CRITICAL🇵🇱 Wersja polska

CVE-2026-34841

CVSS 9.8v3.1pub. 2026-04-06upd. 2026-04-22

Bruno is an open source IDE for exploring and testing APIs. Prior to 3.2.1, Bruno was affected by a supply chain attack involving compromised versions of the axios npm package, which introduced a hidden dependency deploying a cross-platform Remote Access Trojan (RAT). Users of @usebruno/cli who ran npm install between 00:21 UTC and ~03:30 UTC on March 31, 2026 may have been impacted. Upgrade to 3.2.1

🤖 AI Analysis
How it works

The attackers took control of the axios package in the npm registry and published a compromised version containing a hidden dependency (CWE-506: Embedded Malicious Code). This package downloaded and installed a cross-platform Remote Access Trojan (RAT) on the victim's system without their knowledge (CWE-494: Download of Code Without Integrity Check). Users who installed @usebruno/cli between 00:21 UTC and approximately 03:30 UTC on March 31, 2026, could have downloaded the infected version of the dependency.

Impact

The attacker could gain full remote access to the victim's system through the installed RAT, which means the possibility of data theft, machine control takeover, and further lateral movement within the organization's network.

Mitigation & patch

Bruno should be updated immediately to version 3.2.1 or later. If the package installation occurred within the 00:21–03:30 UTC window on March 31, 2026, it is recommended to consider the system potentially compromised: perform an audit of active processes and network connections, rotate stored credentials, and consider reinstalling the operating system.

Who is affected

@usebruno/cli package versions prior to 3.2.1, installed using npm install within the time window 00:21–03:30 UTC on March 31, 2026

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Usebruno Bruno

    APP
    Usebruno
    < 3.2.1
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2025-30210HIGH8.7ten sam produkt

Bruno is an open source IDE for exploring and testing APIs. Prior to 1.39.1, the custom tool-tip components wh...

CVE-2025-30354HIGH8.7ten sam produkt

Bruno is an open source IDE for exploring and testing APIs. A bug in the assertion runtime caused assert expre...

CVE-2024-48463MEDIUM6.5ten sam produkt

Bruno before 1.29.1 uses Electron shell.openExternal without validation (of http or https) for opening windows...