PT-2026-29908 — @Usebruno/Cli

PT-2026-29908 · Npm · @Usebruno/Cli

Published

2026-04-02

Updated

2026-04-02

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Impact

This is a supply chain attack involving compromised versions of the axios npm package, which introduced a hidden dependency deploying a cross-platform Remote Access Trojan (RAT).

Users of @usebruno/cli who ran npm install between 00:21 UTC and ~03:30 UTC on March 31, 2026 may have been impacted.

Potential impact includes:

Execution of a malicious postinstall script
Remote Access Trojan (RAT) installation
Exfiltration of credentials and sensitive data

Not impacted:

Bruno desktop app users
Users who installed outside the attack window

Patches

The compromised axios versions (1.14.1, 0.30.4) have been removed from npm, and new installations will now resolve to safe versions.

Additionally, Bruno has taken further hardening steps:

Pinned axios to a known safe version to prevent accidental resolution to malicious releases
Fix implemented in: https://github.com/usebruno/bruno/pull/7632

Recommendation

If users installed @usebruno/cli during the affected window:

Reinstall dependencies
Rotate all credentials and secrets:

For additional guidance on securing your system, refer to this article: https://www.aikido.dev/blog/axios-npm-compromised-maintainer-hijacked-rat

Fix

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-506CWE-1395CWE-494

Related Identifiers

GHSA-658G-P7JG-WX5G

Affected Products