vanemmerik.ai / SUPPLY-CHAIN
Supply Chain · Watch Wednesday · 10 June 2026 · End-of-day synthesis · 4 watches · 34 items

From the watchtower — what crossed the wire today.

A four-times-a-day standing watch on the open-source supply chain. Each pass pulls newly disclosed CVEs, freshly catalogued KEV adds, and active attacks reported in the wild — then ranks them by severity for the day.

The story of the day — CISA KEV deadlines for TanStack and Nx Console land today as Miasma’s source code briefly leaks on GitHub and a new supply-chain vector — malicious MCP server config in pull requests — puts Claude Code Action CI pipelines at risk of secret exfiltration.

Today marks the CISA KEV remediation deadline for both the TanStack npm credential stealer and the Nx Console VS Code extension malware — two of the most damaging developer-tooling supply-chain hits in recent weeks. The onering Rust crate backdoor on crates.io, exfiltrating commit diffs to attacker infrastructure at every cargo build, remains live.

The Miasma story escalated mid-day: the credential-stealing worm’s source code was briefly published on GitHub before removal — a leak that likely placed the codebase in private hands even if the window was short, and should be expected to spawn variants with modified signatures. Separately, a high-severity advisory dropped for anthropics/claude-code-action: any PR author can add a malicious .mcp.json to their branch; when a maintainer triggers the action on that PR, all project MCP servers execute under full workflow permissions, yielding arbitrary code execution and exfiltration of every runner secret. The attack requires only the ability to open a pull request against a public repository — the normal state of every open-source project using this action.

→ Operational priority for the night: audit every workflow that calls claude-code-action — switch the trigger from pull_request to pull_request_target, add a maintainer-approval label gate, and pin the action to a verified commit SHA before tomorrow’s PR queue opens.

18:00 ET · First Watch

Claude Code Action: malicious .mcp.json in PRs enables RCE and secret exfiltration on GitHub Actions runners

Untrusted pull requests can supply a malicious .mcp.json in the working directory; when a privileged user triggers anthropics/claude-code-action on the PR, enableAllProjectMcpServers loads all project MCP servers without sandbox or approval checks — yielding code execution on the Actions runner and exfiltration of any secrets the workflow can reach. The attack chain is: checkout PR head → read .mcp.json → run arbitrary MCP server process under workflow permissions. Any public repository using this action on bare pull_request triggers is exposed today. Switch to pull_request_target, gate behind a maintainer-approval label, and pin the action to a verified commit SHA rather than a mutable version tag.
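A small audit script for the operational priority above, as an added example (not code from anthropics/claude-code-action or this page). It is a line-oriented heuristic rather than a YAML parser, so its output is a triage list; the two workflow texts and the 40-hex SHA are constructed placeholders.

```python
"""Flag workflows that use claude-code-action on a bare pull_request trigger,
without a label gate, or pinned to a mutable ref instead of a commit SHA."""
import re

ACTION = "anthropics/claude-code-action"
SHA40 = re.compile(r"^[0-9a-f]{40}$")
USES = re.compile(rf"^\s*-?\s*uses:\s*{re.escape(ACTION)}@(\S+)")
# '_' is a word character, so \bpull_request\b does not match
# pull_request_target or pull_request_review.
BARE_PR = re.compile(r"\bpull_request\b")
LABEL_GATE = re.compile(r"github\.event\.pull_request\.labels")


def trigger_block(text: str) -> str:
    """Return the top-level 'on:' line plus its indented body."""
    out, inside = [], False
    for line in text.splitlines():
        if line.startswith("on:"):
            inside = True
        elif inside and line and not line[0].isspace():
            break  # next top-level key ends the trigger section
        if inside:
            out.append(line)
    return "\n".join(out)


def audit_workflow(text: str) -> list[str]:
    """Findings for one workflow file; an empty list means nothing flagged."""
    refs = []
    for line in text.splitlines():
        m = USES.match(line)
        if m:
            refs.append(m.group(1))
    if not refs:
        return []  # the action is not used in this workflow
    findings = []
    for ref in refs:
        if not SHA40.match(ref):
            findings.append(f"unpinned: @{ref} is a mutable ref; pin to a full commit SHA")
    if BARE_PR.search(trigger_block(text)):
        findings.append("trigger: bare pull_request; switch to pull_request_target")
    if not LABEL_GATE.search(text):
        findings.append("gate: no maintainer-approval label condition found")
    return findings


# Constructed sample: the exposed shape described above.
WEAK = """\
on:
  pull_request:
jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: anthropics/claude-code-action@v1
"""

# Constructed sample: trigger, label gate and SHA pin applied. Under
# pull_request_target, checkout defaults to the base branch; do not
# check out the PR head, or the untrusted .mcp.json comes back with it.
HARDENED = """\
on:
  pull_request_target:
    types: [labeled]
jobs:
  review:
    if: contains(github.event.pull_request.labels.*.name, 'claude-approved')
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: anthropics/claude-code-action@0123456789abcdef0123456789abcdef01234567
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_workflow(text) or "ok")
```

Run it over every file under .github/workflows/ and treat each non-empty result as a workflow to fix before the PR queue reopens.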

Baileys (@whiskeysockets/baileys): crafted protocolMessage payload spoofs messages, corrupts app state, injects fake history

Any Baileys session on npm < 6.7.22 or < 7.0.0-rc12 can be sent a crafted placeholderResendMessage payload to trigger fake messages.upsert events with arbitrary message keys, corrupt the app state sync system via fake key shares, or inject fabricated WhatsApp history — no user interaction required beyond an open session. Baileys is widely used in open-source WhatsApp automation and chatbot frameworks. Upgrade to 6.7.22 or 7.0.0-rc12; no meaningful workaround exists for the state-sync jamming path.

Miasma credential-stealer source code briefly leaked on GitHub before takedown

The Miasma worm’s source code was published to GitHub and taken down within hours. Even a short window is enough for the codebase to propagate privately — expect variants that share Miasma’s registry-targeting TTPs (GitHub account compromise → code-signing identity abuse → poisoned release artifacts) but with modified signatures. Update your scanning rules to target behavioral patterns rather than static hashes; treat any unsigned or newly-published releases from previously-clean GitHub accounts with elevated suspicion in the coming days.

Arista EOS: tunnel decap bypass lets adjacent attackers inject traffic into tenant segments (CVE-2026-7473)

Arista EOS incorrectly decapsulates unexpected tunneled packets whose destination IP matches the switch’s own configured decap IP, forwarding them inward rather than dropping them. An attacker on an adjacent segment can use this to inject arbitrary traffic past VXLAN or GRE tenant isolation — a meaningful risk in multi-tenant data center fabrics. Added to CISA KEV June 9 with a June 23 deadline. Patch per Arista advisory SA-0137; assess tenant-isolation exposure on your EOS fabric in the meantime.

OpenTelemetry Operator: ServiceMonitor bearerTokenFile reads arbitrary local files and sends contents as bearer auth

The OTel Operator’s TargetAllocator converts ServiceMonitor.bearerTokenFile paths directly into Prometheus scrape auth CredentialsFile with no path restriction. An attacker with ServiceMonitor create/edit rights can point this field at any file on the Collector container — including /var/run/secrets/kubernetes.io/serviceaccount/token or mounted secret volumes — and harvest the contents via scraped metrics. Kubernetes RBAC for ServiceMonitor writes is the blast-radius boundary; restrict it to trusted namespaces and patch the operator.

vLLM artifact pin decay: --revision flag doesn’t cover GGUF files, image processors, or side weights

vLLM’s --revision and --code-revision pins don’t consistently apply to all artifact types: GGUF quantizations, image processors, retrieval side weights, and subfolder configs can still load from an unpinned default revision. A deployment that believes it is serving a reviewed model build may silently pick up behavior-affecting changes. Add out-of-band content-hash verification for any vLLM production deployment where model integrity is a compliance or security requirement.

GitHub announces npm v12 security hardening targeting install-time supply-chain attack vectors

GitHub announced that npm v12, expected next month, will restrict the install-time script behaviors that have been the delivery mechanism for most of this week’s active campaigns. No detailed RFC yet; watch the npm GitHub discussions for the specific hooks targeted. This is the right mitigation layer, arriving after three active campaigns have already exploited the current model.

Socket Firewall integrates into Replit AI-powered dev environment to block malicious packages at install time

Socket is extending its real-time malicious-package detection into Replit’s AI coding environment. AI-assisted development surfaces are a growing attack target — vibe-coding toolchains that auto-install LLM-suggested dependencies are natural targets for hallucinated-package-name attacks and typosquatting. Scanning at the IDE/install boundary is the right mitigation layer and a meaningful bright spot in a week dominated by registry compromises.

PDM: malicious wheel can write arbitrary files via path traversal in InstallDestination.write_to_fs()

PDM’s InstallDestination.write_to_fs() overrides the base class install path but replaces safe Path.resolve() + is_relative_to() validation with bare os.path.join(), performing no path canonicalization. A malicious wheel with directory-traversal entries can write arbitrary files outside the install destination. Same vulnerability class as Poetry CVE-2026-34591. Pin to the patched PDM release (PR #3787); if your CI pulls from any PyPI mirror or private index, verify the index has not served a malicious wheel against your projects.
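The flawed and hardened path computations side by side, as an added Python illustration of the bug class the PDM entry describes (not PDM's own code). Member names are constructed; the destination directory need not exist, and the check needs Python 3.9+ for Path.is_relative_to().

```python
"""Vulnerable os.path.join() vs Path.resolve() + is_relative_to() for
deciding where a wheel member lands on disk."""
import os
from pathlib import Path


def unsafe_target(dest: str, member: str) -> str:
    """Flawed pattern: no canonicalization, so '..' survives, and an
    absolute member name makes os.path.join discard dest entirely."""
    return os.path.join(dest, member)


def safe_target(dest: str, member: str) -> Path:
    """Resolve the candidate and require it to stay inside dest.
    Raises ValueError for any member that would land outside."""
    root = Path(dest).resolve()
    candidate = (root / member).resolve()
    if not candidate.is_relative_to(root):
        raise ValueError(f"wheel member {member!r} escapes {root}")
    return candidate


def escaping_members(dest: str, members: list[str]) -> list[str]:
    """Member names a hardened installer must refuse to write."""
    bad = []
    for name in members:
        try:
            safe_target(dest, name)
        except ValueError:
            bad.append(name)
    return bad


# Constructed namelist of a hypothetical malicious wheel.
SAMPLE_MEMBERS = [
    "evilpkg/__init__.py",
    "evilpkg-1.0.dist-info/METADATA",
    "../../../../home/victim/.bashrc",   # plain relative traversal
    "/etc/cron.d/hourly-job",             # absolute name: join() returns it verbatim
    "evilpkg/../../sitecustomize.py",     # traversal hidden mid-path
]

if __name__ == "__main__":
    dest = "/tmp/venv/lib/python3.12/site-packages"
    for name in SAMPLE_MEMBERS:
        print(f"{name!r:40} join() -> {os.path.normpath(unsafe_target(dest, name))}")
    print("rejected by hardened check:", escaping_members(dest, SAMPLE_MEMBERS))
```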

13:00 ET · Forenoon Watch

Compromised Rust crate onering v1.4.1 exfiltrates your latest commit diff via malicious build.rs

The onering crate on crates.io was compromised at v1.4.1: the build script reads `git diff HEAD~1` and ships the output as a JSON payload to a hosted Sentry endpoint at every `cargo build`, silently leaking your in-progress source changes to an attacker-controlled collector. Any repository that ran a build against v1.4.1 should treat its uncommitted diff as exposed. Grep your Cargo.lock for onering; if v1.4.1 is present, rotate any secrets committed or staged during that build window and audit the repo's recent diff history for anything sensitive that was in-flight.

Nx Console VS Code extension malicious code — CISA KEV remediation deadline today (CVE-2026-48027)

The CISA KEV remediation deadline for the Nx Console compromised-extension vulnerability lands today, June 10. The malicious version fetched an obfuscated payload that harvested credentials from disk and memory — secrets files, browser credential stores, env vars — with confirmed ransomware follow-on. If your CI/CD or developer machines have Nx Console installed, verify the extension version, rotate any credentials that lived on those machines, and check for lateral movement indicators in logs since the compromise window.

Malicious TanStack versions published to npm — credential stealer, ransomware confirmed, KEV deadline today (CVE-2026-45321)

CISA's remediation deadline for the TanStack npm compromise also falls today. Malicious versions of TanStack packages were published under the trusted identity and dropped a credential-stealing payload; ransomware follow-on is confirmed in the KEV record. If any builds ran against a compromised TanStack version, treat the build environment's credentials as compromised. Run `npm audit` against affected projects, lock to known-good versions, and rotate tokens and secrets that were available in those environments.

PhoenixStorybook: Unauthenticated RCE via HEEx template injection in playground (CVE-2026-8467)

The phoenix_storybook playground accepts user-controlled attribute values over WebSocket and interpolates them unsanitized into a HEEx template that is then compiled with full Elixir `Kernel` access. No authentication is required. Any instance exposed beyond localhost is a one-shot RCE. PhoenixStorybook is typically a development tool, but it ships enabled by default on the dev router and developers sometimes run it on shared or cloud dev environments. If you deploy phoenix_storybook anywhere other than loopback, patch immediately or firewall the storybook path.

Microsoft restores some GitHub repos, keeps others offline as Miasma probe continues — 73 projects compromised

Microsoft confirmed 73 of its open-source repositories were compromised in the Miasma campaign to inject an information stealer. Some repos have been restored; others remain offline as the investigation continues. This is the same Miasma campaign that crossed into PyPI (covered June 7) — the attacker pattern is GitHub account compromise → code-signing identity abuse → poisoned release artifacts. If your projects depend on any Microsoft OSS repos that were recently offline or have uncharacteristic new releases, verify the release integrity out-of-band before pulling.

Dex: Token-exchange endpoint skips AllowedConnectors enforcement — per-client connector ACL bypassed

Dex's `handleTokenExchange` handler does not call `isConnectorAllowed` before issuing tokens, while all sibling handlers (redirect-flow, auth endpoint) enforce the same field correctly. A client with `allowedConnectors` set to restrict which identity providers it may use can have that restriction bypassed via the token-exchange path. Dex is widely used as the OIDC provider in Kubernetes clusters (ArgoCD, Harbor, Vault, Teleport). If your Dex clients have `allowedConnectors` set for security — rather than convenience — treat those clients' token-exchange grants as unpredictably scoped until you patch.

Check Point Security Gateway VPN auth bypass via IKEv1 flaw — ransomware use confirmed, patch deadline tomorrow (CVE-2026-50751)

An unauthenticated remote attacker can bypass IKEv1 key exchange authentication on Check Point Security Gateway to establish a VPN session without valid credentials. CISA has confirmed ransomware operators are using this; the patch deadline is tomorrow, June 11. Check Point has published a hotfix for the deprecated IKEv1 path — either apply it or disable IKEv1 if not needed. If IKEv1 sessions appear in your logs from unexpected sources since June 6, treat those connections as potentially adversarial.

BerriAI LiteLLM command injection — any low-privilege internal key can run host commands (CVE-2026-42271)

LiteLLM's command injection flaw allows any authenticated caller — including low-privilege `internal-user` API keys — to execute arbitrary shell commands on the LiteLLM host. This is a full privilege escalation from API user to host. LiteLLM is widely deployed as an LLM proxy in internal AI platforms. Patch to v1.83.7-stable or later; if patching is blocked, audit who holds internal-user keys and restrict network access to the LiteLLM service to trusted callers only.

Chromium V8 out-of-bounds read/write — crafted HTML executes code in renderer sandbox, all Chromium-based browsers (CVE-2026-11645)

A V8 OOB read-write reachable via a crafted HTML page enables renderer sandbox code execution across Chrome, Edge, Opera, and any Electron app using a vulnerable Chromium version. Added to CISA KEV June 9 with a June 23 deadline. Apply the Chromium stable channel update; for Electron-based internal tooling, check the bundled Chromium version and plan an expedited update if it predates the patch.

PhoenixStorybook: Unbounded atom creation from LiveView event params exhausts the Erlang atom table (CVE-2026-8469)

LiveView event parameters in phoenix_storybook are converted to atoms without interning guards. The Erlang atom table is a fixed-size non-GC'd structure; exhausting it crashes the BEAM process and takes down the entire Elixir application, not just the storybook route. This is a secondary issue to the RCE (GHSA-55hg-8qxv-qj4p) — if you're exposed to untrusted users, the RCE is the priority. If the storybook is behind authentication, this DoS vector still matters for shared-environment Elixir apps.

Drupal Core SQL injection via database abstraction API — privilege escalation and RCE (CVE-2026-9082)

A SQL injection in Drupal's database abstraction layer allows privilege escalation and remote code execution via crafted requests. Drupal's broad internet presence makes this a high-value exploitation target. CISA added it to KEV, indicating active exploitation. Patch your Drupal installation; if a same-day patch isn't possible, check your WAF rules for the disclosed request patterns and review Drupal's recent access logs for privilege-escalation indicators.

@hulumi/policies: policy packs bypassed by forging a Pulumi-URN logical name (CVE-2026-48033)

Several Hulumi policy rules granted exemptions based on the resource URN's logical name — the free-text portion a developer chooses. An attacker-controlled stack definition can set a logical name that matches the exemption pattern, silently bypassing hardening checks (e.g. S3 bucket hardening rules) at deploy time. This is one of four related bypasses fixed in @hulumi/policies 1.4.0; the others (GHSA-g759-4pxw-6692, GHSA-9vc9-4jv3-rf86) follow the same root cause. If you use Hulumi for AWS guardrails, upgrade all @hulumi/* packages to 1.4.0 and re-run a policy check over live stacks.

@hulumi/policies: IAM-role OIDC trust checks skip second provider when role trusts multiple OIDC issuers (CVE-2026-48032)

The G_OIDC_1 and G_OIDC_2 policy rules check GitHub Actions OIDC trust conditions on IAM roles but only inspect the first federated provider when multiple are listed. A role that trusts both GitHub OIDC and a second OIDC provider with a wildcard subject passes the policy check, defeating the overly-permissive-subject guardrail. Fixed in @hulumi/policies 1.4.0 alongside GHSA-rhgj-6g2c-frmm and GHSA-9vc9-4jv3-rf86. Review any IAM roles with multiple OIDC providers for overly broad `sub:` conditions.

SymfonyRuntime: CVE-2024-50340 patch bypass — web requests can still override APP_ENV/APP_DEBUG via parse_str/SAPI argv mismatch (CVE-2026-47767)

The CVE-2024-50340 fix gated argv reading on `empty($_GET)` as a proxy for CLI context, but `parse_str()` and the web SAPI build `$_GET` differently in edge cases — the proxy fails, and a crafted web request can still set `APP_ENV=prod` or `APP_DEBUG=true` via `--env`/`--no-debug` query string manipulation. The blast radius is the same as the original: bypassing environment-based security controls (disabling debug mode, or forcing prod mode to mask errors). Upgrade symfony/runtime to ≥7.2.x or apply the released patch; check whether your deployment exposes `register_argc_argv=On`.

Cisco Catalyst SD-WAN Manager local privilege escalation to root via crafted file (CVE-2026-20245)

An authenticated local attacker on a Cisco SD-WAN Manager system can execute arbitrary commands as root by supplying a crafted file. This is a local privesc, not remote — but SD-WAN management planes are high-value targets and attackers who reach the local shell (e.g. via a previous exploit or misconfig) will chain this. Added to KEV June 9 alongside Arista EOS (CVE-2026-7473). Patch per Cisco advisory cisco-sa-sdwan-privesc-4uxFrdzx.

Go REST API boilerplate go-base ships hardcoded JWT secret 'random' as both template default and code fallback (CVE-2026-48031)

The dhax/go-base boilerplate sets `AUTH_JWT_SECRET=random` in its `dev.env` template AND adds `viper.SetDefault("auth_jwt_secret", "random")` as a compile-time fallback, meaning any deployment that didn't explicitly override the secret is signing JWTs with the well-known string 'random'. An attacker can forge valid tokens for any user. With 1,685 GitHub stars this boilerplate has meaningful downstream reach. If your project was forked from go-base or uses its auth module, verify the running secret value is neither 'random' nor empty, and rotate issued tokens immediately.

LiteSpeed cPanel Plugin privilege escalation — any cPanel user can execute scripts as root (CVE-2026-48172)

The LiteSpeed cPanel Plugin exposes a path through the cPanel user-end UI that executes scripts with root privileges, accessible to any cPanel account holder on a shared hosting server. Shared hosting providers running LiteSpeed are the primary risk surface. Any tenant with a cPanel account can escalate to root on the host. CISA added this to KEV in late May, indicating active exploitation. Patch the LiteSpeed cPanel plugin or restrict cPanel plugin access if a patch isn't immediately available.

ENISA 2026 SBOM report: 334 organizations generate SBOMs; most don't operationalize them

ENISA's 2026 study across 334 organizations shows a consistent pattern: SBOMs are being generated (often to satisfy contractual or regulatory requirements) but are not being ingested into vulnerability management workflows. The gap between 'we have SBOMs' and 'we use them to triage CVE-2026-48027-style compromises faster' is the operational story here. Worth sharing with your CISO or compliance team as context for why SBOM tooling investments need to extend beyond generation.

Palo Alto Networks PAN-OS authentication bypass — unauthorized VPN connection without valid credentials (CVE-2026-0257)

PAN-OS contains an auth bypass allowing attackers to establish unauthorized VPN sessions without valid credentials. Added to CISA KEV May 29; pairs with Check Point CVE-2026-50751 (also a VPN auth bypass, added June 8) as part of a broader pattern of VPN gateway authentication attacks this cycle. Remediation deadline has passed for government; if you run PAN-OS VPN gateways, verify patch status and review remote access logs for anomalous session establishment.

@hulumi/drift: Drift classifier fails open on adapter errors, over-promotes Mixed verdicts to None (CVE-2026-48036)

When any of hulumi/drift's four adapters (Pulumi-state, provider-version, CloudTrail, etc.) throws an error, the classifier defaults to a 'None / no drift' verdict rather than failing safe. Similarly, 'Mixed / high' verdicts are downgraded to 'None' in edge conditions. The result: genuine infrastructure drift gets silently suppressed in the 6-hour cache. This is a correctness issue for drift detection, not an immediate exploit path. Fixed in @hulumi/drift 1.4.0 alongside the hulumi/policies cluster.

Daemon Tools Lite embedded malicious code — high impact on confidentiality, integrity, availability (CVE-2026-8398)

Daemon Tools Lite received a malicious code injection (CWE-506) with CISA noting high CIA impact. Details remain sparse in the KEV record; Daemon Tools' own blog references a 'security incident'. Context-tier here because Daemon Tools is consumer-grade disk-image software with limited enterprise footprint, but any developer machine or CI agent that has Daemon Tools installed should be audited. Cross-reference with the Nx Console and TanStack compromises — all three are developer-tooling supply chain hits within the same KEV batch.

Langflow origin validation error — CISA KEV (CVE-2025-34291)

Langflow's origin validation vulnerability was added to CISA KEV in May. Langflow is a visual AI workflow builder increasingly used for internal LLM orchestration, so it follows the AI-infra supply-chain pattern seen with LiteLLM. No additional detail in the KEV record beyond 'origin validation error'; check the Langflow security advisory for specifics and patch status. If you expose Langflow endpoints beyond localhost, treat this as a priority upgrade.

06:00 ET · Morning Watch

Net::IMAP: Command injection via non-synchronizing literal in raw argument (CVE-2026-47240)

A follow-on to CVE-2026-42257: the patch that hardened net-imap raw-data arguments (shipped in 0.6.4 / 0.5.14) validated against CRLF injection but not against non-synchronizing literals. If the IMAP server doesn’t advertise LITERAL+ or LITERAL-, it may interpret a raw argument ending in a valid-looking literal prefix as the start of a new pipelined command, enabling CRLF injection into search criteria or fetch attribute strings. The attack requires attacker-controlled input to #search, #uid_search, #sort, #thread, #fetch, or #uid_fetch raw arguments, which is uncommon but possible in apps that pass user-supplied search terms directly. Upgrade net-imap beyond 0.6.4 / 0.5.14; if you can’t, validate that raw string arguments contain no CR or LF bytes before use.

Net::IMAP: Command injection via CRLF in ID and enable command arguments (CVE-2026-47242)

Net::IMAP#id and Net::IMAP#enable do not validate their arguments for CRLF sequences. An attacker-controlled string passed to either method can inject arbitrary IMAP commands after the CRLF. The more realistic vector is #id: client ID fields are sometimes populated from configuration files, version strings, or environment variables, any of which could be tainted in a misconfigured deployment. The #enable surface is narrower because callers nearly always pass compile-time constants. Upgrade net-imap; if upgrading is not possible, ensure ID field values are never derived from untrusted input and never pass user-controlled strings to #enable.

Net::IMAP: Denial of service via incomplete raw argument validation — regex misses {0} / {0+} (CVE-2026-47241)

The CVE-2026-42257 patch introduced a regex to block literal-continuation smuggling in raw data arguments, but the regex doesn’t match the edge cases {0} or {0+}. An attacker-controlled search criteria or fetch attr ending in either sequence passes validation, is sent verbatim, and causes the server to treat the next command as a continuation of the first. In a single-threaded connection this hangs the command until the server times out the connection; in a multi-threaded connection the second command’s thread also hangs. The effect is a denial of service against the IMAP connection, not code execution. This and CVE-2026-47240 / CVE-2026-47242 form a triple of net-imap hardening issues — a single upgrade resolves all three.
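One pre-send check covering all three net-imap items above (CR/LF in #id and #enable arguments, a trailing literal prefix in raw search/fetch arguments, and the {0} / {0+} edge cases), as an added Python illustration rather than net-imap's own code. NAIVE_LITERAL_SUFFIX is constructed here to show the class of gap and is not net-imap's actual regex; the sample strings are constructed too.

```python
"""Reject strings that would break out of a single IMAP command when
spliced raw into search criteria, fetch attributes, or ID fields."""
import re

# IMAP literal prefix: '{' count '}' with an optional '+' marking a
# non-synchronizing literal. Left at the tail of an argument, it makes the
# server read what follows (the next command) as literal bytes instead of a
# new command. \d+ admits a zero count, so {0} and {0+} are caught as well.
LITERAL_SUFFIX = re.compile(r"\{\d+\+?\}\Z")

# Constructed incomplete pattern: insists on a non-zero count and therefore
# lets {0} and {0+} through, the same class of gap the DoS entry describes.
NAIVE_LITERAL_SUFFIX = re.compile(r"\{[1-9]\d*\+?\}\Z")


def has_crlf(value: str) -> bool:
    return "\r" in value or "\n" in value


def raw_argument_problem(value: str, literal_re=LITERAL_SUFFIX):
    """Return None if value is safe to send raw, else a short reason."""
    if has_crlf(value):
        return "CR/LF would terminate the command and start a new one"
    if literal_re.search(value):
        return "trailing literal prefix would swallow the next command"
    return None


def unsafe_id_fields(fields: dict) -> list:
    """Keys and values for Net::IMAP#id are both sent on the wire; CR/LF in
    either is the reported vector. Return the keys that carry it."""
    return [k for k, v in fields.items() if has_crlf(str(k)) or has_crlf(str(v))]


# Constructed samples: one clean argument and four smuggling shapes.
SAMPLES = [
    "FROM alice@example.com",
    "SUBJECT report\r\nA002 FETCH 1:* (BODY[])",  # CR/LF injection
    "TEXT urgent{12+}",                           # non-synchronizing literal prefix
    "TEXT urgent{0}",                             # zero-length literal
    "TEXT urgent{0+}",                            # zero-length non-sync literal
]

if __name__ == "__main__":
    for s in SAMPLES:
        strict = raw_argument_problem(s)
        naive = raw_argument_problem(s, NAIVE_LITERAL_SUFFIX)
        print(f"{s!r:45} strict={bool(strict)} naive={bool(naive)}")
    print(unsafe_id_fields({"name": "app", "version": "1.0\r\nA1 NOOP"}))
```

The strict/naive columns diverge exactly on the {0} and {0+} samples, which is the gap a single net-imap upgrade closes.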