Bruno is an open source IDE for exploring and testing APIs. Prior to 3.2.1, Bruno was affected by a supply chain attack involving compromised versions of the axios npm package, which introduced a hidden dependency deploying a cross-platform Remote Access Trojan (RAT). Users of @usebruno/cli who ran npm install between 00:21 UTC and ~03:30 UTC on March 31, 2026 may have been impacted. Upgrade to 3.2.1
The attackers took control of the axios package in the npm registry and published a compromised version containing a hidden dependency (CWE-506: Embedded Malicious Code). This package downloaded and installed a cross-platform Remote Access Trojan (RAT) on the victim's system without their knowledge (CWE-494: Download of Code Without Integrity Check). Users who installed @usebruno/cli between 00:21 UTC and approximately 03:30 UTC on March 31, 2026, could have downloaded the infected version of the dependency.
The attacker could gain full remote access to the victim's system through the installed RAT, which means the possibility of data theft, machine control takeover, and further lateral movement within the organization's network.
Bruno should be updated immediately to version 3.2.1 or later. If the package installation occurred within the 00:21–03:30 UTC window on March 31, 2026, it is recommended to consider the system potentially compromised: perform an audit of active processes and network connections, rotate stored credentials, and consider reinstalling the operating system.
@usebruno/cli package versions prior to 3.2.1, installed using npm install within the time window 00:21–03:30 UTC on March 31, 2026
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HUsebruno Bruno
APPUsebruno< 3.2.1
Related vulnerabilities
Bruno is an open source IDE for exploring and testing APIs. Prior to 1.39.1, the custom tool-tip components wh...
Bruno is an open source IDE for exploring and testing APIs. A bug in the assertion runtime caused assert expre...
Bruno before 1.29.1 uses Electron shell.openExternal without validation (of http or https) for opening windows...