Supply Chain · Watch Tuesday · 09 June 2026 End-of-day synthesis 4 watches · 23 items

From the watchtower — what crossed the wire today.

A four-times-a-day standing watch on the open-source supply chain. Each pass pulls newly disclosed CVEs, freshly catalogued KEV adds, and active attacks reported in the wild — then ranks them by severity for the day.

The story of the day — A late GHSA wave after 18:00 ET delivered unauthenticated RCE in PhoenixStorybook and a connector-ACL bypass in Dex, extending a day already shaped by the Shai-Hulud PyPI worm campaign and five CISA KEV additions.

The Shai-Hulud lineage grew teeth today. Socket and BleepingComputer confirmed three self-propagating worm variants — Mini Shai-Hulud, Miasma, and Hades — seeding malicious wheels into PyPI using native extensions and .pth import hooks that fire at interpreter startup without the victim ever importing the package. Nineteen trojanized, science-focused packages reached the hundreds-of-thousands-of-downloads range before takedown; targeting was deliberate: bioinformatics and MCP-server developers who pip-install broadly inside credential-rich environments. Microsoft began restoring some GitHub repos pulled during the Miasma probe while keeping others offline. CISA added five actively exploited flaws to the KEV catalog: the Check Point IKEv1 auth bypass (due June 11), a LiteLLM command-injection RCE, a Chromium V8 browser RCE, a root-level privilege escalation in Cisco Catalyst SD-WAN Manager, and an Arista EOS tunnel-decapsulation segmentation bypass.

Late escalation at 21:00 ET: a batch of GHSA advisories landed after the 18:00 synthesis closed. The most significant is unauthenticated RCE in PhoenixStorybook (< 1.1.0) — a three-step chain from WebSocket attribute injection through unsanitized HEEx template interpolation to unsandboxed `Code.eval_quoted_with_env/3` execution requiring no credentials. Alongside it, Dex — the CNCF OIDC identity provider common to Kubernetes clusters — disclosed a connector-ACL bypass (CVSS 8.7): `handleTokenExchange` omits the `isConnectorAllowed` check that both redirect-flow and authorization-code handlers enforce, letting a client restricted to one connector exchange tokens via any other. Pheditor 2.0.1–2.0.3 completes the critical tier with a whitelist-bypass OS command injection (CVSS 9.9) through the unsanitized `dir` parameter in the terminal handler. A Symfony Runtime patch bypass for CVE-2024-50340 (wide blast radius across the 5.4/6.4/7.x/8.0 lines) rounds out the medium tier.

→ Operational priority for the night clear the KEV queue first — Check Point sk185033 (due June 11), then LiteLLM v1.83.7-stable and the Chromium stable-channel update pushed fleet-wide. Scrub site-packages and CI pipelines for unexpected .pth files and rotate any developer or CI credential that touched the Socket-disclosed package list. Then address the late additions: if you run Dex with explicit per-client AllowedConnectors, upgrade past 20260303131938-204dbb2e3ff7 before morning; firewall or upgrade any externally-reachable PhoenixStorybook instance to 1.1.0; and audit for Pheditor deployments to apply the escapeshellarg fix.

21:00 ET · Last Watch

Critical · GHSA · 2026-06-09 ·added 21:00 ET

PhoenixStorybook: Unauthenticated RCE via HEEx template injection in playground component

Three-step chain: a `psb-assign` WebSocket event delivers attacker-controlled attribute values, which are interpolated unsanitized into a HEEx template string via `ComponentRenderer.attributes_markup/1`, then compiled and evaluated through `Code.eval_quoted_with_env/3` with full Kernel access. No authentication is required, no session pre-condition. Any publicly reachable PhoenixStorybook instance on 0.5.0–1.0.x is an execution target; the storybook route alone is the attack surface. Upgrade to 1.1.0 immediately; if you expose storybook externally for design collaboration, firewall it before the upgrade lands.

Critical · GHSA · 2026-06-09 ·added 21:00 ET

Pheditor 2.0.1–2.0.3: Whitelist bypass via unsanitized `dir` parameter achieves authenticated RCE (CVSS 9.9)

The terminal handler validates shell metacharacters on `$command` only; `$dir` is passed raw to `shell_exec()`. One semicolon in the dir field — `dir=/tmp; <payload> #` — completely evades the whitelist check. Any authenticated pheditor user with terminal permission enabled (the default) can drop a PHP webshell in the web root in three HTTP requests. Pheditor is commonly self-hosted in web roots for admin convenience; audit for deployments, apply `escapeshellarg()` on the dir parameter, or pull the upstream patch.

High · GHSA · 2026-06-09 ·added 21:00 ET

Dex: Token-exchange endpoint skips per-client AllowedConnectors ACL check (CVSS 8.7)

`handleTokenExchange` in `server/handlers.go` checks connector existence and grant type but omits the `isConnectorAllowed(client.AllowedConnectors, connID)` call that the redirect-flow and authorization-code handlers both make. A client explicitly restricted to `corp-okta` can still exchange tokens via a lower-trust connector through this endpoint — an identity-class ACL bypass. Dex is the dominant OIDC IdP for Kubernetes; any cluster where clients carry non-empty `AllowedConnectors` is affected. Update past `v0.0.0-20260303131938-204dbb2e3ff7`.

Medium · GHSA · 2026-06-09 ·added 21:00 ET

PhoenixStorybook: Unauthenticated atom-table exhaustion via LiveView event params causes BEAM VM crash

Seven LiveView event handlers call `String.to_atom/1` on attacker-supplied params without pre-checking for existing atoms. Flooding the BEAM atom table to its ~1,048,576 ceiling crashes the entire Erlang VM node, not just the storybook process. Blast radius is limited in practice since storybook is dev tooling, but the risk escalates if storybook shares a node with production services. Covered by the 1.1.0 upgrade alongside the RCE fix.

Medium · GHSA · 2026-06-09 ·added 21:00 ET

Symfony Runtime: CVE-2024-50340 patch bypass — APP_ENV/APP_DEBUG still settable via parse_str/SAPI argv mismatch

The prior fix gated argv reads on `empty($_GET)`, but `parse_str()` and the web SAPI disagree on certain inputs: a crafted GET request can leave `$_GET` empty while still populating `$_SERVER['argv']` with attacker-controlled flags. `SymfonyRuntime::getInput()` then parses them, restoring the same APP_ENV/APP_DEBUG manipulation primitive as CVE-2024-50340. Preconditions: web SAPI, `register_argc_argv=On`. Wide blast radius — affects symfony/runtime and symfony/symfony across the 5.4/6.4/7.x/8.0 lines. Patched in 5.4.52, 6.4.40, 7.4.12, 8.0.12.

Context · GHSA · 2026-06-09 ·added 21:00 ET

PhoenixStorybook: Cross-session PubSub topic injection via URL query param

The storybook iframe LiveView accepts a PubSub topic from the URL query string (`params["topic"]`) without session validation, letting a visitor who knows another user's playground topic broadcast onto it and hijack the playground↔iframe handshake. Low practical impact — dev tooling, no credential or RCE path — but part of the 2026-06-09 PhoenixStorybook advisory batch. Covered by the 1.1.0 upgrade.

18:00 ET · First Watch

Critical · ·added 18:00 ET

Chromium V8 out-of-bounds read/write — crafted HTML achieves RCE in renderer sandbox, all Chromium browsers (CISA KEV June 9)

CISA added CVE-2026-11645 to KEV on June 9 — an out-of-bounds read/write in Chromium's V8 engine where a crafted HTML page achieves code execution inside the renderer sandbox, affecting every Chromium-derived browser (Chrome, Edge, Opera) plus the Electron apps and embedded webviews that ship their own copy of the engine. A KEV listing means active exploitation is confirmed, and the browser is the single piece of attacker-reachable code sitting on every developer and operator workstation. Push the Chrome/Edge stable-channel update fleet-wide before the June 23 due date, and don't overlook Electron-based dev tools that bundle their own Chromium build.

Critical · ·added 18:00 ET

Cisco Catalyst SD-WAN Manager — authenticated local attacker runs commands as root via crafted file (CISA KEV June 9)

Cisco's Catalyst SD-WAN Manager (formerly vManage) lets an authenticated local attacker execute arbitrary commands as root by supplying a crafted file — CISA added it to KEV on June 9, so this is being exploited in the wild, not theorised. SD-WAN Manager is the control plane for an entire WAN fabric; root on that box is root over the routing policy of every branch it manages. The authenticated-local precondition makes it a privilege-escalation and lateral-movement target rather than a perimeter breach, but the consequence is total. Apply the Cisco fix (cisco-sa-sdwan-privesc-4uxFrdzx) and tighten who can reach and authenticate to the management plane.

Critical · ·added 18:00 ET

Arista EOS — switch decapsulates and forwards unexpected tunneled packets, bypassing segmentation (CISA KEV June 9)

Arista EOS incorrectly decapsulates and forwards tunneled packets whose destination IP matches a configured decapsulation address, letting an attacker route traffic past segmentation that assumes the switch will drop unexpected tunnels — CISA added it to KEV on June 9. The flaw turns a data-plane forwarding switch into an inadvertent pivot across network boundaries, the kind of trusted-control bypass that quietly undermines the assumptions firewalls and microsegmentation are built on. It only applies to EOS devices configured with the relevant tunnel decapsulation, so the blast radius is your specific topology. Apply Arista's security advisory 0137 fix and audit which switches have decap enabled.

High · ·added 18:00 ET

Microsoft restores some GitHub repos, keeps others offline as Miasma worm probe continues

Microsoft has begun restoring GitHub repositories pulled offline during the Miasma investigation while deliberately keeping others dark as the probe continues — the platform-side response to the self-propagating PyPI worm campaign that leads today's watch. The signal worth reading: GitHub is treating affected repos as still-untrusted rather than rushing them back, which implies the worm's reach into source hosting was broader than the initial PyPI package list suggested. If your CI pulls from any repo that went dark this week, don't assume a restored repo is a clean repo — re-verify commit provenance before you build against it again.

12:00 ET · Forenoon Watch

Critical · ·added 12:00 ET

Check Point Security Gateway VPN auth bypass — IKEv1 flaw, known ransomware use (CISA KEV added June 8)

Check Point's Security Gateway allows unauthenticated remote attackers to bypass password authentication and establish a remote-access VPN connection via a flaw in the deprecated IKEv1 key exchange — CISA added it to KEV on June 8 with a three-day remediation window (due June 11) and flagged ransomware use as Known. The combination of no-auth-required exploitation and confirmed ransomware operator interest makes this the operational priority item of the day: any perimeter VPN that still accepts IKEv1 is a front-door entry point. Apply the Check Point hotfix immediately, and if patching is delayed, disable IKEv1 entirely and validate that your VPN listener is not internet-exposed on unexpected ports.

Critical · ·added 12:00 ET

BerriAI LiteLLM command injection — any authenticated low-privilege key can run arbitrary commands (CISA KEV June 8)

LiteLLM — the proxy/gateway layer used by many AI/ML teams to route across OpenAI, Anthropic, and other model providers — has a command injection vulnerability (CWE-78) reachable by any holder of an internal-user key, including low-privilege API keys issued to developers or service accounts. CISA added it to KEV on June 8; the fix is v1.83.7-stable. The threat model here is specifically adversarial: if your LiteLLM instance issues keys to external developers, contractors, or CI pipelines, any of those key-holders can now execute arbitrary commands on the host. Upgrade to v1.83.7-stable, rotate all existing keys post-upgrade, and audit who holds internal-user credentials.

Critical · ·added 12:00 ET

shell-quote (npm): newline bypass in quote() allows shell command injection via object .op values (>= 1.1.0 ≤ 1.8.3)

shell-quote's quote() function fails to escape newlines (\n, \r, U+2028, U+2029) in object token .op values — JavaScript's /(.)/g regex does not match line terminators, so a crafted .op passes through unescaped and POSIX shells treat the literal newline as a command separator, executing everything after it. The precondition is that a caller constructs an {op:} token from attacker-influenced input (e.g. a deserialized argument array, or an envFn that consults an external source) — narrow but both are documented API surface. The fix replaces per-character escaping with an allowlist of the seven operators the parser actually emits; anything else now throws TypeError. Upgrade shell-quote past 1.8.3; if you wrote any code that passes {op:} objects built from external input to quote(), audit and patch regardless of upgrade status.

High · ·added 12:00 ET

FUXA (npm): unauthenticated SSRF via Socket.IO DEVICE_WEBAPI_REQUEST — full response body returned, internal network reachable (≤ 1.1.14-1243)

FUXA (fuxa-server on npm), an open-source SCADA/ICS web HMI used in industrial control deployments, skips its isSocketWriteAuthorized() check on the DEVICE_WEBAPI_REQUEST and DEVICE_PROPERTY Socket.IO handlers. An unauthenticated attacker connects to the Socket.IO endpoint, emits a device-webapi-request event with an arbitrary address, and FUXA makes the axios.get() call server-side and broadcasts the full response back — instant SSRF with response reading, reachable from the open internet on any exposed FUXA instance. From there, cloud metadata endpoints, internal OPC UA servers, and ODBC databases are all in scope. FUXA tends to run on-prem networks with flat trust; scan your inventory for exposed fuxa-server instances and upgrade past 1.1.14-1243.

High · ·added 12:00 ET

anyquery macOS browser plugins: unescaped URL in AppleScript template enables JXA/AppleScript code injection (Chrome/Brave/Edge/Safari, CVSS 9.0)

anyquery's macOS browser plugins (chrome, brave, edge, safari) interpolate a SQL-controlled url value directly into an AppleScript template via fmt.Sprintf without escaping, then pass it to osascript. Any authenticated anyquery user who can run SQL INSERT INTO chrome_tabs can inject arbitrary AppleScript/JXA and execute native macOS automation commands under the user's session. The precondition is local CLI access to anyquery, which makes this primarily a privilege-escalation or lateral-move vector in shared dev environments or CI runners that use anyquery for browser automation. Versions fixed pre-date commit 0abd460; pin to a commit after 2024-08-26.

Medium · ·added 12:00 ET

Authlib (pip): open redirect in OAuth 2.0 authorization endpoint — attacker-controlled redirect_uri accepted before client validation (< 1.6.10 or == 1.7.0)

Authlib's OAuth 2.0 authorization endpoint issues a 302 redirect to an attacker-supplied redirect_uri before performing client lookup or URI validation — no valid client registration, authenticated user, or prior state required. The vector: send a request with an unsupported response_type and an arbitrary redirect_uri, receive an open-redirect response. Open redirects in OAuth authorization endpoints are phishing amplifiers: a redirect from your legitimate domain to an attacker's credential-harvesting page carries the trust of your brand. Upgrade authlib to ≥ 1.6.10 (skip 1.7.0, also affected).

Context · ·added 12:00 ET

WinRAR CVE-2025-8088 path traversal exploited by Russia-aligned APTs (Gamaredon, UAC-0226) in active Ukraine campaign

Trend Micro reports that Earth Dahu (Gamaredon) and SHADOW-EARTH-066 (UAC-0226) are actively exploiting CVE-2025-8088, a path traversal in WinRAR, to deliver stealers against Ukrainian targets — continuing to leverage the flaw nearly a year after patches were available. File-format parser vulnerabilities weaponized by state-aligned actors are the same threat model as supply-chain archive poisoning, and the stealer payloads overlap with credential-theft tooling seen in developer-environment campaigns. Patch WinRAR on any Windows infrastructure still running unpatched versions; the non-zero patch lag here is the uncomfortable data point.

Context · ·added 12:00 ET

PoC: University of Toronto researchers build self-replicating AI worm using local open-weight LLMs — no human intervention, no commercial API

University of Toronto researchers published a preprint describing a proof-of-concept worm that uses a locally hosted open-weight LLM to reason through a network, generate per-target attack strategies, and self-replicate — without touching a commercial API or requiring human direction. It is research, not an observed campaign, but the supply-chain implication is the same one we saw with the Shai-Hulud PyPI worm earlier today: the attackers who were already hand-tuning .pth loaders and native extension payloads are the ones who will eventually automate the reconnaissance-and-pivot loop. File under threat-model evolution, not immediate operational action.

06:00 ET · Morning Watch

Critical · Socket · 2026-06-08 ·added 06:00 ET

New Shai-Hulud wave: self-propagating worms ship malicious PyPI wheels at bioinformatics and MCP developers

Socket reports a fresh Shai-Hulud campaign seeding malicious wheels into PyPI, with the newer packages using native extensions and .pth import hooks to auto-execute JavaScript stealers the moment the wheel is installed or even just present on sys.path. Three worm variants (Mini Shai-Hulud, Miasma, Hades) are targeting bioinformatics and MCP-server developers specifically — a deliberate pivot to audiences who pip-install broadly and run in credential-rich dev environments. BleepingComputer puts the confirmed scope at 19 trojanized science-focused packages collectively downloaded in the hundreds of thousands. The .pth-loader trick is the dangerous detail: it fires at interpreter startup, so the payload runs without the victim ever importing the package. Audit PyPI installs across dev and CI for the Socket-disclosed package list, scrub site-packages for unexpected .pth files, and rotate any developer or CI credential that touched an affected environment.

Critical · GHSA · 2026-06-08 ·added 06:00 ET

PHPSpreadsheet patch bypass — the fix for CVE-2026-34084 can be circumvented (≤ 1.30.4)

PHPSpreadsheet — the dominant PHP library for reading and writing Excel/ODS files, pulled in transitively by Laravel Excel and countless CMS/ERP exports — ships a GHSA-critical patch bypass for CVE-2026-34084 affecting all versions through 1.30.4. A patch bypass is the worst kind of regression to miss: teams that applied the original fix will believe they are covered while the underlying parsing flaw is still reachable. Because spreadsheet parsing is routinely exposed to untrusted user uploads, the realistic exploit path is a malicious .xlsx that triggers the bypass server-side. Upgrade past 1.30.4 to the fixed release, and if you patched CVE-2026-34084 earlier, do not assume that closed it — re-test against the bypass.

High · GHSA · 2026-06-08 ·added 06:00 ET

Netty batch: DNS cache poisoning, QUIC token forgery, IPv6 filter bypass, and memory-exhaustion DoS across resolver/handler/codec

Netty — the asynchronous networking core underneath a vast swath of JVM infrastructure (gRPC, Spring WebFlux, Elasticsearch, Cassandra clients, and more) — disclosed a cluster of high-severity advisories on 2026-06-08. The most consequential are DNS cache poisoning via missing bailiwick checks on NS and CNAME records (CVE-2026-45674 / CVE-2026-47691, CVSS 8.7), an IPv6 subnet-filter bypass from incorrect comparator masking (CVE-2026-44249, CVSS 8.1), a QUIC handler that accepts any client-supplied token (CVE-2026-44894), and an SNI handler that pre-allocates up to 16 MiB from nine attacker-controlled bytes (CVE-2026-45416). The DNS-poisoning and IPv6-filter issues are the ones to weigh first: both undermine controls (resolution integrity, allow/deny lists) that other layers trust implicitly. This is transitive-dependency territory — most teams won't have netty-resolver-dns or netty-handler in their direct manifest. Run a dependency-tree scan for io.netty:* ≤ 4.1.134.Final and ≤ 4.2.14.Final and upgrade to the patched 4.1.x / 4.2.x lines.

High · GHSA · 2026-06-08 ·added 06:00 ET

Puma PROXY Protocol v1 parser — remote memory exhaustion and repeated-header smuggling on persistent connections

Two high-severity advisories (CVE-2026-47736 memory exhaustion, CVE-2026-47737 repeated-header acceptance, both CVSS 7.5) hit Puma's PROXY Protocol v1 parser across the >= 5.5.0, < 7.2.1 and >= 8.0.0, < 8.0.2 ranges. Puma fronts a large fraction of production Rails and Rack apps, and PROXY Protocol is commonly enabled when Puma sits behind an L4 load balancer that forwards the client's real IP. An attacker who can reach the Puma listener directly — or through a proxy that doesn't strip the header — can exhaust memory, and the repeated-header handling opens a client-IP spoofing / smuggling angle that can defeat IP allowlists and rate limits. Upgrade to Puma 7.2.1 or 8.0.2, and confirm PROXY Protocol is only ever accepted from a trusted upstream, never from the open internet.

High · GHSA · 2026-06-08 ·added 06:00 ET

nebula-mesh control plane — missing ownership checks allow cross-operator privilege escalation (CVSS 9.9)

nebula-mesh (the juev/nebula-mesh management layer, < 0.3.4) exposes API endpoints with no ownership enforcement, letting one operator act on resources belonging to another — a cross-tenant privilege escalation rated CVSS 9.9, and one of a cluster of advisories (audit-log disclosure, missing CSRF tokens, YAML injection into agent config) filed against the same project the same day. The footprint is narrower than the day's library issues since this is a self-hosted niche tool, but for anyone running it as a shared control plane for a Nebula overlay the blast radius is the whole mesh: compromise one operator account and you can re-key or reconfigure peers you should never touch. Upgrade to 0.3.4, and until then restrict the management API to a trusted admin network.