CVE-2026-34841
Received - Intake
Supply Chain RAT via Compromised Axios in Bruno CLI

Publication date: 2026-04-06

Last updated on: 2026-04-22

Assigner: GitHub, Inc.

Description
Bruno is an open source IDE for exploring and testing APIs. Prior to 3.2.1, Bruno was affected by a supply chain attack involving compromised versions of the axios npm package, which introduced a hidden dependency deploying a cross-platform Remote Access Trojan (RAT). Users of @usebruno/cli who ran npm install between 00:21 UTC and ~03:30 UTC on March 31, 2026 may have been impacted. Upgrade to 3.2.1.
Meta Information
Published: 2026-04-06
Last Modified: 2026-04-22
Generated: 2026-05-07
AI Q&A: 2026-04-06
EPSS Evaluated: 2026-05-05
NVD
EUVD
Affected Vendors & Products
Vendor: usebruno
Product: bruno
Version / Range: up to 3.2.1 (exc)
CWE
  • CWE-506: The product contains code that appears to be malicious in nature.
  • CWE-494: The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-34841 is a supply chain attack targeting the popular npm package axios. The attacker hijacked the npm account of the lead axios maintainer and published malicious versions (1.14.1 and 0.30.4) that introduced a hidden dependency called `plain-crypto-js`. This dependency contained a postinstall hook that deployed a cross-platform Remote Access Trojan (RAT) on affected systems.

The RAT targeted macOS, Windows, and Linux by downloading platform-specific payloads that executed stealthily and self-destructed after installation, making detection difficult. The malicious versions were published manually using a stolen npm token, bypassing normal release processes, and existed for less than 24 hours before being pulled.

Users of the Bruno IDE's @usebruno/cli who ran npm install during the attack window (March 31, 2026, 00:21 UTC to ~03:30 UTC) may have been impacted.


How can this vulnerability impact me?

This vulnerability can lead to unauthorized remote access to your system through the deployed Remote Access Trojan (RAT). The RAT can execute arbitrary commands, potentially leading to full system compromise.

  • Compromise of sensitive data and credentials stored on the affected system.
  • Potential lateral movement within your network if the compromised system has network access.
  • Stealthy infection that self-destructs after execution, making detection and remediation difficult without full system rebuild.
  • Disruption of development workflows if the compromised package is part of your software supply chain.

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking for the presence of malicious axios versions and related artifacts on your system.

  • Manually check for malicious axios versions 1.14.1 or 0.30.4 using npm commands such as `npm list axios` or inspecting your `package-lock.json` file.
  • Check for the presence of the `plain-crypto-js` directory in your `node_modules` folder, which indicates the dropper ran.
  • Search for RAT artifacts on disk depending on your operating system:
    - macOS: Check for the binary at `/Library/Caches/com.apple.act.mond`
    - Windows: Look for `%PROGRAMDATA%\wt.exe` (a copied PowerShell interpreter) and hidden VBScript execution
    - Linux: Look for the Python script at `/tmp/ld.py`

Because the malware self-destructs and cleans up evidence, inspecting system log files and using specialized tools like the free Aikido platform's Malware Monitor can help detect the compromise by flagging axios@1.14.1, axios@0.30.4, or the `plain-crypto-js` package.


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include upgrading and pinning dependencies, removing malicious packages, and securing your environment.

  • Upgrade axios to a safe version, such as 1.14.0 for 1.x users or 0.30.3 for 0.x users, and pin axios to a fixed version (e.g., 1.13.6) in your `package.json` and root-level overrides to prevent malicious updates.
  • Remove the `plain-crypto-js` package from `node_modules` and reinstall dependencies using `npm install --ignore-scripts` to avoid running malicious postinstall hooks.
  • If RAT artifacts are found on your system, do not attempt in-place cleaning; instead, rebuild the system from a known-good state.
  • Rotate all credentials accessible on the compromised system, including npm tokens, AWS keys, SSH keys, CI/CD secrets, and environment variables.
  • Audit CI/CD pipeline logs for installations of the affected axios versions and enforce running `npm ci --ignore-scripts` in CI/CD pipelines as a preventive measure.

Additionally, consider enforcing a minimum package release age (e.g., 30 days) to avoid installing newly published malicious packages.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The CVE-2026-34841 vulnerability involves a supply chain attack that introduced a remote access trojan (RAT) through compromised versions of the axios npm package. This RAT could lead to unauthorized access and control over affected systems, potentially resulting in data breaches or unauthorized data exposure.

Such unauthorized access and potential data compromise can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls over personal and sensitive data to prevent breaches and unauthorized access.

Organizations using affected versions of axios or the Bruno IDE prior to version 3.2.1 may face increased risk of non-compliance due to the possibility of data exposure or system compromise caused by the RAT.

Mitigation steps such as upgrading to safe versions, removing malicious dependencies, rotating credentials, and auditing CI/CD pipelines are critical to restoring compliance and reducing risk.

