PT-2026-29967 · Unknown+1 · @Usebruno/Cli+1

Ashishkurmi · Published 2026-04-02 · Updated 2026-04-06 · CVE-2026-34841

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

@usebruno/cli versions installed between 00:21 UTC and ~03:30 UTC on March 31, 2026

Description

A supply chain attack involving compromised versions of the axios npm package introduced a hidden dependency deploying a cross-platform Remote Access Trojan (RAT). Users of @usebruno/cli who ran npm install during the affected time window may have been impacted, potentially leading to the execution of a malicious postinstall script, RAT installation, and exfiltration of credentials and sensitive data. Bruno desktop app users and those who installed outside the attack window were not impacted. The compromised axios versions (1.14.1, 0.30.4) have been removed from npm.

Recommendations

If you installed @usebruno/cli during the affected window, reinstall dependencies. Rotate all credentials and secrets.

Fix

RCE

Weakness Enumeration

Related Identifiers

CVE-2026-34841
GHSA-658G-P7JG-WX5G

Affected Products

@Usebruno/Cli
Axios