Publish GHSA-658g-p7jg-wx5g

advisory-database[bot] · advisory-database[bot] · commit b56ee43ccf39 · 2026-04-02T18:36:30.000Z
diff --git a/advisories/github-reviewed/2026/04/GHSA-658g-p7jg-wx5g/GHSA-658g-p7jg-wx5g.json b/advisories/github-reviewed/2026/04/GHSA-658g-p7jg-wx5g/GHSA-658g-p7jg-wx5g.json
@@ -0,0 +1,78 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-658g-p7jg-wx5g",
+  "modified": "2026-04-02T18:34:04Z",
+  "published": "2026-04-02T18:34:04Z",
+  "aliases": [
+    "CVE-2026-34841"
+  ],
+  "summary": "Axios npm Supply Chain Incident Impacting @usebruno/cli",
+  "details": "### **Impact**\n\nThis is a **supply chain attack** involving compromised versions of the `axios` npm package, which introduced a hidden dependency deploying a cross-platform Remote Access Trojan (RAT).\n\nUsers of **@usebruno/cli** who ran `npm install` between **00:21 UTC and ~03:30 UTC on March 31, 2026** may have been impacted.\n\nPotential impact includes:\n\n* Execution of a malicious `postinstall` script\n* Remote Access Trojan (RAT) installation\n* Exfiltration of credentials and sensitive data\n\n**Not impacted:**\n\n* Bruno desktop app users\n* Users who installed outside the attack window\n\n\n### **Patches**\n\nThe compromised `axios` versions (`1.14.1`, `0.30.4`) have been **removed from npm**, and new installations will now resolve to safe versions.\n\nAdditionally, Bruno has taken further hardening steps:\n\n* Pinned `axios` to a known safe version to prevent accidental resolution to malicious releases\n* Fix implemented in: [https://github.com/usebruno/bruno/pull/7632](https://github.com/usebruno/bruno/pull/7632)\n\n\n### **Recommendation**\n\nIf users installed **@usebruno/cli** during the affected window:\n1. Reinstall dependencies\n2. Rotate all credentials and secrets:\n\nFor additional guidance on securing your system, refer to this article:\nhttps://www.aikido.dev/blog/axios-npm-compromised-maintainer-hijacked-rat",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "@usebruno/cli"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "3.2.1"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "< 3.2.0"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/usebruno/bruno/security/advisories/GHSA-658g-p7jg-wx5g"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/axios/axios/issues/10604"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/usebruno/bruno/pull/7632"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/advisories/GHSA-fw8c-xr5c-95f9"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/usebruno/bruno"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.aikido.dev/blog/axios-npm-compromised-maintainer-hijacked-rat"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-1395",
+      "CWE-494",
+      "CWE-506"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-02T18:34:04Z",
+    "nvd_published_at": null
+  }
+}
