno/bruno
- https://www.aikido.dev/blog/axios-npm-compromised-maintainer-hijacked-rat
Affected packages
npm / @usebruno/cli
Package
- Name
- @usebruno/cli
- View open source insights on deps.dev
- Purl
- pkg:npm/%40usebruno/cli