Bruno IDE Supply Chain Attack via Compromised Axios Package Introduces Remote Access Trojan
Vulnerability
A supply chain attack has been identified affecting Bruno, an open-source IDE for API exploration and testing. The attack involved compromised versions of the axios npm package, axios@1.14.1 and axios@0.30.4, published from a hijacked maintainer account. These versions introduced a hidden dependency that deployed a cross-platform Remote Access Trojan (RAT) targeting macOS, Windows, and Linux. Users of @usebruno/cli who installed the package during the attack window on March 31, 2026, may have been affected. The malicious axios versions have since been removed from npm, and Bruno has pinned axios to a safe version in its latest release.
Impact
The compromised axios package ran a malicious postinstall script that installed a Remote Access Trojan (RAT) on the user's system. The RAT exfiltrated credentials and other sensitive data, and the malware deleted itself after execution, leaving no trace in the node_modules directory.
Remediation
Users of @usebruno/cli who installed axios during the attack window should reinstall dependencies, remove the plain-crypto-js package, and rotate all credentials and secrets. For detailed guidance, refer to the Aikido blog post on this incident.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.
