CVE-2026-34841 Overview
Bruno is an open source IDE for exploring and testing APIs. Prior to version 3.2.1, Bruno was affected by a supply chain attack involving compromised versions of the axios npm package, which introduced a hidden dependency deploying a cross-platform Remote Access Trojan (RAT). Users of @usebruno/cli who ran npm install between 00:21 UTC and ~03:30 UTC on March 31, 2026 may have been impacted by this malicious payload.
Critical Impact
This supply chain compromise deployed a cross-platform RAT through a trusted npm dependency, potentially granting attackers full remote access to affected developer systems during the vulnerable installation window.
Affected Products
- Bruno API IDE versions prior to 3.2.1
- @usebruno/cli npm package (installations between 00:21 UTC and ~03:30 UTC on March 31, 2026)
- Systems that installed compromised axios npm package versions during the attack window
Discovery Timeline
- 2026-04-06 - CVE CVE-2026-34841 published to NVD
- 2026-04-07 - Last updated in NVD database
Technical Details for CVE-2026-34841
Vulnerability Analysis
This vulnerability represents a software supply chain attack (CWE-494: Download of Code Without Integrity Check) where the widely-used axios npm package was compromised by an attacker who gained control of a maintainer account. The compromised package introduced a hidden dependency that deployed a cross-platform Remote Access Trojan (RAT) to affected systems.
The attack was particularly dangerous because it targeted developer machines through a trusted dependency chain. When users of @usebruno/cli executed npm install during the attack window, the malicious code was automatically downloaded and executed as part of the normal installation process. This supply chain vector bypasses traditional security controls that focus on application-level threats.
Root Cause
The root cause of this vulnerability lies in the compromise of a maintainer's account for the axios npm package. This allowed the attacker to publish malicious versions containing a hidden dependency that deployed a RAT. The attack exploited the inherent trust model of package managers where dependencies are automatically fetched and executed without integrity verification against known-good states.
Attack Vector
The attack vector leveraged the npm package ecosystem's automatic dependency resolution. When developers installed or updated Bruno's CLI tool during the attack window, npm would fetch the compromised axios package. The malicious payload was designed to be cross-platform, meaning it could affect Windows, macOS, and Linux development environments. Once executed during the installation process, the RAT established persistent remote access capabilities, potentially allowing attackers to:
- Exfiltrate sensitive source code and credentials
- Monitor developer activity
- Pivot to internal networks
- Inject malicious code into projects under development
For detailed technical analysis of the compromise mechanism, refer to the GitHub Security Advisory GHSA-658g and the Aikido Blog Post on NPM Compromise.
Detection Methods for CVE-2026-34841
Indicators of Compromise
- Presence of unexpected network connections from Node.js processes to unknown external endpoints
- Unusual child processes spawned during or after npm install operations
- Modified or new files in system directories created during the attack window (March 31, 2026, 00:21-03:30 UTC)
- Unexpected persistence mechanisms (startup scripts, scheduled tasks, launch agents)
Detection Strategies
- Review package-lock.json and node_modules for axios versions installed during the attack timeframe
- Audit npm installation logs from March 31, 2026 for suspicious post-install scripts
- Search for network connections to command-and-control infrastructure identified in threat intelligence feeds
- Compare file hashes of installed axios packages against known-good versions
Monitoring Recommendations
- Implement Software Composition Analysis (SCA) tools to detect compromised dependencies
- Enable npm audit and integrate it into CI/CD pipelines
- Monitor for anomalous outbound network traffic from development environments
- Deploy endpoint detection and response (EDR) solutions like SentinelOne on developer workstations
How to Mitigate CVE-2026-34841
Immediate Actions Required
- Upgrade Bruno to version 3.2.1 or later immediately
- If npm install was executed during the attack window (March 31, 2026, 00:21-03:30 UTC), assume compromise and perform forensic analysis
- Remove and reinstall node_modules with current, clean package versions
- Rotate all credentials that may have been accessible from affected development machines
Patch Information
The Bruno development team has released version 3.2.1 which removes the dependency on the compromised axios package versions. Users should update immediately by running npm update @usebruno/cli or reinstalling the package. The fix was implemented through GitHub Pull Request #7632. Additional context about the axios package compromise can be found in the GitHub Issue Discussion.
Workarounds
- Delete existing node_modules folder and package-lock.json, then perform a fresh installation with verified clean packages
- Use npm's --ignore-scripts flag during installation to prevent post-install script execution while investigating
- Implement package pinning and lockfile verification in development workflows
- Consider using a private npm registry or artifact repository that caches verified package versions
# Remediation steps for affected systems
rm -rf node_modules package-lock.json
npm cache clean --force
npm install @usebruno/cli@3.2.1
npm audit
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
