vanemmerik.ai / SUPPLY-CHAIN
Supply Chain · Watch · Thursday, 11 June 2026 · End-of-day synthesis · 4 watches · 25 items

From the watchtower — what crossed the wire today.

A four-times-a-day standing watch on the open-source supply chain. Each pass pulls newly disclosed CVEs, freshly catalogued KEV adds, and active attacks reported in the wild — then ranks them by severity for the day.

The story of the day — npm moves to disarm install scripts on the same day a supply-chain worm's source code leaks and PDM lands its second code-execution flaw — the install-time attack surface is the whole story.

The thread running through today is the install-time execution surface — the moment a package manager runs code just because you fetched or installed something. PDM proved it twice (pre-parse `.pdm-plugins` execution and a traversal-writing wheel), echoing the pip and Poetry bugs before it.

Against that backdrop, GitHub said npm v12 will turn install scripts off by default — the single change that neutralizes the Nx, Red Hat, and worm-style campaigns this watch keeps logging, and the clearest defensive win the page has carried. The timing is pointed: the source code for the Miasma supply-chain worm briefly leaked on GitHub in the same window, a proliferation event that makes copycat registry campaigns more likely, while CISA added an unauthenticated-root Ivanti Sentry RCE and a CodeIgniter4 upload bypass that turns `shell.php` into a webshell. The credential-rich middle of the AI stack stayed loud too — the Meta Ads MCP token leak and the KEV-listed LiteLLM command injection both let a low-trust caller reach operator secrets.

→ Operational priority for the night: before you upgrade to npm v12, inventory which of your own dependencies actually need an install script and allow-list them explicitly — then patch Ivanti Sentry (KEV due 06-14) and CodeIgniter4 (4.7.2) anywhere they face untrusted input.

18:00 ET · First Watch

CISA KEV adds Ivanti Sentry OS command injection — a remote unauthenticated attacker gets root-level RCE on the mobile gateway (CVE-2026-10520)

CISA catalogued an OS command-injection (CWE-78) in Ivanti Sentry (formerly MobileIron Sentry) that lets a remote unauthenticated attacker reach root-level RCE when the appliance is in an unmanaged state. Sentry brokers mobile and email access into internal systems, so a perimeter box that hands root to anyone who can reach it is initial access by design — the same shape as the Check Point IKEv1 bypass below. Apply Ivanti's fix now, confirm the appliance is not sitting in the vulnerable unmanaged state, and treat it as past-due fast: KEV due date is 2026-06-14.

Source for the 'Miasma' credential-stealing worm — the framework behind recent open-source supply-chain attacks — briefly leaked on GitHub

The Miasma attack framework, the credential-stealer that has been self-propagating through open-source ecosystems via supply-chain attacks, was briefly published in full on GitHub before takedown. Source-code exposure of a working supply-chain worm is a proliferation event: every copy pulled during the window lowers the bar for the next crew to fork it and ship its own poisoned-package campaign. A fresh wave of npm/PyPI typosquats and self-propagating install-script payloads is more likely this week, so lean harder on the install-script defenses below.

CodeIgniter4 ext_in upload rule checks the guessed MIME extension, not the filename — shell.php with GIF-like bytes passes validation (CVE-2026-48062, CVSS 9.8)

CodeIgniter4's `ext_in` upload-validation rule checked the MIME-derived guessed extension instead of the client-provided filename, so a file named `shell.php` carrying GIF-like content sails past a `mime_in[image/gif]|ext_in[gif]` rule and lands with its .php name intact. Any app that accepts user uploads, trusts ext_in, and stores files under a web-reachable PHP-executing path now has a webshell-upload chain — a near-textbook RCE in one of PHP's most common frameworks, which is why this rates CVSS 9.8. Upgrade to 4.7.2 and, until then, validate the client filename extension explicitly rather than relying on the MIME guess.
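The two checks side by side, as an added example written here in Python rather than CodeIgniter's own PHP: `ext_in_vulnerable()` mirrors the guessed-extension logic the advisory describes and `ext_in_fixed()` validates the client filename together with the sniffed type. Function names, the magic-byte table and the sample uploads are this example's own assumptions.

```python
"""Upload extension check: MIME-guessed extension vs client filename.

Added example, not CodeIgniter's code: it mirrors in Python the failure the
advisory describes. ext_in_vulnerable() derives the extension from sniffed
content and never reads the client filename; ext_in_fixed() validates the
client filename's extension and the sniffed type together. Names and the
magic-byte table are this example's own.
"""
import os
from typing import Optional

# Minimal content sniffing by magic bytes (constructed for the example).
MAGIC = {b"GIF87a": "image/gif", b"GIF89a": "image/gif",
         b"\x89PNG\r\n\x1a\n": "image/png", b"\xff\xd8\xff": "image/jpeg"}
MIME_TO_EXT = {"image/gif": "gif", "image/png": "png", "image/jpeg": "jpg"}


def sniff_mime(data: bytes) -> Optional[str]:
    """Guess the content type from leading bytes, like a MIME sniffer would."""
    return next((m for magic, m in MAGIC.items() if data.startswith(magic)), None)


def client_extension(filename: str) -> str:
    """Extension of the name the client sent (the name the file is stored under)."""
    return os.path.splitext(os.path.basename(filename))[1].lstrip(".").lower()


def ext_in_vulnerable(filename: str, data: bytes, allowed: set) -> bool:
    """Checks only the extension guessed from content; the filename is ignored,
    so 'shell.php' with GIF bytes passes an ext_in[gif] rule."""
    guessed = MIME_TO_EXT.get(sniff_mime(data) or "", "")
    return guessed in allowed


def ext_in_fixed(filename: str, data: bytes, allowed: set, allowed_mime: set) -> bool:
    """Require the client filename's extension to be allowed AND the sniffed
    type to be allowed; the stored name decides whether the server executes it."""
    return client_extension(filename) in allowed and sniff_mime(data) in allowed_mime


# Constructed sample uploads: client filename -> leading content bytes.
SAMPLES = {
    "avatar.gif": b"GIF89a" + b"\x00" * 32,
    "shell.php": b"GIF89a" + b"\x00" * 32,     # PHP name, GIF-like bytes
    "photo.GIF": b"GIF87a" + b"\x00" * 32,     # upper-case extension
    "notes.gif": b"not an image at all",       # right name, wrong content
}


def compare(allowed=frozenset({"gif"}), allowed_mime=frozenset({"image/gif"})) -> dict:
    """Map each sample to (vulnerable verdict, fixed verdict)."""
    return {name: (ext_in_vulnerable(name, data, allowed),
                   ext_in_fixed(name, data, allowed, allowed_mime))
            for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, (vuln, fixed) in compare().items():
        print(f"{name:12} vulnerable={vuln!s:5} fixed={fixed}")
```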

Second PDM flaw: a malicious wheel writes arbitrary files via path traversal in the overridden write_to_fs (CVE-2026-47764)

PDM's InstallDestination.write_to_fs() swapped the base class's validated path join for a bare os.path.join() to add sym/hardlink support, dropping the traversal check — so a crafted wheel with `../` entries writes arbitrary files anywhere the install process can reach. It is the same class as Poetry's CVE-2026-34591, and it lands the same day as the .pdm-plugins pre-parse execution bug above: two independent code-execution paths in one Python package manager this week. Upgrade past 2.22.4 and treat installing an untrusted wheel as arbitrary file write until you have.
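The check PDM's override dropped, shown as an added example rather than PDM's own code: a bare `os.path.join` beside a join that resolves the destination and refuses anything outside the install root. The function names and the sample install root are this example's assumptions.

```python
"""Confining archive entries to the install root (added example, not PDM's code).

Contrasts a bare os.path.join, the shape the advisory describes, with a join
that checks the resolved destination stays under the install root. Names and
the sample install root are this example's own assumptions.
"""
import os

# Constructed install root; it does not need to exist for the check to run.
INSTALL_ROOT = "/opt/venv/lib/python3.12/site-packages"


def unsafe_destination(root: str, entry: str) -> str:
    """Vulnerable shape: a bare join lets '../' and absolute entries escape."""
    return os.path.join(root, entry)


def safe_destination(root: str, entry: str) -> str:
    """Resolve under root; reject absolute entries, escaping '..' and symlink escapes."""
    if os.path.isabs(entry) or entry.startswith(("/", "\\")):
        raise ValueError(f"absolute path in archive entry: {entry!r}")
    real_root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(real_root, entry))
    if os.path.commonpath([real_root, candidate]) != real_root:
        raise ValueError(f"archive entry escapes install root: {entry!r}")
    return candidate


def classify_entries(root: str, entries: list) -> dict:
    """Map each entry to True (accepted) or False (rejected) by the safe join."""
    verdicts = {}
    for entry in entries:
        try:
            safe_destination(root, entry)
            verdicts[entry] = True
        except ValueError:
            verdicts[entry] = False
    return verdicts


# Constructed entry names, as a crafted wheel might carry them.
SAMPLE_ENTRIES = [
    "pkg/__init__.py",
    "pkg-1.0.dist-info/METADATA",
    "../../.bashrc",
    "pkg/../../../etc/cron.d/job",
    "/etc/passwd",
]


def audit_sample() -> dict:
    """Run the safe join over the constructed entries."""
    return classify_entries(INSTALL_ROOT, SAMPLE_ENTRIES)


if __name__ == "__main__":
    for entry, ok in audit_sample().items():
        print(f"{'accept' if ok else 'REJECT'} {entry}")
        print("   bare join would write:", unsafe_destination(INSTALL_ROOT, entry))
```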

AWS Advanced Go Wrapper lets a low-privilege Aurora PostgreSQL user escalate to rds_superuser via a crafted function (CVE-2026-11401, CVSS 8.0)

AWS's own Advanced Go Wrapper for Aurora PostgreSQL lets a low-privilege authenticated database user craft a function that runs with another RDS user's permissions, escalating to the rds_superuser role. A privilege-escalation bug in a first-party AWS database driver is a trust-the-vendor-library problem: it ships in the awssql wrapper and a dozen sibling modules (iam, okta, federated-auth, secrets-manager), so the blast radius is every Go service fronting Aurora through it. Upgrade the awssql/v2 wrapper past 2.0.0 along with the sibling auth/driver modules, and audit Aurora PostgreSQL function-creation grants.

DevGuard lets any authenticated user — even from an unrelated org — create and delete VEX rules on public assets (CVE-2026-48089)

On a DevGuard instance with any public asset, any authenticated user — including someone from an unrelated org with no role in yours — can create, update, reapply, and delete VEX rules and other vulnerability-triage records on those assets. DevGuard is itself a supply-chain security / SBOM-triage tool, so a broken-authorization flaw here means an outsider can quietly mark your real vulnerabilities as "not affected" and blind your own remediation queue. Upgrade past 1.4.2 and review VEX/triage history on any public asset for unexpected writes.

Netty HAProxy v2 codec leaks pooled memory on every nested PP2_TYPE_SSL TLV, enabling remote memory exhaustion (CVE-2026-48059)

Netty's HAProxy PROXY-protocol-v2 codec leaks a pooled (often direct) buffer on every connection carrying a syntactically valid header with nested PP2_TYPE_SSL TLVs at depth two or greater — and because it leaks on the *successful* parse path, nothing throws and the leak stays invisible until the process runs out of memory. Anything terminating PROXY-protocol traffic through netty-codec-haproxy (load balancers, ingress front-ends) can be walked into OOM by a stream of crafted connections. It is the second Netty codec leak on today's page alongside RedisArrayAggregator; upgrade past 4.2.14.Final / 4.1.134.Final on the haproxy codec artifact.

Russh decodes attacker-controlled SSH fields into allocations before bounds-checking, enabling remote memory pressure (CVE-2026-48110, CVSS 7.5)

Several russh client and server handlers decoded attacker-controlled SSH strings, name-lists, and byte fields into owned allocations before applying field-specific bounds, so a remote peer can send oversized or high-fanout length-prefixed fields and force the library to allocate before it rejects them. russh underpins a growing set of Rust SSH servers and bastions, and a pre-auth allocation primitive is a clean remote DoS lever. It rhymes with the grpc-js and Netty codec bugs already on today's page — allocation- and parser-robustness flaws in the transport libraries everything quietly leans on. Upgrade to russh 0.61.0 or later.

npm v12 makes install scripts opt-in by default — GitHub closes the install-time execution path behind a year of npm supply-chain worms

GitHub announced that npm v12 turns lifecycle/install scripts off by default — the single change that closes the install-time code-execution path that Nx, the Red Hat campaign, and the self-propagating worms tracked on this watch all relied on. This is the defensive bright spot the page has been waiting for: npm's default-allow `postinstall` footgun finally flips to default-deny, the same direction the PDM and pip fixes above are pushing. It is a breaking change, so inventory which of your own dependencies genuinely need an install script and add an explicit allow-list before upgrading, rather than discovering the dependency at deploy time.
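The inventory step this item and tonight's operational priority both call for, as an added example that is neither npm's nor GitHub's code: it walks a `node_modules` tree and lists every package whose manifest declares a hook npm runs during install, which is the raw material for an explicit allow-list. Function names and the constructed sample tree are this example's assumptions.

```python
"""Inventory installed npm packages that declare install-time scripts.

Added example, not npm's or GitHub's code: walks a node_modules tree and
reports each package whose package.json declares a hook npm runs during
install. Function names and the sample tree are this example's own.
"""
import json
import os
import tempfile

# Lifecycle hooks npm runs as a side effect of installing a dependency.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def find_install_scripts(node_modules: str) -> dict:
    """Return {package name: {hook: command}}; handles @scope and nested trees."""
    found = {}
    for dirpath, _dirnames, filenames in os.walk(node_modules):
        if "package.json" not in filenames:
            continue
        # Only dirs directly under node_modules (or a @scope dir in it) are packages.
        parent = os.path.basename(os.path.dirname(dirpath))
        if parent != "node_modules" and not parent.startswith("@"):
            continue
        try:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
                manifest = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest
        scripts = manifest.get("scripts") or {}
        hooks = {h: scripts[h] for h in INSTALL_HOOKS if h in scripts}
        if hooks:
            found[manifest.get("name") or os.path.relpath(dirpath, node_modules)] = hooks
    return found


def build_sample_tree(root: str) -> str:
    """Write a constructed node_modules tree under root; returns its path."""
    def write(pkg_dir: str, manifest: dict) -> None:
        os.makedirs(pkg_dir, exist_ok=True)
        with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)

    nm = os.path.join(root, "node_modules")
    write(os.path.join(nm, "native-addon"),
          {"name": "native-addon", "scripts": {"install": "node-gyp rebuild"}})
    write(os.path.join(nm, "@acme", "telemetry"),
          {"name": "@acme/telemetry", "scripts": {"postinstall": "node setup.js"}})
    write(os.path.join(nm, "plain-lib"),
          {"name": "plain-lib", "scripts": {"test": "node test.js"}})
    write(os.path.join(nm, "plain-lib", "node_modules", "deep-dep"),
          {"name": "deep-dep", "scripts": {"preinstall": "sh ./fetch.sh"}})
    return nm


def demo() -> dict:
    with tempfile.TemporaryDirectory() as root:
        return find_install_scripts(build_sample_tree(root))


if __name__ == "__main__":
    print(demo())
```

Point `find_install_scripts()` at a real project's `node_modules` to get the candidate allow-list; on current npm the same default-deny posture is available today with `ignore-scripts=true` in `.npmrc`.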

'The Gentlemen' ransomware claims 478 victims and adds worm-like self-spreading

New analysis of The Gentlemen operation — a financially motivated crew that began as a double-extortion affiliate — shows it now claims 478 victims and has bolted on worm-like lateral self-propagation. Not an open-source-registry story, but the worm capability is the same self-replication property that makes the Miasma framework above dangerous in the supply chain, and it is the second worm-spreading payload on today's page. Context for the threat landscape rather than a patch action.

12:00 ET · Forenoon Watch

Meta Ads MCP server forwards unauthenticated HTTP requests to tool handlers and leaks the operator Meta access token (CVE-2026-48039, CVSS 9.1)

The pip-installed meta-ads-mcp server's AuthInjectionMiddleware.dispatch() forwards unauthenticated Streamable-HTTP requests straight to MCP tool handlers without a 401, and the handlers fall back to the META_ACCESS_TOKEN env var — then serialise the raw httpx request URL (token in the query string) into the JSON-RPC error body, handing the operator's token to any network-reachable caller. This is the recurring MCP-server failure mode: a tool surface that was meant to sit behind auth ships with the auth bypassed and the ambient credential one error-path away from exfiltration. Affected through ≤ 1.0.108 with no tagged patch yet — do not expose this server on any reachable interface, bind it to loopback, and rotate the Meta access token if it has ever listened on a routable address.

CISA KEV adds BerriAI LiteLLM command injection — any authenticated user, including low-priv internal-user keys, runs arbitrary host commands (CVE-2026-42271)

CISA catalogued a command-injection (CWE-78) in LiteLLM, the open-source LLM proxy/gateway a lot of teams now front their model traffic with: any authenticated caller — including a low-privilege internal-user key — can execute arbitrary commands on the host. As a gateway it sits in the credential-rich middle of the AI stack, so a low-priv key turning into host RCE is a pivot straight into provider secrets and downstream services. Upgrade to v1.83.7-stable or later; KEV due date was 2026-06-08, so this is past-due for federal and should be treated as drop-everything anywhere LiteLLM is exposed to more than one trust tier.

CISA KEV: Nx Console shipped embedded malicious code — compromised extension fetched an obfuscated credential-harvesting payload (CVE-2026-48027, ransomware-linked)

Still on the board: a malicious version of the Nx Console editor extension fetched an obfuscated payload that harvested credentials from disk and memory, now KEV-listed with known ransomware association. Same campaign shape as the TanStack npm publish below — a trusted developer-tooling identity used to push credential-stealers into engineers' own machines, which is the highest-leverage point in the chain. If anyone installed Nx Console in the compromise window, treat their tokens/SSH keys/cloud creds as burned and rotate; KEV due date 2026-06-10 has passed.

CISA KEV: malicious TanStack versions published to npm under the project's trusted identity to ship credential-stealing malware (CVE-2026-45321, ransomware-linked)

Malicious TanStack releases were pushed to npm under the project's own trusted publisher identity, carrying credential-stealing malware — KEV-listed with known ransomware use. The TanStack family (Router/Query/Table) is a transitive dependency of a huge slice of React apps, so a poisoned version propagates through lockfiles far past anyone who deliberately installed it. Pin to known-good versions, diff your lockfile against the disclosed bad releases, and rotate any credentials present on machines that ran an install during the window.

CISA KEV: Check Point Security Gateway IKEv1 auth bypass lets unauthenticated attackers establish a remote-access VPN without a password (CVE-2026-50751, ransomware-known)

CISA catalogued an improper-authentication flaw in Check Point's deprecated IKEv1 key exchange that lets an unauthenticated remote attacker bring up a remote-access VPN session with no valid user password — already tied to known ransomware operators. A perimeter VPN that authenticates attackers is initial access by design, and the deprecated-protocol path means many gateways still have it enabled without realising. Apply Check Point's hotfix per sk185033 and disable IKEv1 if you don't need it; KEV due date 2026-06-11 is today.

OpenZeppelin Contracts Wizard injects code into generated Hardhat/Foundry tests via unsanitised opts.name / opts.uri (CVE-2026-48054, CVSS 8.8)

The @openzeppelin/wizard code generator interpolates opts.name and opts.uri into the Hardhat and Foundry test files it emits without sanitisation, so a crafted contract name/URI becomes executable code the moment a developer runs the generated test suite. This is a codegen-as-supply-chain bug: the malicious input rides in as innocuous-looking project metadata and detonates inside the trusted build/test step. Upgrade past 0.10.8 and, if you generate scaffolding from any externally-supplied name or URI, audit emitted test files before running them.

Traefik StripPrefix route-level auth bypass via path normalization (CVE-2026-48020)

Traefik's StripPrefix middleware normalises the path in a way that lets a crafted request slip past route-level authentication that was scoped by path prefix — an attacker reaches a protected backend route the auth middleware thought it was guarding. Path-normalisation-vs-auth ordering bugs are a perennial reverse-proxy footgun and Traefik fronts a lot of internal services, so the blast radius is whatever you assumed the prefix-scoped auth was protecting. Upgrade to 2.11.48 (v2 line) or later and review any route whose authz depends on StripPrefix.

PDM executes project-controlled .pdm-plugins content before CLI argument parsing (CVE-2026-47781)

PDM loads and runs code from a project-local .pdm-plugins directory before it even parses the CLI arguments, so simply running any pdm command inside a checked-out repo executes whatever that repo shipped — no install, no flag, no opt-in. This is the same shape as the npm install-script problem the ecosystem is busy closing this week: a package manager running untrusted project content as a side effect of normal use. Upgrade past 2.26.9 and treat cloning-then-running-pdm in an untrusted repo as code execution until you have.

@grpc/grpc-js: malformed request and malformed compressed message each crash client or server (CVE-2026-48068, CVE-2026-48069, CVSS 7.5)

Two parser-level DoS bugs in @grpc/grpc-js: a malformed request crashes the server, and an incoming malformed compressed message crashes either side of the connection. No RCE, but grpc-js is the default Node gRPC transport under a large amount of service-to-service traffic, so a single crafted frame becomes a remote kill switch for any exposed endpoint. Bump to 1.9.16 or later across both client and server fleets — it's a fast patch and the kind of dependency that's everywhere once you grep for it.

CISA KEV: Chromium V8 out-of-bounds read/write enables in-sandbox RCE via a crafted page — affects Chrome, Edge, Opera and other Chromium browsers (CVE-2026-11645)

CISA catalogued an exploited V8 out-of-bounds read/write that lets a crafted HTML page run arbitrary code inside the renderer sandbox, hitting every Chromium-based browser (Chrome, Edge, Opera, and the rest). Not a package-registry story, but it's the endpoint that engineers use to reach npm, GitHub, and your cloud consoles, so an exploited browser bug is a credible front door to developer credentials. Push the Chrome/Edge stable update through fleet management now; KEV due date is 2026-06-23.

Litestar reflects its CSRF token unsanitised, allowing HTML injection (CVE-2026-48060, CVSS 8.1)

Litestar emits its CSRF token into responses without escaping, so an attacker-influenced token value yields HTML/script injection in the rendered page. The high CVSS reflects the XSS-class impact, but exploitation needs a path to control the token, so it's worth patching deliberately rather than in a panic. Upgrade to 2.22.0 or later.

Netty RedisArrayAggregator leaks pooled ByteBufs through missing lifecycle cleanup (CVE-2026-48006)

Netty's RedisArrayAggregator fails to release pooled ByteBufs on certain paths, so a service decoding Redis protocol traffic through netty-codec-redis slowly leaks direct memory until it falls over — a gradual DoS rather than a crash. Relevant if you terminate or proxy RESP with Netty; upgrade past 4.2.14.Final on the codec-redis artifact. Of a piece with the grpc-js crashes above: parser/codec robustness bugs in the libraries everything quietly depends on.

OceanLotus (APT32) hits Vietnamese targets with SPECTRALVIPER backdoor, including a supply-chain delivery leg in the FireAnt campaign

The Vietnam-aligned actor OceanLotus is tied to two campaigns dropping the SPECTRALVIPER backdoor, one of which used a supply-chain attack as the delivery vector against domestic targets. Not an open-source-registry incident, but it's another state-aligned crew reaching for supply-chain delivery as the way in — the pattern this watch keeps flagging. Useful as threat-landscape context rather than an action item.

THN ThreatsDay roundup: a supply-chain attack kit published to a public repo, a browser-cloning RAT, and research showing AI agents can be phished into leaking real credentials

This week's THN bulletin bundles several threads this watch is tracking: a ready-made supply-chain attack kit sitting in a public repo, a subscription RAT that clones browser profiles, and research demonstrating AI agents tricked into leaking live credentials. The throughline is commoditisation — attack tooling that used to take skill now ships as polished, rentable kits. Skim it for the links; nothing here is an immediate patch, but the AI-agent credential-leak research rhymes directly with the Meta Ads MCP token leak at the top of today's page.

06:00 ET · Morning Watch

Gogs argument-injection RCE: malicious branch name injects --exec into git rebase during PR merge (CVE-2026-52806, CVSSv4 9.4)

Rapid7 disclosed an argument-injection RCE (CWE-88) in Gogs, the self-hosted open-source Git service: a pull request whose source branch name smuggles a --exec flag into the `git rebase` invoked by the "Rebase before merging" path runs arbitrary commands on the server (CVE-2026-52806, CVSSv4 9.4). Because Gogs ships open registration and no repo-creation limit by default, the "authenticated" requirement is effectively self-service — an attacker registers, creates one repo, and owns the host that fronts your source of truth, which is a supply-chain-root compromise rather than a single-app bug. Upgrade to Gogs 0.14.3 (released 2026-06-07); if you can't patch immediately set DISABLE_REGISTRATION=true to cut off untrusted account creation, and audit recent branch names / merge activity for `--exec` or other dashed payloads.