What is the severity of CVE-2026-34841?

CVE-2026-34841 has a CVSS v3 score of 0, which is classified as Low severity.

Is there an exploit available for CVE-2026-34841?

No known public exploits are currently available for CVE-2026-34841.

Is there a patch available for CVE-2026-34841?

Yes, patches are available for CVE-2026-34841. Check the vendor advisories for update instructions.

CVE-2026-34841 - CVE Details, Severity, and Analysis

Q: What is CVE-2026-34841?

### **Impact** This is a **supply chain attack** involving compromised versions of the `axios` npm package, which introduced a hidden dependency deploying a cross-platform Remote Access Trojan (RAT). Users of **@usebruno/cli** who ran `npm install` between **00:21 UTC and ~03:30 UTC on March 31, 2026** may have been impacted. Potential impact includes: * Execution of a malicious `postinstall` script * Remote Access Trojan (RAT) installation * Exfiltration of credentials and sensitive data **Not impacted:** * Bruno desktop app users * Users who installed outside the attack window ### **Patches** The compromised `axios` versions (`1.14.1`, `0.30.4`) have been **removed from npm**, and new installations will now resolve to safe versions. Additionally, Bruno has taken further hardening steps: * Pinned `axios` to a known safe version to prevent accidental resolution to malicious releases * Fix implemented in: [https://github.com/usebruno/bruno/pull/7632](https://github.com/usebruno/bruno/pull/7632) ### **Recommendation** If users installed **@usebruno/cli** during the affected window: 1. Reinstall dependencies 2. Rotate all credentials and secrets: For additional guidance on securing your system, refer to this article: https://www.aikido.dev/blog/axios-npm-compromised-maintainer-hijacked-rat

Severity Scores

CVSS v30.0

CVSS v20.0

Priority Score0.0

EPSS Score0.0

None

Exploitation LikelihoodMinimal

0.00%EPSS

Very low probability of exploitation

Monitor and patch as resources allow

0.00%

EPSS

0.0

CVSS

No

Exploit

Yes

Patch

Low Priority

no major risk factors

EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.

Description

Impact

This is a supply chain attack involving compromised versions of the axios npm package, which introduced a hidden dependency deploying a cross-platform Remote Access Trojan (RAT).

Users of @usebruno/cli who ran npm install between 00:21 UTC and ~03:30 UTC on March 31, 2026 may have been impacted.

Potential impact includes:

Execution of a malicious postinstall script
Remote Access Trojan (RAT) installation
Exfiltration of credentials and sensitive data

Not impacted:

Bruno desktop app users
Users who installed outside the attack window

Patches

The compromised axios versions (1.14.1, 0.30.4) have been removed from npm, and new installations will now resolve to safe versions.

Additionally, Bruno has taken further hardening steps:

Pinned axios to a known safe version to prevent accidental resolution to malicious releases
Fix implemented in: https://github.com/usebruno/bruno/pull/7632

Recommendation

If users installed @usebruno/cli during the affected window:

Reinstall dependencies
Rotate all credentials and secrets:

For additional guidance on securing your system, refer to this article: https://www.aikido.dev/blog/axios-npm-compromised-maintainer-hijacked-rat

CVSS v3 Breakdown

Attack Vector:-

Attack Complexity:-

Privileges Required:-

User Interaction:-

Scope:-

Confidentiality:-

Integrity:-

Availability:-

Ready for Agentic Automated Testing?

CVE-2026-34841

Impact

Patches

Recommendation

Threat Intelligence