Impact
Bruno is a popular open‑source IDE for API testing. A compromised version of the widely used Axios library was published with a hidden dependency that deployed a cross‑platform Remote Access Trojan. The backdoor gives an attacker remote code execution, and therefore full control over the affected system, threatening confidentiality, integrity and availability. This vulnerability is characterized by CWE‑494 (Download of Untrusted Code) and CWE‑506 (Embedded Obfuscated Data).
Affected Systems
All installations of Bruno prior to version 3.2.1 that were built using npm between 00:21 and 03:30 UTC on March 31 2026 are potentially compromised. Users of @usebruno/cli who executed npm install during that narrow window may have inadvertently added the malicious Axios package. The issue affects the Bruno IDE (usebruno bruno) and any projects that depend on the vulnerable Axios dependency. No other vendors or products are listed as impacted.
Risk and Exploitability
The CVSS base score is 9.8, indicating critical severity, although the EPSS score is not available. The vulnerability is not currently listed in the CISA KEV catalog, but the nature of the supply‑chain compromise suggests that exploitation could have already occurred, especially given the global use of Axios. Exploitation requires nothing more than a victim running npm install and pulling the poisoned package, which is a routine developer workflow. The window of exposure is limited to a few hours, yet any affected installation remains vulnerable until the library is updated. Immediate remediation is essential for any organization that still uses a compromised version.