Nixpkgs security tracker
Untriaged
Permalink
CVE-2026-34841
9.8 CRITICAL
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): None (N)
- User Interaction (UI): None (N)
- Scope (S): Unchanged (U)
- Confidentiality (C): High (H)
- Integrity (I): High (H)
- Availability (A): High (H)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): Low (L)
- Modified Privileges Required (MPR): None (N)
- Modified User Interaction (MUI): None (N)
- Modified Confidentiality (MC): High (H)
- Modified Scope (MS): Unchanged (U)
- Modified Integrity (MI): High (H)
- Modified Availability (MA): High (H)
Activity log
- Created suggestion
Axios npm Supply Chain Incident Impacting @usebruno/cli
Bruno is an open source IDE for exploring and testing APIs. Prior to 3.2.1, Bruno was affected by a supply chain attack involving compromised versions of the axios npm package, which introduced a hidden dependency deploying a cross-platform Remote Access Trojan (RAT). Users of @usebruno/cli who ran npm install between 00:21 UTC and ~03:30 UTC on March 31, 2026 may have been impacted. Upgrade to 3.2.1
References
-
https://github.com/usebruno/bruno/security/advisories/GHSA-658g-p7jg-wx5g x_refsource_CONFIRM
-
https://github.com/axios/axios/issues/10604 x_refsource_MISC
-
https://github.com/usebruno/bruno/pull/7632 x_refsource_MISC
Affected products
bruno
- ==< 3.2.1
Matching in nixpkgs
pkgs.bruno
Open-source IDE For exploring and testing APIs
Package maintainers
-
@gepbird Gutyina Gergő <gutyina.gergo.2@gmail.com>
-
@lucasew Lucas Eduardo Wendt <lucas59356@gmail.com>
-
@mattpolzin Matt Polzin <matt.polzin@gmail.com>
-
@water-sucks Varun Narravula <varun@snare.dev>
-
@redyf Mateus Alves <mateusalvespereira7@gmail.com>
-
@kashw2 Keanu Ashwell <supra4keanu@hotmail.com>