CRITICAL · CVE-2026-34841 · CVSS 9.8

Axios npm Supply Chain Incident Impacting @usebruno/cli


Platform: nodejs

Component: axios

Fixed in: 3.2.2

AI Confidence: high · NVD · EPSS 0.0% · Reviewed: May 2026

CVE-2026-34841 tracks a critical supply chain attack on Axios, a popular JavaScript library for making HTTP requests. Compromised versions of the Axios npm package introduced a hidden dependency that deployed a cross-platform Remote Access Trojan (RAT). Exposure was limited to installs that resolved the compromised release while it was live on the registry, a window on March 31, 2026 (00:21 to roughly 03:30 UTC, as given in the FAQ below). The affected range and fix version recorded in the Affected Software section (below 3.2.1, fixed in 3.2.2) are recorded against vendor usebruno, that is, the @usebruno/cli package named in the title, which pulled in the compromised Axios release; the Axios package itself is listed there at 1.16.0.

Impact and Attack Scenarios

The primary impact of CVE-2026-34841 is unauthorized remote access to, and control over, any machine on which the compromised package was installed: developer workstations, CI runners and servers alike. The RAT lets an attacker execute arbitrary commands, steal sensitive data (including API keys, credentials and source code) and establish persistent backdoors. The attack is particularly concerning because it rides on the trust placed in the npm ecosystem: the malicious code arrives through a routine install of a well-known library, which is not something a developer reviews by hand. Like other supply chain attacks of this kind, it underlines the need for robust dependency management and security scanning. The blast radius extends to every application and pipeline that resolved the compromised release, and to every secret reachable from those hosts.

Exploitation Context

This vulnerability was publicly disclosed on April 6, 2026, six days after the compromise window, which points to a rapid response from security researchers. No confirmed exploitation reports are public as of this writing, and the Threat Intelligence section below records no CISA KEV listing and an SSVC exploitation status of "none". Those fields should not be read as reassurance: the compromised package was itself the payload, so any host that installed it while the malicious release was live has already run the RAT and should be treated as compromised. A separate public proof of concept is not what to watch for here; exposure is decided by whether the malicious release was installed, not by whether exploit code circulates.

Who Is at Risk

Developers and organizations whose Node.js projects depend on Axios, directly or transitively, and who installed or updated dependencies through npm during the compromise window are at risk. Shared hosting and build environments, CI pipelines and applications with automated dependency updates are especially exposed, because they may have pulled the compromised release automatically without anyone noticing. The age of the version a project normally runs is not what matters: a project pinned to an older release that was not reinstalled during the window did not receive the malicious package, whereas a project with a floating version range and no lockfile takes whatever the registry served at install time. Lax dependency management therefore raises the risk.

Detection Steps

• nodejs / supply-chain: list running Node.js processes with their executable path and start time, so that a process launched from an unexpected location stands out:

Get-Process | Where-Object { $_.ProcessName -match 'node' } | Select-Object Id, ProcessName, Path, StartTime

• nodejs / supply-chain: locate every installed copy of axios under the current directory (nested copies included) and print its version next to its path:

Get-ChildItem -Path . -Recurse -Directory -Filter axios | Where-Object { $_.Parent.Name -eq 'node_modules' } | ForEach-Object { $p = Get-Content -Raw (Join-Path $_.FullName 'package.json') | ConvertFrom-Json; "$($p.version)  $($_.FullName)" }

• nodejs / supply-chain: ask npm for every copy of axios in the dependency tree (a depth of 0 would only show direct dependencies):

npm ls axios --all

• generic web: check for unusual established network connections owned by Node.js processes (with netstat, run `netstat -ano | findstr ESTABLISHED` and match the PID column against the Node.js process IDs listed above):

Get-NetTCPConnection -State Established | Where-Object { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName -match 'node' } | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess

Attack Timeline

  1. Discovery: compromise window (March 31, 2026)

  2. Disclosure: public disclosure (April 6, 2026)

  3. CISA KEV: KEV listing (none recorded as of this review; see Threat Intelligence)

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: NO
Internet Exposure: High
Reports: 1 threat report
NextGuard: 100% still vulnerable

EPSS

0.03% (8th percentile)

CISA SSVC

Exploitation: none
Automatable: yes
Technical Impact: total

CVSS Vector

THREAT INTELLIGENCE · CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (9.8 CRITICAL)

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit)
Privileges Required: None (level of authentication required)
User Interaction: None (whether a victim action is required)
Scope: Unchanged (impact beyond the affected component)
Confidentiality: High (risk of sensitive data exposure)
Integrity: High (risk of unauthorized data modification)
Availability: High (risk of service interruption)

nextguardhq.com · CVSS v3.1 base score

What do these metrics mean?

Attack Vector
Network: exploitable remotely over the internet. No physical or local access required.
Attack Complexity
Low: no special conditions required. Reliably exploitable.
Privileges Required
None: unauthenticated. No credentials required to exploit.
User Interaction
None: automatic and silent attack. The victim does nothing.
Scope
Unchanged: impact limited to the vulnerable component.
Confidentiality
High: total loss of confidentiality. The attacker can read all data.
Integrity
High: the attacker can write, modify or delete all data.
Availability
High: complete outage or resource exhaustion. Total denial of service.

Affected Software

Component: axios
Vendor: usebruno
Affected range: < 3.2.1
Fixed in: 3.2.2

Package information

Latest release: 1.16.0 (recently)

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The immediate mitigation for CVE-2026-34841 is to upgrade the affected package to 3.2.2 or later, the fixed release recorded in the Affected Software section, and to confirm with `npm ls axios --all` that no compromised copy remains anywhere in the dependency tree. Upgrading does not undo what the RAT may already have done. If a host installed the compromised release during the compromise window, treat it as compromised: isolate it, rotate every credential, API key and token that was reachable from it, and rebuild it from a clean image rather than simply updating the package. Where an immediate upgrade is not feasible because of compatibility issues or breaking changes, isolate the affected applications and apply stricter egress network controls to limit the damage. Review all dependencies and use npm audit or yarn audit to surface other known issues, keeping in mind that these tools report against advisory databases and will not catch a compromised release that has not yet been flagged. Pin dependencies exactly, commit the lockfile and install with npm ci in CI so that a build cannot silently pick up a different release. Maintain a Software Bill of Materials (SBOM) for visibility into what each deployed artifact actually contains.

How to Fix

Update the affected package to 3.2.2 or later (the fixed release recorded on this page) to remove the supply chain risk posed by the cross-platform remote access trojan. Check your projects' dependency trees to make sure no compromised axios release remains installed, and treat any host that installed one during the compromise window as compromised. Consider supply chain security analysis tools to detect and prevent future attacks.


Frequently Asked Questions

What is CVE-2026-34841 — RAT in Axios?

CVE-2026-34841 is a critical vulnerability in which compromised Axios npm packages deployed a cross-platform Remote Access Trojan (RAT), giving attackers unauthorized access to any system that installed them.

Am I affected by CVE-2026-34841 in Axios?

You are affected if your project resolved an affected version (this page's affected-software record lists the range as below 3.2.1) and you ran npm install between March 31, 2026, 00:21 UTC and approximately 03:30 UTC. Check your dependencies immediately.

How do I fix CVE-2026-34841 in Axios?

Upgrade to 3.2.2 or later, the fixed release recorded on this page. If an immediate upgrade is not possible, isolate affected applications and tighten network controls, and rotate any credentials the affected hosts could reach.

Is CVE-2026-34841 being actively exploited?

No confirmed exploitation reports are public and the SSVC exploitation field on this page records none. Because the payload is a RAT, any host that installed a compromised version should nonetheless be treated as compromised. Monitor your systems closely.

Where can I find the official Axios advisory for CVE-2026-34841?

Refer to the npm security advisory and related security blogs for updates and further information: [https://www.npmjs.com/advisories/1774](https://www.npmjs.com/advisories/1774)
