CVE-2026-34841
Published: 06 April 2026
Summary
CVE-2026-34841 is a critical-severity Download of Code Without Integrity Check (CWE-494) vulnerability in Usebruno Bruno. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Compromise Software Dependencies and Development Tools (T1195.001). It is ranked at the 8.3 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related: it is categorised as Other AI Platforms, in the Supply Chain and Deployment risk domain.
The strongest mitigations our analysis identified are NIST 800-53 CM-14 (Signed Components) and SA-12 (Supply Chain Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Requires verification of component authenticity for npm packages like the compromised axios, preventing installation of versions with hidden RAT dependencies.
- Mandates protections against supply chain risks, directly addressing compromises in third-party open-source dependencies such as axios.
- Enforces digital signing of software components, ensuring npm packages are verified for tampering before installation and RAT deployment.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a supply chain compromise where a malicious version of the axios dependency was used to deploy a RAT via npm install, directly mapping to compromise of software dependencies and development tools.
NVD Description
Bruno is an open source IDE for exploring and testing APIs. Prior to 3.2.1, Bruno was affected by a supply chain attack involving compromised versions of the axios npm package, which introduced a hidden dependency deploying a cross-platform Remote Access Trojan (RAT). Users of @usebruno/cli who ran npm install between 00:21 UTC and ~03:30 UTC on March 31, 2026 may have been impacted. Upgrade to 3.2.1.
Deeper analysis
CVE-2026-34841 is a supply chain vulnerability affecting Bruno, an open source IDE for exploring and testing APIs, in versions prior to 3.2.1. The issue arises from compromised versions of the axios npm package, which introduced a hidden dependency that deploys a cross-platform Remote Access Trojan (RAT). It specifically impacts users of the @usebruno/cli package who ran npm install between 00:21 UTC and approximately 03:30 UTC on March 31, 2026. The vulnerability is rated critical with a CVSS v3.1 score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-494 and CWE-506.
Any user executing the affected npm install command during the specified time window on March 31, 2026, could unwittingly deploy the RAT, with no privileges, authentication, or additional user interaction required. Attackers leveraging this supply chain compromise achieve high-impact remote access, enabling full compromise of confidentiality, integrity, and availability on the victim's system across platforms.
Advisories and patches, detailed in GitHub issues such as axios#10604 and Bruno pull request #7632, along with Bruno's security advisory GHSA-658g-p7jg-wx5g, recommend immediate upgrade to Bruno version 3.2.1 to remove the compromised dependency and prevent RAT deployment. Additional analysis is available from Aikido.dev.
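The controls above (signed components, supply chain protection) come down to one concrete habit on the consuming side: never let a dependency be installed from a tarball whose hash was not pinned in advance, which is exactly the CWE-494 weakness this record is filed under. The script below is an added example, not code from Bruno, axios or the advisory. It audits an npm package-lock.json (the real v2/v3 layout, where each entry under "packages" carries a resolved URL and an SRI "sha512-..." integrity string), flags entries that are unpinned or use a weak digest, flags an @usebruno/cli entry below the 3.2.1 fix version the advisory names, and recomputes a tarball's SRI to compare against the lockfile, which is the check npm ci performs and an out-of-band verifier can repeat. The lockfile, versions, hostnames and tarball bytes are constructed samples, not real releases.

```python
"""Audit an npm lockfile for integrity pinning (added example, not project code)."""
import base64
import hashlib
import hmac
import json

# Fix version taken from the advisory text; the constant is this example's own.
FIXED_VERSION = (3, 2, 1)


def parse_version(version: str) -> tuple:
    """Turn '3.2.1' or '3.2.1-beta' into a comparable tuple (3, 2, 1)."""
    return tuple(int(part) for part in version.split("-")[0].split("."))


def sri_sha512(data: bytes) -> str:
    """Compute the Subresource Integrity string npm stores for a tarball."""
    return "sha512-" + base64.b64encode(hashlib.sha512(data).digest()).decode("ascii")


def verify_tarball(data: bytes, expected_sri: str) -> bool:
    """Constant-time comparison of a downloaded tarball against the pinned SRI."""
    return hmac.compare_digest(sri_sha512(data), expected_sri)


def audit_lockfile(lock: dict, package: str = "@usebruno/cli",
                   fixed: tuple = FIXED_VERSION) -> list:
    """Return (package name, problem) pairs for entries a defender should act on."""
    findings = []
    for path, entry in lock.get("packages", {}).items():
        if path == "":            # the root project entry is not a dependency
            continue
        # Scoped packages keep their scope: 'node_modules/@scope/name' -> '@scope/name'
        name = entry.get("name") or path.rsplit("node_modules/", 1)[-1]
        if not entry.get("resolved"):
            findings.append((name, "missing resolved URL"))
        if not entry.get("integrity", "").startswith("sha512-"):
            findings.append((name, "missing or weak integrity (expected sha512 SRI)"))
        if name == package and parse_version(entry["version"]) < fixed:
            findings.append((name, "version %s is below fixed %s"
                             % (entry["version"], ".".join(map(str, fixed)))))
    return findings


# Constructed sample tarball bytes; only their hash matters here.
SAMPLE_TARBALL = b"\x1f\x8b" + b"constructed sample tarball, not a real package"

# Constructed lockfile: versions, hosts and digests are placeholders.
SAMPLE_LOCK = {
    "name": "sample-project",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "sample-project", "version": "1.0.0"},
        "node_modules/@usebruno/cli": {
            "version": "3.1.0",                       # placeholder, below 3.2.1
            "resolved": "https://registry.example/@usebruno/cli/-/cli-3.1.0.tgz",
            "integrity": sri_sha512(SAMPLE_TARBALL),  # properly pinned
        },
        "node_modules/axios": {
            "version": "0.0.0",                       # placeholder version
            "resolved": "https://registry.example/axios/-/axios-0.0.0.tgz",
            "integrity": "sha1-AAAA",                 # weak digest, not sha512
        },
        "node_modules/unpinned-dep": {"version": "2.0.0"},  # nothing pinned at all
    },
}


def audit_lockfile_text(text: str) -> list:
    """Convenience wrapper for a lockfile read from disk."""
    return audit_lockfile(json.loads(text))


if __name__ == "__main__":
    for name, problem in audit_lockfile(SAMPLE_LOCK):
        print("%-20s %s" % (name, problem))
    pinned = SAMPLE_LOCK["packages"]["node_modules/@usebruno/cli"]["integrity"]
    print("tarball matches lockfile:", verify_tarball(SAMPLE_TARBALL, pinned))
```

Run it against a real project by replacing SAMPLE_LOCK with the parsed package-lock.json; an empty findings list means every dependency is pinned to a sha512 digest and the CLI is at or above the fixed version. The tarball comparison uses hmac.compare_digest so the check does not leak timing, which matters little for a local audit but is the right default for any verifier you later expose over a network.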
Details
- CWE(s): CWE-494, CWE-506
- Affected Products: Usebruno Bruno (@usebruno/cli), versions prior to 3.2.1
AI Security Analysis
- AI Category: Other AI Platforms
- Risk Domain: Supply Chain and Deployment
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: trojan