vanemmerik.ai / SUPPLY-CHAIN
Supply Chain · Watch · Monday · 01 June 2026 · End-of-day synthesis · 4 watches · 17 items

From the watchtower — what crossed the wire today.

A four-times-a-day standing watch on the open-source supply chain. Each pass pulls newly disclosed CVEs, freshly catalogued KEV adds, and active attacks reported in the wild — then ranks them by severity for the day.

The story of the day — Mini Shai-Hulud lands inside Red Hat's official npm scope — the trusted-vendor namespace compromise the ecosystem has been preparing for since last summer.

Red Hat's official @redhat-cloud-services npm scope was backdoored today with a worm derived from the open-sourced Mini Shai-Hulud malware. Socket caught it first; Aikido, BleepingComputer, and The Hacker News (which is calling the campaign "Miasma") corroborated within hours.

This is the trusted-vendor shape the npm ecosystem has been bracing for since last summer's original Shai-Hulud: install-time payload, CI/CD secret exfiltration, self-propagation to reachable repositories. The day's other live attack — codexui-android, an npm package marketed as a remote UI for OpenAI Codex — is smaller (29,000+ weekly downloads, still live on npm at writing) but carries the same install-on-trust shape and is exfiltrating Codex auth tokens from every developer who runs it. Underneath the active campaigns, three KEV adds reinforce the registry-trust theme — Nx Console's VS Code extension (CISA flags ransomware use as known), TanStack's npm packages (same flag), and a fresh same-day Oracle WebLogic add with a 72-hour federal deadline. The developer-tooling layer is having a bad week: dual critical Vitest browser-mode CVEs and six concurrent praisonai-platform authorization advisories round out the slate.

→ Operational priority for the night: grep every CI build log and developer-workstation install record from the past 72 hours for @redhat-cloud-services, codexui-android, @tanstack/*, and Nx Console; treat any match as a credentials-compromised build, rotate cloud and OpenAI/Codex tokens that touched those environments, and pin lockfiles to clean versions before tomorrow's first build.
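For the lockfile half of that sweep, a small auditor is more reliable than a text grep because it also catches nested and aliased installs. This is an added example, not tooling from this watch or from any vendor; the sample lockfile, the package names under the scopes and every version string are constructed placeholders.

```python
import json

# Watch list from the operational priority above. Nx Console is a VS Code
# extension, not an npm dependency, so lockfiles cannot reveal it.
WATCH_SCOPES = ("@redhat-cloud-services/", "@tanstack/")
WATCH_NAMES = ("codexui-android",)

def is_watched(name):
    return name in WATCH_NAMES or name.startswith(WATCH_SCOPES)

def find_watched(lock):
    """Return sorted (name, version, location) for every watched package."""
    hits = set()
    if "packages" in lock:
        # lockfileVersion 2/3: flat map keyed by install path.
        for path, meta in lock["packages"].items():
            if "node_modules/" not in path:
                continue  # root project or workspace folder
            # An aliased install records its real name in "name".
            name = meta.get("name") or path.rsplit("node_modules/", 1)[1]
            if is_watched(name):
                hits.add((name, meta.get("version", "?"), path))
    else:
        # lockfileVersion 1: nested "dependencies" tree.
        def walk(deps, trail):
            for name, meta in deps.items():
                here = f"{trail} > {name}" if trail else name
                if is_watched(name):
                    hits.add((name, meta.get("version", "?"), here))
                walk(meta.get("dependencies", {}), here)
        walk(lock.get("dependencies", {}), "")
    return sorted(hits)

# Constructed sample: package names under the scopes and all versions are
# placeholders, not indicators from any advisory.
SAMPLE_LOCK = json.loads("""{
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/left-pad": {"version": "1.3.0"},
    "node_modules/@tanstack/react-query": {"version": "0.0.0-sample"},
    "node_modules/ui/node_modules/@redhat-cloud-services/example-pkg": {"version": "0.0.0-sample"},
    "node_modules/codex-remote": {"name": "codexui-android", "version": "0.0.0-sample"}
  }
}""")

if __name__ == "__main__":
    for hit in find_watched(SAMPLE_LOCK):
        print(*hit)
```

Any hit is a reason to treat the build as exposed regardless of version; the version column is there to help choose the rollback target.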

18:00 ET · First Watch

Oracle WebLogic Server unspecified RCE (CVE-2024-21182) added to CISA KEV — unauthenticated T3/IIOP attack, June 4 federal deadline

CISA added an Oracle WebLogic Server unspecified vulnerability (CVE-2024-21182, from Oracle's July 2024 CPU) to KEV today with a three-day federal deadline of June 4. The flaw allows an unauthenticated attacker with T3 or IIOP network access to compromise the server with complete data access. WebLogic T3 ports are routinely reachable on internal networks and occasionally on the internet; if you run WebLogic, apply Oracle's July 2024 CPU immediately and block T3/IIOP at the perimeter.

Nx Console VS Code extension shipped with embedded credential-stealing malware (CVE-2026-48027) — KEV added 2026-05-27, ransomware-linked

A malicious version of the Nx Console VS Code extension was published to the marketplace; the extension fetched an obfuscated payload that harvested credentials from disk and memory on developer workstations. CISA flags ransomware use as "known", meaning these credentials are being weaponised against the developers' organisations downstream. The blast radius is every dev who installed the compromised version of the Nx monorepo tool's IDE extension during the window. Audit VS Code extension install logs, rotate any credentials a developer machine could have held, and pin Nx Console to a known-clean version. Reference: GHSA-c9j4-9m59-847w.

TanStack npm packages compromised — malicious versions published under trusted identity to steal credentials (CVE-2026-45321), KEV ransomware-linked

Malicious versions of TanStack packages were published to npm under the project's trusted identity, shipping credential-stealing malware to anyone who installed during the compromise window. TanStack ships Router, Query, Table, and other widely-used React/Vue libraries — the install base is meaningful. CISA marks ransomware use as known. If your lockfiles bumped any @tanstack/* package over the last two weeks, treat that build as credentials-compromised and roll back to a pre-incident version. Reference: GHSA-g7cv-rxg3-hmpx (TanStack/router advisory).

12:00 ET · Forenoon Watch

Mini Shai-Hulud worm compromises official @redhat-cloud-services npm packages — CI/CD secrets harvested on install

Multiple packages under the official @redhat-cloud-services npm scope were backdoored with a worm derived from the open-sourced Mini Shai-Hulud malware; the payload runs at install time and exfiltrates cloud credentials and secrets from CI/CD pipeline environments before spreading to reachable repositories. Trusted-vendor namespace compromise is the worst-case supply chain shape: developers don't scrutinize packages that look like they ship from Red Hat. Pull the specific affected package names from Socket's writeup, treat every CI pipeline run that installed any @redhat-cloud-services package as potentially compromised, rotate all cloud credentials present in those environments, and pin lockfiles to a clean version while a patched release lands.

codexui-android npm package steals OpenAI Codex auth tokens — 29,000+ weekly downloads, still live on npm

codexui-android is marketed on GitHub and npm as a remote web UI for OpenAI Codex; it has accumulated 29,000+ weekly downloads and exfiltrates Codex authentication tokens from any developer who installs it. The package remains available on npm at time of publication. Check package-lock.json and node_modules for codexui-android across developer workstations and CI/CD environments, revoke and rotate any OpenAI/Codex API keys on affected machines, and file a security report against the package via the npm advisory form.

DOMPurify 3.4.4 XSS bypass via <selectedcontent> re-clone (CVE-2026-47423) — browser refreshes payload after sanitizer walks past it

DOMPurify 3.4.4 allowlisted <selectedcontent>, a new HTML element that browsers auto-clone from <option> nodes; a crafted payload survives because the browser re-renders the selectedcontent subtree after DOMPurify has already finished walking it, landing unsanitized HTML in the DOM. The vulnerable range is precisely 3.4.4 — 3.4.3 and 3.4.5 are unaffected. Pin to 3.4.5 (or roll back to 3.4.3 if that's simpler); the fix is already released.

@agenticmail/mcp < 0.9.27 HTTP transport missing authentication — any reachable host can invoke master-key mail operations

When @agenticmail/mcp starts in HTTP mode (--http or MCP_HTTP=1), the /mcp endpoint accepts requests without any authentication layer; the server then forwards calls using its own configured AGENTICMAIL_MASTER_KEY, so any peer that reaches the port can invoke privileged mail operations under the server's identity. MCP HTTP transports are increasingly used in agentic pipelines with networked services. Upgrade to 0.9.27 and run only with stdio unless network-level access control is confirmed.

Vitest browser mode XSS via unsanitized otelCarrier query parameter (CVE-2026-47428) — arbitrary JS executed in test runner origin

The /__vitest_test__/ route in affected @vitest/browser versions injects the otelCarrier query parameter directly into an inline module script without sanitization; an attacker controlling a URL opened in a Vitest browser runner can execute arbitrary JavaScript in the test server's origin. The attack surface is CI environments that open browser test UIs or shared developer test runners. Upgrade to @vitest/browser 4.1.6 or 5.0.0-beta.3.

Vitest UI server arbitrary file read via deprecated isFileServingAllowed (CVE-2026-47429) — Windows and network-exposed setups at risk

The /__vitest_attachment__ handler in vitest < 4.1.0 uses the deprecated isFileServingAllowed function incorrectly, allowing path traversal to files outside the project root. Impact is worst when the Vitest UI is exposed to the network (--api.host) or running on Windows, where file path handling differs. Upgrade to vitest 4.1.0; if you've been exposing the Vitest UI port for remote dev workflows, treat it as a file disclosure risk until patched.

praisonai-platform < 0.1.4 authorization bypass cluster — six advisories cover privilege escalation to owner, workspace deletion, and cross-tenant data access

Six advisories landed simultaneously for praisonai-platform covering broken authorization across multiple API endpoints: any workspace member can escalate themselves or an arbitrary user to owner (GHSA-8g2p-pqm3-fcfh), delete the entire workspace with a single DELETE (GHSA-g8rr-7rj2-f627), and interact with issue, project, and comment endpoints across workspace boundaries without authorization (GHSA-xwq8-frcg-77q8, GHSA-cp4f-5m9r-5jc2, GHSA-943m-6wx2-rc2j). The root cause is middleware that checks only workspace membership, not minimum role or ownership, applied inconsistently across routes. Upgrade to 0.1.4 and audit workspace owner lists for unexpected additions.
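The root cause described above, shown as a membership-only check beside a deny-by-default check that enforces a minimum role and binds the resource to the workspace in the URL. This is an added sketch, not praisonai-platform code; the route templates, the "admin" role, the function names and the sample users are all hypothetical.

```python
ROLE_RANK = {"member": 1, "admin": 2, "owner": 3}  # "admin" is assumed

# Each route declares its minimum role; an undeclared route is denied.
ROUTE_POLICY = {
    ("GET", "/workspaces/{ws}/issues/{id}"): "member",
    ("PATCH", "/workspaces/{ws}/members/{user}/role"): "owner",
    ("DELETE", "/workspaces/{ws}"): "owner",
}

def membership_only(memberships, user, ws, route, resource_ws=None):
    # Weak shape described in the advisories: being a member is enough.
    return (user, ws) in memberships

def authorize(memberships, user, ws, route, resource_ws=None):
    """Allow only if the route has a policy, the caller's role meets it,
    and the addressed resource belongs to the workspace in the URL."""
    required = ROUTE_POLICY.get(route)
    role = memberships.get((user, ws))
    if required is None or role is None:
        return False  # deny by default
    if resource_ws is not None and resource_ws != ws:
        return False  # cross-workspace reference
    return ROLE_RANK[role] >= ROLE_RANK[required]

def routes_without_policy(registered_routes):
    """CI check for inconsistent coverage: served routes with no policy."""
    return sorted(r for r in registered_routes if r not in ROUTE_POLICY)

# Constructed sample data: (user, workspace) -> role.
MEMBERSHIPS = {
    ("alice", "ws-a"): "owner",
    ("bob", "ws-a"): "member",
    ("carol", "ws-b"): "owner",
}
```

Running `routes_without_policy` against the framework's registered route list in CI turns "applied inconsistently across routes" into a failing build instead of an advisory.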

rattler < 0.43.2 noarch:python entry-point path traversal allows arbitrary file write outside install prefix (CVE-2026-47425)

rattler's EntryPoint::FromStr fails to sanitize the command field in a conda package's info/link.json before joining it onto the install prefix; a malicious noarch:python package can use ../ sequences to write executable files outside the environment, including clobbering existing tools like bin/pip. Affected tools include pixi and rattler-build. Upgrade rattler to 0.43.2; if you install noarch:python packages from public channels in automated pipelines, audit recent installs for unexpected files above the environment root.
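The unchecked join described above, next to a version that validates the entry-point command before building the script path. This is an added Python example for auditing packages, not rattler's Rust code or its 0.43.2 fix; the `bin` script directory, the `noarch.entry_points` layout of link.json, the allow-list pattern and the sample document are assumptions of the example.

```python
import json
import posixpath
import re

# Allow-list for a script name. This pattern is an assumption of the
# example, not rattler's rule.
SAFE_COMMAND = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")

def parse_entry_point(spec):
    """Split 'command = module:function' into its three parts."""
    command, _, target = spec.partition("=")
    module, _, function = target.partition(":")
    return command.strip(), module.strip(), function.strip()

def naive_target(prefix, command):
    # Unsafe shape: join onto the prefix and never check where it lands.
    return posixpath.normpath(posixpath.join(prefix, "bin", command))

def checked_target(prefix, command):
    """Return the script path, or raise ValueError if it is not directly
    inside <prefix>/bin."""
    if not SAFE_COMMAND.fullmatch(command):
        raise ValueError(f"unsafe entry-point command: {command!r}")
    bin_dir = posixpath.normpath(posixpath.join(prefix, "bin"))
    target = posixpath.normpath(posixpath.join(bin_dir, command))
    if posixpath.dirname(target) != bin_dir:  # independent of the regex
        raise ValueError(f"entry point escapes {bin_dir}: {command!r}")
    return target

def audit_link_json(text, prefix):
    """Return (accepted script paths, rejected commands) for one link.json."""
    specs = json.loads(text).get("noarch", {}).get("entry_points", [])
    accepted, rejected = [], []
    for spec in specs:
        command = parse_entry_point(spec)[0]
        try:
            accepted.append(checked_target(prefix, command))
        except ValueError:
            rejected.append(command)
    return accepted, rejected

# Constructed info/link.json content; the package and paths are made up.
SAMPLE_LINK_JSON = """{
  "noarch": {"type": "python", "entry_points": [
    "mytool = mytool.cli:main",
    "../../outside/mytool = mytool.cli:main"
  ]},
  "package_metadata_version": 1
}"""
```

Run over the `info/link.json` of packages pulled from public channels, a non-empty rejected list marks a package to quarantine before any installer touches it.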

Nezha monitoring platform allows any agent to forge service-monitor results for other users' services (CVE-2026-48119)

Nezha's gRPC service-monitor result handler authenticates the submitting agent but does not verify the agent was assigned to monitor the reported service ID; a low-privilege user with one valid agent can submit fake up/down results for any other tenant's monitored service. This corrupts monitoring integrity and can suppress real incident alerts. Not a code-execution path. Upgrade to nezha 1.14.15 (v1 branch) or 2.0.12 (v2 branch).

CISA KEV legacy batch: five 2008–2010 Windows, IE, and Adobe CVEs re-added with June 3 federal deadline — Conficker (MS08-067), Aurora (CVE-2010-0249), and three others

CISA added five vulnerabilities from 2008–2010 to KEV on 2026-05-20 with a BOD 22-01 remediation deadline of 2026-06-03 (two days out): CVE-2008-4250 (MS08-067, the Conficker worm RCE in Windows Server Service), CVE-2009-1537 (DirectShow QuickTime parser RCE), CVE-2009-3459 (Adobe Acrobat heap overflow), CVE-2010-0249 (IE use-after-free, Operation Aurora), and CVE-2010-0806 (second IE use-after-free). CISA re-adds legacy CVEs when renewed exploitation is detected — MS08-067 in particular persists in unpatched legacy manufacturing, ICS, and embedded Windows environments. If you operate or manage legacy Windows infrastructure, the June 3 federal deadline is the operational hook; check for unpatched Windows XP/2003/2008 nodes and verify IE is not the default browser on any active system.

CISA KEV: Microsoft DirectX QuickTime parser RCE (CVE-2009-1537) — part of May 20 legacy batch, June 3 deadline

Part of the May 20 legacy KEV batch — see kev:CVE-2008-4250 for context. CVE-2009-1537 is a NULL byte overwrite in DirectShow's QuickTime Movie Parser Filter (quartz.dll) allowing RCE via a crafted QuickTime media file; relevant primarily in legacy Windows environments that still process media through DirectShow.

CISA KEV: Adobe Acrobat/Reader heap overflow RCE (CVE-2009-3459) — part of May 20 legacy batch, June 3 deadline

Part of the May 20 legacy KEV batch — see kev:CVE-2008-4250 for context. CVE-2009-3459 is a heap-based buffer overflow in Adobe Acrobat and Reader triggered by a crafted PDF; relevant in legacy environments running unpatched Acrobat or PDF-processing pipelines built on old Reader versions.

CISA KEV: Internet Explorer use-after-free RCE (CVE-2010-0249, Operation Aurora) — part of May 20 legacy batch, June 3 deadline

Part of the May 20 legacy KEV batch — see kev:CVE-2008-4250 for context. CVE-2010-0249 is the Operation Aurora IE use-after-free used by APT17 in the 2010 Google breach campaign; re-addition to KEV signals it remains weaponized in some context, likely against legacy IE deployments in OT/kiosk environments.

CISA KEV: Internet Explorer use-after-free RCE (CVE-2010-0806) — part of May 20 legacy batch, June 3 deadline

Part of the May 20 legacy KEV batch — see kev:CVE-2008-4250 for context. CVE-2010-0806 is a second IE use-after-free allowing RCE via a crafted HTML object; like CVE-2010-0249 this is EoL software but re-added to KEV, indicating active exploitation in legacy IE environments (kiosk systems, ICS HMI terminals, legacy banking terminals).