vanemmerik.ai / SUPPLY-CHAIN
Supply Chain · Watch · Sunday 31 May 2026 · End-of-day synthesis · 4 watches · 7 items

From the watchtower — what crossed the wire today.

A four-times-a-day standing watch on the open-source supply chain. Each pass pulls newly disclosed CVEs, freshly catalogued KEV adds, and active attacks reported in the wild — then ranks them by severity for the day.

The story of the day — DPRK's Contagious Interview crew ports its npm playbook to PHP, dropping malware in a Packagist-listed package on an otherwise quiet KEV-burndown Sunday.

Most of today's signal is patch-backlog work. The morning and forenoon passes backfilled six CISA KEV adds from the first three weeks of May: Cisco Catalyst SD-WAN, sitting under Emergency Directive ED-26-03; two PAN-OS bugs (a Captive Portal root RCE and a separate GlobalProtect auth-bypass); a LiteLLM SQL injection that leaks every upstream model-provider key the proxy brokers; the Linux kernel privilege escalation (CWE-669, incorrect resource transfer between spheres) from the xint.io copy_fail series; and an admin-required Ivanti EPMM RCE that historically chains with last quarter's pre-auth bugs.

The day's only fresh active-campaign signal landed at 18:41 UTC with Socket's writeup of Famous Chollima (North Korea's Contagious Interview cluster) moving from npm into Packagist. The malicious loader sits inside a legitimate-looking Packagist-listed PHP package and on its corresponding GitHub branch, fetching and executing remote code during `composer install` under cover of a hiring lure. The TTP is identical to the npm-side Contagious Interview campaigns this watch has tracked for the last eighteen months: same actor, same lure, new ecosystem. The bright spot is CISA itself: the 20 May historical batch (MS08-067, the Aurora-era IE use-after-frees, Acrobat 9's heap overflow, the DirectX QuickTime parser bug) puts the KEV catalogue to deliberate use as written external evidence for finally retiring the long tail of EoL Windows, Reader and IE still parked in the OT and kiosk corners of the estate.

→ Operational priority for the night: if your PHP build pulls Packagist packages onto developer workstations or CI without an allowlist, vendor the dependencies you trust and block the rest before Monday's first `composer install`. Famous Chollima's payload fetches on install, not on first run.

18:00 ET · First Watch

Famous Chollima ports its npm playbook to Packagist — DPRK Contagious Interview loader hides inside a real PHP package and its GitHub branch, fetching remote code on install

Socket caught a live malicious package on Packagist (the PHP ecosystem's npm-equivalent registry) attributed to Famous Chollima, the North Korean cluster behind the Contagious Interview hiring-lure campaigns that have been hitting npm for eighteen months. The loader sits in a legitimate-looking package and on a corresponding GitHub branch, fetching and executing an obfuscated remote payload during a normal `composer install`. The cross-ecosystem migration is the story: same actor, same TTP (a fake recruiter sends the candidate a coding test that pulls a poisoned dependency), now landed on PHP. If your developers install PHP packages from Packagist on their workstations without a vendoring / allowlist gate, treat every workstation or CI runner whose `composer.lock` resolved the package since its first publication as suspect, and pull the IOCs from Socket's writeup. Longer term: the 'candidate-as-vector' playbook is now ecosystem-agnostic, so interview environments should run in throwaway VMs regardless of language.
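As an added example (not Socket's tooling and not code from the page), here is the kind of pre-install allowlist gate this item and the operational priority at the top of the page call for. It reads a project's composer.lock and composer.json and blocks anything the team has not vendored and reviewed: packages missing from the allowlist, allowlisted packages whose dist reference has drifted from the reviewed commit, composer-plugin packages (which execute during install), and allow-plugins grants for packages the allowlist does not know about. The lock and config excerpts are constructed for this example, the vendor names are hypothetical, and the allowlist format (package name to reviewed dist reference) is a convention assumed here, not a Composer feature.

```python
import json
from typing import Any

# Constructed composer.lock excerpt (hypothetical vendors, not a real project):
# acme/logger is pinned and allowlisted, acme/devtool is an unreviewed
# composer-plugin, acme/testkit is allowlisted at a different commit.
LOCK_JSON = """
{
  "packages": [
    {"name": "acme/logger", "version": "2.1.0", "type": "library",
     "dist": {"type": "zip", "reference": "1a2b3c4d"}},
    {"name": "acme/devtool", "version": "0.3.1", "type": "composer-plugin",
     "dist": {"type": "zip", "reference": "deadbeef"}}
  ],
  "packages-dev": [
    {"name": "acme/testkit", "version": "1.0.0", "type": "library",
     "dist": {"type": "zip", "reference": "cafe0000"}}
  ]
}
"""

# Constructed composer.json excerpt: config.allow-plugins grants acme/devtool.
COMPOSER_JSON = """
{"config": {"allow-plugins": {"acme/devtool": true}}}
"""

# Allowlist convention assumed for this example: package name -> the
# dist.reference (git commit) the team vendored and reviewed.
ALLOWLIST = {"acme/logger": "1a2b3c4d", "acme/testkit": "cafe1111"}


def audit_lock(lock: dict[str, Any], composer: dict[str, Any],
               allowlist: dict[str, str]) -> list[str]:
    """Return one finding per package the allowlist does not vouch for."""
    findings: list[str] = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            name = pkg["name"]
            ref = pkg.get("dist", {}).get("reference")
            if name not in allowlist:
                findings.append(f"{name}: not allowlisted")
            elif allowlist[name] != ref:
                findings.append(f"{name}: reference drift {allowlist[name]} -> {ref}")
            # composer-plugin packages run code at install time, so even an
            # allowlisted one gets its own finding for a human to look at.
            if pkg.get("type") == "composer-plugin":
                findings.append(f"{name}: composer-plugin executes during install")
    # A plugin grant for a package the allowlist has never reviewed.
    grants = composer.get("config", {}).get("allow-plugins", {})
    if isinstance(grants, dict):
        for name, enabled in grants.items():
            if enabled and name not in allowlist:
                findings.append(f"{name}: allow-plugins grant for non-allowlisted package")
    return sorted(findings)


def gate(lock_text: str, composer_text: str,
         allowlist: dict[str, str] = ALLOWLIST) -> list[str]:
    """Parse both files and audit them; an empty list means install may proceed."""
    return audit_lock(json.loads(lock_text), json.loads(composer_text), allowlist)


if __name__ == "__main__":
    findings = gate(LOCK_JSON, COMPOSER_JSON)
    for f in findings:
        print("BLOCK", f)
    raise SystemExit(1 if findings else 0)
```

Run it as the step before `composer install` in CI and as a pre-commit hook on composer.lock; a non-zero exit on any finding is the gate. Pinning `dist.reference` rather than the version string catches a re-tagged release as well as a brand-new package. The gate only keeps unreviewed code away from the install step; it does not replace reading what you vendor.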

06:00 ET · Morning Watch

KEV backfill: Cisco Catalyst SD-WAN Controller / Manager auth bypass (CVE-2026-20182) — unauthenticated path to administrative privilege, sitting under active CISA Emergency Directive ED-26-03

Backfilled from the 14 May KEV add, its first appearance on this watch. CVE-2026-20182 is an unauthenticated auth-bypass in the Cisco Catalyst SD-WAN Controller and Manager (the on-prem brain that pushes config to the edge fabric) that hands an attacker administrative privilege on the orchestration plane. The KEV entry is the lighter of the two signals here: CISA also issued Emergency Directive ED-26-03 and a supplemental Hunt and Hardening directive, the same posture it took for Ivanti Connect Secure in 2024. If you operate Catalyst SD-WAN on-prem, the ED is still active: patch per Cisco advisory cisco-sa-sdwan-rpa2-v69WY2SW, then walk the Hunt guidance for signs of post-exploitation config push (rogue policies, new admin users, unexpected vSmart/vBond trust changes). If you outsource SD-WAN, get written confirmation from your provider that it has patched and run the Hunt steps on your behalf.

KEV backfill: Palo Alto PAN-OS Captive Portal out-of-bounds write (CVE-2026-0300) — unauthenticated RCE as root on PA-Series and VM-Series firewalls

Backfilled from the 6 May KEV add; distinct from yesterday's CVE-2026-0257 GlobalProtect auth-bypass but in the same product. CVE-2026-0300 is an out-of-bounds write (CWE-787) in the User-ID Authentication Portal (Captive Portal) handler that lets an unauthenticated attacker execute code as root on PA-Series and VM-Series firewalls via a crafted packet. This is the more severe of PAN-OS's two recent KEV adds: 0257 gets an attacker onto the VPN, 0300 gets them root on the firewall itself. If you patched 0257 yesterday under the 3-day federal clock you may already be covered, but verify that the PAN-OS train your fixed build belongs to also carries the 0300 fix (see https://security.paloaltonetworks.com/CVE-2026-0300). If you do not use Captive Portal, disable it in the User-ID configuration as a defense-in-depth step regardless.

KEV backfill: BerriAI LiteLLM SQL injection (CVE-2026-42208) — attacker reads (and potentially writes) the LLM-proxy database, exfiltrating model-provider API keys

Backfilled from the 8 May KEV add. LiteLLM is the open-source proxy many teams put in front of OpenAI / Anthropic / Bedrock so internal apps see one API and one auth surface; its database stores the per-team virtual keys it issues and the upstream provider keys it brokers. A SQL injection in the proxy lets an attacker read, and possibly modify, that database: harvest every model-provider credential the proxy holds and, worse, mint virtual keys that look legitimate to your billing. Patch per the LiteLLM advisory, then rotate every upstream provider key (OpenAI, Anthropic, Azure, Bedrock IAM, Vertex SA) the proxy has touched and revoke any virtual keys not in your inventory. The operational shape is the same as the GitHub Actions 'reusable proxy with stored credentials' incidents: the proxy concentrates blast radius.

KEV backfill: Linux kernel sphere-transfer privilege escalation (CVE-2026-31431) — local LPE, patched in stable trees, distro packages now catching up

Backfilled from the 1 May KEV add. CVE-2026-31431 is the kernel half of the xint.io 'copy_fail' series, an incorrect resource transfer between spheres (CWE-669) that allows local privilege escalation. Local LPE is rarely a first-mover bug, but it is the standard last step in the container-escape and CI-runner chains this watch has spent the last 18 months tracking, which is presumably why CISA flagged it. The kernel fix landed in the stable trees on 22 April; today's operational ask is making sure your distro images (Amazon Linux 2023, Ubuntu 22.04/24.04, RHEL/Alma/Rocky, Debian stable) have absorbed it. If you run a custom kernel, check the patch at git.kernel.org and confirm it is present in your build. If you have a GitHub Actions self-hosted runner fleet or a Kubernetes node pool you have not rebooted in May, schedule it: a kernel package update does nothing for the running kernel until the host reboots (or is live-patched).

KEV backfill: Ivanti Endpoint Manager Mobile (EPMM) input validation — authenticated-admin RCE (CVE-2026-6973), May 2026 advisory bundle

Backfilled from the 7 May KEV add. CVE-2026-6973 is an improper-input-validation RCE in Ivanti EPMM, but it requires a remotely authenticated user who already holds administrative access, which is why it sits at context rather than high. The reason to track it: EPMM has shipped enough auth-bypass and pre-auth bugs in the last two years (CVE-2023-35078, CVE-2024-22026, the May 2025 chain) that 'admin-required' in EPMM usually means 'admin obtained by chaining one of last quarter's bugs'. Apply Ivanti's May 2026 advisory bundle (it patches several other CVEs in the same release), confirm the EPMM admin UI is not internet-reachable, and review admin-account audit logs for sessions that did not originate from your jump-host range.
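An added example of that last review step, written for this page rather than taken from Ivanti or the watch's own tooling: a check that flags successful admin logins, and admin-account creations, whose source address falls outside the jump-host ranges. The record layout (timestamp, event, key=value fields) is constructed for this example and is not EPMM's real audit-log format; map an export of your own logs onto the same fields. The jump-host CIDRs are placeholders. The same logic serves the Catalyst SD-WAN hunt further up the page, where "new admin users" from an unexpected source is one of the things to look for.

```python
import ipaddress
import re
from typing import Iterable, Optional

# Placeholder jump-host ranges; substitute your own.
JUMP_HOST_RANGES = [ipaddress.ip_network(n) for n in ("10.20.30.0/28", "10.99.0.0/24")]

# Constructed admin-audit records for this example. The layout is invented
# here and is not EPMM's actual log format.
AUDIT_LINES = """\
2026-05-29T08:12:03Z LOGIN user=admin src=10.20.30.5 result=success
2026-05-29T21:47:10Z LOGIN user=admin src=203.0.113.77 result=success
2026-05-30T02:05:41Z LOGIN user=svc-mdm src=10.20.30.9 result=failure
2026-05-30T02:06:12Z LOGIN user=svc-mdm src=198.51.100.4 result=success
2026-05-30T02:09:55Z USER_CREATE user=svc-mdm target=ops-backup role=admin src=198.51.100.4
garbage line that should be skipped
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>[A-Z_]+) (?P<kv>.*)$")


def parse(line: str) -> Optional[dict]:
    """Split one record into a dict; return None for lines that do not fit."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m["ts"], "event": m["event"]}
    for pair in m["kv"].split():
        key, sep, value = pair.partition("=")
        if key and sep:
            rec[key] = value
    return rec


def from_jump_host(src: str, ranges=JUMP_HOST_RANGES) -> bool:
    """True only if src parses as an address inside one of the trusted ranges."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return False  # an unparseable source is treated as untrusted
    return any(ip in net for net in ranges)


def flag_admin_activity(lines: Iterable[str], ranges=JUMP_HOST_RANGES) -> list[dict]:
    """Return records worth a human look: admin sessions or admin-account
    creations that did not come through the jump hosts."""
    findings = []
    for raw in lines:
        rec = parse(raw.strip())
        if not rec or "src" not in rec or from_jump_host(rec["src"], ranges):
            continue
        if rec["event"] == "LOGIN" and rec.get("result") == "success":
            findings.append({**rec, "reason": "admin session from outside jump-host range"})
        elif rec["event"] == "USER_CREATE" and rec.get("role") == "admin":
            findings.append({**rec, "reason": "admin account created from outside jump-host range"})
    return findings


if __name__ == "__main__":
    for hit in flag_admin_activity(AUDIT_LINES.splitlines()):
        print(hit["ts"], hit["event"], hit["src"], hit["reason"])
```

Failed logins from inside the range are deliberately ignored here; failed logins from outside it are a separate (and noisier) question if the admin UI is internet-reachable, which the item above says it should not be. The second hit in the sample, an admin account created two minutes after a successful login from the same non-jump address, is the pattern that turns "review the logs" into an incident.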

KEV historical backfill (added 2026-05-20): five end-of-life Microsoft / Adobe RCEs from 2008–2010 — MS08-067 (CVE-2008-4250), DirectX QuickTime (CVE-2009-1537), Acrobat heap overflow (CVE-2009-3459), IE UAFs CVE-2010-0249 + CVE-2010-0806

CISA spent 20 May adding five long-known, long-exploited classics to KEV: MS08-067 (the Conficker-era Server Service RPC buffer overflow), the DirectX QuickTime parser bug from MS09-028, the Adobe Acrobat heap overflow from APSB09-15, and the two Aurora-era IE use-after-frees CVE-2010-0249 and CVE-2010-0806. All five affect end-of-life products, so the operational implication for any team running modern Windows or modern Reader is nil. They are on the page for the signal: KEV continues to be used as the definitive 'still-being-exploited-in-the-wild' ledger, including against EoL targets still running in industrial / OT / kiosk corners of the estate. If your inventory still has a Windows XP or Server 2003 box, an unpatched Acrobat 9, or IE6–8 anywhere, the KEV add is your written external evidence to retire it.
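A worked example of the watch's own mechanics described at the top of the page (pull the day's KEV adds, skip the ones already handled) and of the retirement evidence this item recommends, as added code that is neither CISA's nor the page's: it reads an excerpt in the shape of CISA's KEV JSON feed, returns the adds since a given date that the watch has not yet seen, and maps every entry against an asset inventory so each EoL box gets its CVE list. The excerpt uses the real feed's field names (cveID, vendorProject, product, dateAdded) but is trimmed to the entries this page mentions and to those fields; the inventory and the vendor/product matching heuristic are constructed assumptions for the example.

```python
import json
from datetime import date

# Constructed excerpt in the shape of the CISA KEV feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json),
# trimmed to the fields this example reads and to this page's entries.
KEV_JSON = """
{"title": "CISA Catalog of Known Exploited Vulnerabilities",
 "vulnerabilities": [
  {"cveID": "CVE-2008-4250", "vendorProject": "Microsoft", "product": "Windows", "dateAdded": "2026-05-20"},
  {"cveID": "CVE-2009-1537", "vendorProject": "Microsoft", "product": "DirectX", "dateAdded": "2026-05-20"},
  {"cveID": "CVE-2009-3459", "vendorProject": "Adobe", "product": "Acrobat", "dateAdded": "2026-05-20"},
  {"cveID": "CVE-2010-0249", "vendorProject": "Microsoft", "product": "Internet Explorer", "dateAdded": "2026-05-20"},
  {"cveID": "CVE-2010-0806", "vendorProject": "Microsoft", "product": "Internet Explorer", "dateAdded": "2026-05-20"},
  {"cveID": "CVE-2026-0300", "vendorProject": "Palo Alto Networks", "product": "PAN-OS", "dateAdded": "2026-05-06"},
  {"cveID": "CVE-2026-31431", "vendorProject": "Linux", "product": "Kernel", "dateAdded": "2026-05-01"}
 ]}
"""

# Constructed asset inventory; asset names and placement are hypothetical.
INVENTORY = [
    {"asset": "kiosk-07", "vendor": "Microsoft", "product": "Windows XP"},
    {"asset": "hmi-02", "vendor": "Microsoft", "product": "Internet Explorer 8"},
    {"asset": "hmi-02", "vendor": "Adobe", "product": "Acrobat 9"},
    {"asset": "fw-edge-1", "vendor": "Palo Alto Networks", "product": "PAN-OS"},
    {"asset": "ci-runner-3", "vendor": "Linux", "product": "Linux Kernel"},
]


def load_feed(text: str) -> list[dict]:
    return json.loads(text)["vulnerabilities"]


def adds_since(entries: list[dict], since: date, seen: set[str]) -> list[dict]:
    """KEV entries added on or after `since` that the watch has not already handled,
    oldest first. `seen` is the set of cveIDs from earlier passes."""
    fresh = [e for e in entries
             if date.fromisoformat(e["dateAdded"]) >= since and e["cveID"] not in seen]
    return sorted(fresh, key=lambda e: (e["dateAdded"], e["cveID"]))


def _matches(entry: dict, asset: dict) -> bool:
    # Heuristic assumed for this example: same vendor (case-insensitive) and the
    # KEV product name appears inside the inventory's product string.
    return (entry["vendorProject"].lower() == asset["vendor"].lower()
            and entry["product"].lower() in asset["product"].lower())


def inventory_exposure(entries: list[dict], inventory: list[dict]) -> dict[str, list[str]]:
    """Map each asset to the sorted KEV cveIDs whose vendor/product it matches."""
    exposure: dict[str, set[str]] = {}
    for asset in inventory:
        for entry in entries:
            if _matches(entry, asset):
                exposure.setdefault(asset["asset"], set()).add(entry["cveID"])
    return {name: sorted(cves) for name, cves in exposure.items()}


if __name__ == "__main__":
    feed = load_feed(KEV_JSON)
    for e in adds_since(feed, date(2026, 5, 10), seen={"CVE-2010-0249"}):
        print("new KEV add:", e["dateAdded"], e["cveID"], e["vendorProject"], e["product"])
    for asset, cves in inventory_exposure(feed, INVENTORY).items():
        print(asset, "->", ", ".join(cves))
```

The `seen` set is what makes backfill passes idempotent: an add that slipped past an earlier watch shows up once and is then recorded. The substring match on product is intentionally loose so that "Windows XP" catches a "Windows" entry; tighten it against your own inventory's naming before trusting a clean result, and treat a non-empty list for a kiosk or HMI as the written evidence this item describes.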