vanemmerik.ai / SUPPLY-CHAIN
Supply Chain · Watch · Friday · 05 June 2026 · End-of-day synthesis · 4 watches · 16 items

From the watchtower — what crossed the wire today.

A four-times-a-day standing watch on the open-source supply chain. Each pass pulls newly disclosed CVEs, freshly catalogued KEV adds, and active attacks reported in the wild — then ranks them by severity for the day.

The story of the day — IronWorm's npm campaign doubles to 50-plus poisoned packages and picks up a self-spreading worm and a kernel rootkit, while CISA's KEV clock runs out on a Magento RCE tonight.

The day opened with two npm supply-chain threads and closed with them merged into one. What this morning was “IronWorm backdoors 36 packages” is now, by JFrog's afternoon count, a 50-plus-package campaign pairing the Rust IronWorm infostealer with a self-spreading Miasma worm — and the infostealer hides behind an eBPF kernel rootkit, so an install-time hit means the host is owned, not just the token.

Around that core, the registries kept handing over enterprise tooling: the @cap-js/openapi compromise (SAP CAP's OpenAPI plugin) harvests npm tokens, cloud credentials, and SSH keys and republishes itself, and Hola Browser for Windows was trojanised to drop a cryptominer. Two CISA KEV clocks are also running — the Mirasvit Full Page Cache Warmer deserialization RCE on Magento is due tomorrow, and a fresh KEV add today puts SolarWinds Serv-U on an unauthenticated-DoS notice through June 19. The bright spot stays defensive: RubyGems shipped a Bundler cooldown that holds back freshly-published gems during resolution — the same buy-time-before-the-worm idea this page keeps asking for, now landing in a second ecosystem.

→ Operational priority for the night: patch or pull the Mirasvit cache-warmer extension on any Magento store before the June 6 KEV deadline, then re-audit npm lockfiles against JFrog's updated IronWorm/Miasma list and rebuild — not clean — any developer or CI machine that ran an affected package, treating the eBPF rootkit as full host compromise.

21:00 ET · Last Watch

Twig sandbox escape: multiple __toString() policy bypasses via unguarded string coercion (GHSA-pr2w-4gpj-cpq4)

Twig's template sandbox can be escaped through several __toString() coercion points — code paths that stringify an object without first routing the call through the sandbox security policy, letting a crafted template reach methods the policy was meant to block. Anyone rendering user-supplied or semi-trusted Twig templates (CMS theming, email-template editors, low-code form/report builders) is exposed, because the sandbox is the control and the control is what leaks. Upgrade Twig to the patched release and audit any feature that lets users author Twig markup. Disclosed 17:47 ET, just before tonight's synthesis lock — logged here on the Last Watch.

Bugsink ships four advisories in one release: two medium tenant-isolation gaps + two low cross-project leaks (GHSA-5389-f7vh-wxj8 et al.)

Bugsink — a self-hosted, Sentry-compatible error tracker — disclosed four issues at once: two medium tenant-isolation gaps (project scoping missing on sourcemap/debug-file lookup, plus a tag-flood DoS) and two low cross-project information leaks where knowing an issue's UUID surfaces another project's data. The shape is classic multi-tenant authz drift: object lookups that trust an ID without re-checking project ownership. If you run Bugsink for more than one team, upgrade and confirm project scoping is enforced on every lookup path.

18:00 ET · First Watch

CISA KEV: SolarWinds Serv-U unauthenticated DoS via Content-Encoding: deflate — added June 5, deadline June 19 (CVE-2026-28318)

CISA catalogued CVE-2026-28318 today with a federal remediation deadline of June 19. SolarWinds Serv-U crashes on a specially crafted POST carrying a Content-Encoding: deflate header — uncontrolled resource consumption, no authentication required, so any unauthenticated client that can reach the service can take it down at will. It is DoS rather than RCE, but a KEV listing means real-world exploitation is already observed, and Serv-U is an internet-facing managed-file-transfer product with a long history of being targeted. If you run Serv-U, apply the vendor fix and put a WAF rule or rate limit in front of the deflate-encoded POST path now.

IronWorm campaign escalates: JFrog ties it to a new self-spreading Miasma worm variant across 50+ npm packages, with an eBPF kernel rootkit

The morning's IronWorm npm story got worse through the day: JFrog now counts over 50 affected packages and pairs the Rust-based IronWorm infostealer with a fresh self-propagating Miasma worm variant, the two distributed through both freshly-published malicious packages and poisoned versions of legitimate ones. IronWorm scrapes every secret it can find on a developer machine and hides behind an eBPF kernel rootkit, which puts it well beyond grep-the-logs detection — a rootkit at install time means the host is owned, not just the npm token. Treat the 36-package count from this morning as the floor, not the ceiling: re-audit lockfiles against JFrog's updated list, and on any machine that ran an affected package assume kernel-level compromise and rebuild rather than clean.

Chinese espionage group UNC5221 deploys Brickstorm plus undocumented Plenet and AgentPSD malware to persist in Microsoft 365

Not a registry compromise, but it rhymes with the persistence half of every supply-chain incident on this page: UNC5221 is using the Brickstorm backdoor and two previously undocumented implants, Plenet and AgentPSD, to keep long-term access to compromised Microsoft 365 tenants. The throughline with the npm campaigns is that initial access is cheap and the real cost is dwell time — whether the foothold arrives via a poisoned dependency or an espionage implant, the defensive work is the same: detect and evict persistence, then rotate everything the foothold could reach.

12:00 ET · Forenoon Watch

CISA KEV: Mirasvit Full Page Cache Warmer PHP deserialization RCE — patch deadline June 6 (CVE-2026-45247)

CISA catalogued CVE-2026-45247 on June 3 with a federal remediation deadline of tomorrow, June 6. Mirasvit's Full Page Cache Warmer extension for Magento/Adobe Commerce deserializes attacker-controlled data from the CacheWarmer cookie without validation, enabling unauthenticated RCE — the classic PHP object injection shape. Exploitability is high: no authentication required, cookie-delivered payload, Magento stores are common targets. If you run a Magento instance with this extension installed, apply the vendor patch before end of day Friday or take the extension offline.

IronWorm infostealer backdoors 36 npm packages in active supply-chain campaign

36 packages on the npm registry have been backdoored with IronWorm, an infostealer that harvests credentials and exfiltrates sensitive data from developer machines at install or build time. The attack lands on the same morning as the @cap-js/openapi credential-harvest advisory, and the TTP is identical: poisoned package runs in CI or a developer environment, reaches everything that environment can touch. Full list of affected packages is in the BleepingComputer writeup — audit your package-lock.json and CI install logs against it. Treat any credentials accessible on machines where affected packages ran as compromised; rotate npm tokens, cloud credentials, and SSH keys before anything else.

@cap-js/openapi v1.4.1 supply chain compromise — credential harvest and self-propagation (GHSA-jpvj-wpmj-h7rv, CVSS 9.6)

A compromised version of @cap-js/openapi@1.4.1 was published on May 19 and the GHSA advisory landed this week. The package is the OpenAPI plugin for SAP's Cloud Application Programming (CAP) model — enterprise Node.js tooling with broad deployment. The malicious version harvested npm tokens, cloud provider credentials, and SSH keys from any machine that installed it, then attempted self-propagation by publishing poisoned releases from stolen tokens — the same cascade-infection TTP seen in solana/web3.js. Upgrade to >=1.4.2. If 1.4.1 was ever installed in your environment, rotate all credentials accessible on those machines and audit npm publish logs for re-publication events from your tokens.
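The lockfile audit asked for in this item and in the IronWorm item above, as an added example (not code from the advisory or from any vendor). It walks both package-lock.json layouts so a nested transitive copy is caught even when the top-level copy is patched; the denylist holds only the version named on this page plus a labelled placeholder, and the sample lockfile is constructed.

```javascript
// Added example. DENYLIST and SAMPLE_LOCK are constructed sample data.
const DENYLIST = new Map([
  ["@cap-js/openapi", new Set(["1.4.1"])],    // version named in the advisory above
  ["example-poisoned-pkg", new Set(["*"])],   // placeholder: load real names from the vendor list
]);

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function nameFromPath(installPath) {
  const marker = "node_modules/";
  const i = installPath.lastIndexOf(marker);
  return i === -1 ? null : installPath.slice(i + marker.length);
}

function isDenied(name, version, deny) {
  const versions = deny.get(name);
  return Boolean(versions) && (versions.has("*") || versions.has(version));
}

function auditLockfile(lock, deny = DENYLIST) {
  const hits = new Map(); // keyed by install path so v2's duplicated trees report once
  // lockfileVersion 2 and 3: flat "packages" map keyed by install path
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue;                       // the root project itself
    const name = meta.name || nameFromPath(path);    // meta.name is set for aliased installs
    if (name && isDenied(name, meta.version, deny)) hits.set(path, { name, version: meta.version, path });
  }
  // lockfileVersion 1 (and v2's compatibility copy): nested "dependencies" tree
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (isDenied(name, meta.version, deny)) hits.set(path, { name, version: meta.version, path });
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return [...hits.values()];
}

// Constructed lockfile: the top-level copy is patched, a nested transitive copy is not.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "0.0.0" },
    "node_modules/@cap-js/openapi": { version: "1.4.2" },
    "node_modules/internal-tooling/node_modules/@cap-js/openapi": { version: "1.4.1" },
  },
};

console.log(auditLockfile(SAMPLE_LOCK));
```

A clean result only covers the lockfile as it is now; CI install logs and older commits of the lockfile need the same check.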

Hola Browser for Windows supply chain attack drops undisclosed cryptominer executable

The Windows version of Hola Browser has been compromised in a supply chain attack that delivers an undeclared executable identified as a cryptocurrency miner. Hola Browser already has a well-documented history of routing user bandwidth through its P2P network for commercial purposes, so this is a second payload layered on top of an already privacy-hostile baseline. If Hola Browser appears anywhere on your endpoints or SOE image, remove it and run EDR scans for the miner process; treat credentials accessible on those machines as potentially exposed given the existing traffic-routing behaviour.

React Router v7 / Remix ≥2.9.0 DoS via single-fetch serialization amplification (GHSA-rxv8-25v2-qmq8, CVSS 7.5)

React Router v7.0–7.13.x in Framework Mode and Remix >=2.9.0 with Single Fetch enabled are vulnerable to denial of service: specific data shapes passed through the turbo-stream serializer create a CPU bottleneck that can take down the Node.js process. Affects server-rendered routes that reflect user-controlled input into server responses. Patch by upgrading react-router to >=7.14.0 (or turbo-stream to >=3.0.0 for Remix); if upgrade is not immediately possible, add request timeouts and rate limiting in front of affected routes. Only Framework Mode is affected — Declarative Mode (<BrowserRouter>) and Data Mode are not.

wasmtime-wasi: TRUNCATE flag bypasses FilePerms::WRITE restriction in WASI filesystem sandbox (GHSA-2r75-cxrj-cmph, CVSS 7.5)

In wasmtime-wasi, a filesystem preopen granted DirPerms::all() and FilePerms::READ (but not WRITE) can be circumvented: calling path_open or descriptor.open-at with the TRUNCATE flag but requesting only READ access bypasses the WRITE check entirely, allowing a Wasm guest to truncate — and thus destroy — host files it should only be able to read. The fix: verify, then parse — check permissions before honoring open flags. Affected range is wide (< 24.0.9, >= 25.0.0 and < 36.0.10, >= 37.0.0 and < 44.0.2); upgrade to the relevant patched version. Any embedding that uses wasmtime-wasi to sandbox untrusted Wasm with read-only filesystem grants is exposed.

Better Auth: device authorization flow accepts any authenticated session for approval, enabling code hijack (GHSA-cq3f-vc6p-68fh, CVSS 7.6)

better-auth versions 1.6.0–1.6.10 with the deviceAuthorization plugin enabled accept any authenticated session to approve or deny a pending device-code grant — the endpoint does not verify that the approving session matches the user who initiated the flow. An attacker who observes a pending user code (via screen-share, shoulder-surfing, support logs, or referrer headers) can approve the grant with their own session, hijacking the device authorization. Upgrade to >=1.6.11. Realistic exposure is narrow but the scope widens wherever user codes are visible in shared environments — support channels, pair-programming sessions, shared dashboards.

06:00 ET · Morning Watch

WWBN AVideo: unauthenticated stored DOM XSS in YPTSocket plugin fires in every admin's session (GHSA-8whc-2wmv-ww35, CVSS 9.6) — plus a sanitizer-bypass sibling and a wallet-credit forgery

Three advisories landed together for the open-source AVideo video CMS, the worst being an unauthenticated stored DOM XSS (CVSS 9.6) in the YPTSocket plugin: getWebSocket.json.php hands a signed WebSocket token to any anonymous caller, and MessageSQLiteV2::onOpen renders attacker-controlled metadata straight into the online-users debug panel — so any unauthenticated visitor can run JavaScript in the authenticated origin of every admin viewing that panel. A companion (CVE-2026-49279) bypasses the autoEvalCodeOnHTML sanitizer by stashing the payload in the json key, which msgToResourceId() reads with higher priority than the sanitized msg key — fix one path and the other still fires. A third (CVE-2026-47696, CVSS 4.3) lets any logged-in user mint arbitrary wallet balance because processPayment.json.php hardcodes paymentSuccess=true and credits the wallet on an attacker-supplied amount with no Authorize.Net verification. If you self-host AVideo, upgrade now, disable YPTSocket until you have, and audit wallet balances if AuthorizeNet + YPTWallet were enabled.

Klever-Go: P2P MultiDataInterceptor leaks global throttler slots on malformed compressed batches — remote DoS (GHSA-74m6-4hjp-7226, CVSS 7.5)

In the Klever blockchain node, MultiDataInterceptor.ProcessReceivedMessage takes a global throttler slot via StartProcessing() but the decompression-error path returns without releasing it, so a stream of malformed compressed batches steadily exhausts the global processing budget and stalls the node — a cheap remote DoS against any peer. The fix moves the slot release into a guarded defer. If you operate Klever-Go validators or RPC nodes, upgrade to v1.7.17; nodes on < v1.7.17 are exposed to any peer that can send them P2P traffic.
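The leak pattern and the guarded release, as an added JavaScript model rather than Klever-Go's own code. Only the StartProcessing idea comes from the advisory text; canProcess, endProcessing and the one-byte framing in decompress() are assumptions made for the illustration.

```javascript
// Added illustration: a JavaScript model of the pattern, not Klever-Go code.
// canProcess/endProcessing and the framing in decompress() are assumptions.
class Throttler {
  constructor(max) { this.max = max; this.inUse = 0; }
  canProcess() { return this.inUse < this.max; }
  startProcessing() { this.inUse += 1; }
  endProcessing() { this.inUse -= 1; }
}

// Stand-in for batch decompression: constructed framing where byte 0 must be 0x01.
function decompress(batch) {
  if (batch.length === 0 || batch[0] !== 0x01) throw new Error("malformed compressed batch");
  return batch.subarray(1);
}

// Leaky shape: the decompression-error path returns without releasing the slot.
function processLeaky(throttler, batch) {
  if (!throttler.canProcess()) return "throttled";
  throttler.startProcessing();
  try {
    decompress(batch);
  } catch {
    return "rejected";            // slot is still counted as in use
  }
  throttler.endProcessing();
  return "ok";
}

// Guarded shape: release is tied to scope exit, the role a Go defer plays.
function processGuarded(throttler, batch) {
  if (!throttler.canProcess()) return "throttled";
  throttler.startProcessing();
  try {
    decompress(batch);
    return "ok";
  } catch {
    return "rejected";
  } finally {
    throttler.endProcessing();
  }
}

// Feed `badCount` malformed batches, then one valid batch, and report its fate.
function simulate(handler, slots, badCount) {
  const throttler = new Throttler(slots);
  for (let i = 0; i < badCount; i++) handler(throttler, Uint8Array.of(0xff, 0x00));
  const result = handler(throttler, Uint8Array.of(0x01, 0x2a));
  return { result, slotsInUse: throttler.inUse };
}
```

An in-use counter that stays above zero while the node is idle is the operational signal of the leaky shape.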

RubyGems ships a Bundler cooldown: newly-published gems can be held back during dependency resolution

Bundler 4.0.13 adds an opt-in cooldown that refuses to resolve a gem version published within a configurable recency window, so a freshly-pushed malicious release can't be pulled into your build the moment it lands. This is the ecosystem importing the same defensive idea npm and others have been circling — buy time for a poisoned version to be caught and yanked before it reaches CI. Worth enabling on any Ruby pipeline that auto-resolves; it directly blunts the same-day-worm pattern this page keeps logging.
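The cooldown idea as an added example, not Bundler's implementation and using none of its configuration names. It goes beyond the Ruby case by applying the same rule to a publish-time map shaped like the npm registry's "time" field; the package history and clock are constructed.

```javascript
// Added example: pick the newest version that has aged past a cooldown window.
const DAY_MS = 24 * 60 * 60 * 1000;

// Plain x.y.z only; pre-releases and the "created"/"modified" keys do not match.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? m.slice(1).map(Number) : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// publishTimes: { "<version>": "<ISO timestamp>", ... }
function resolveWithCooldown(publishTimes, cooldownDays, now) {
  const cutoff = now.getTime() - cooldownDays * DAY_MS;
  const eligible = [];
  const held = [];
  for (const [version, iso] of Object.entries(publishTimes)) {
    const parsed = parseVersion(version);
    if (!parsed) continue;
    const published = Date.parse(iso);
    // Fail closed: a missing or unparseable timestamp is held back, not trusted.
    const tooFresh = Number.isNaN(published) || published > cutoff;
    (tooFresh ? held : eligible).push({ version, parsed });
  }
  eligible.sort((x, y) => compareVersions(y.parsed, x.parsed));
  return {
    selected: eligible.length ? eligible[0].version : null,
    held: held.map((h) => h.version),
  };
}

// Constructed history for a hypothetical package; 2.3.1 landed the same day.
const SAMPLE_TIMES = {
  created: "2026-01-10T00:00:00Z",
  modified: "2026-06-05T09:00:00Z",
  "2.3.0": "2026-04-01T12:00:00Z",
  "2.3.1": "2026-06-05T09:00:00Z",
  "2.4.0-beta.1": "2026-03-01T00:00:00Z",
};
const SAMPLE_NOW = new Date("2026-06-05T21:00:00Z");

console.log(resolveWithCooldown(SAMPLE_TIMES, 7, SAMPLE_NOW));
```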

Magecart campaign abuses Stripe's API infrastructure to host the skimmer payload and exfiltrate card data

Not an open-source package compromise, but it rhymes: a new Magecart skimmer hides both its card-stealing payload and the exfiltrated data inside Stripe's own API infrastructure, so the malicious traffic blends into a trusted payment endpoint that egress filters and CSPs already allow. The lesson for anyone running a checkout page is the same as for any trusted-dependency abuse — an allowlisted, reputable host is not evidence the content riding on it is benign. Audit the scripts actually loaded on payment pages, not just their origins.