vanemmerik.ai / SUPPLY-CHAIN
Supply Chain · Watch · Monday 15 June 2026 · End-of-day synthesis · 4 watches · 10 items

From the watchtower — what crossed the wire today.

A four-times-a-day standing watch on the open-source supply chain. Each pass pulls newly disclosed CVEs, freshly catalogued KEV adds, and active attacks reported in the wild — then ranks them by severity for the day.

The story of the day — A live CDN supply-chain attack on three widely-deployed WordPress plugins headlines a day of dev-tooling RCE and fresh CISA KEV adds.

The day's main thread is a real, in-progress supply-chain compromise. BleepingComputer confirmed that the trusted JavaScript Icegram serves for OptinMonster, PushEngage, and TrustPulse was tampered with at the CDN, so every WordPress site embedding those scripts served attacker code without a single file changing on its own server.

The payload is deliberately quiet — it only fires for a logged-in administrator, minting a rogue admin and dropping a hidden plugin for persistence, so ordinary visitor telemetry stays clean. Around it, the developer toolchain took hits of its own: Vitest Browser Mode (CVE-2026-53633, CVSS 9.8) leaks raw Chrome DevTools Protocol past its own allowWrite/allowExec guards to overwrite vite.config and reach RCE in the test runner, and aws-cdk-lib's NodejsFunction bundler (CVE-2026-11417) turns attacker-controlled bundling options into command execution on the CDK host. CISA added two more to the KEV catalog — a LiteSpeed cPanel symlink-following bug for shared-hosting tenant escape and a Cisco Catalyst SD-WAN Manager path-traversal write that puts an entire WAN control plane in reach. The bright spot is that nearly every other item is a clean coordinated disclosure with a fix already shipped — protobufjs-cli, PyJWT, and Electron all land as version-bump-and-move-on.

→ Operational priority for the night: if you run OptinMonster, PushEngage, or TrustPulse, pull the plugins and hunt for unknown admin accounts before you sleep — then bump aws-cdk-lib to 2.246.0 and @vitest/browser to a fixed build before tomorrow's CI runs.

18:00 ET · First Watch

CISA adds LiteSpeed cPanel plugin symlink-following flaw to KEV — local file overwrite on shared CloudLinux/CageFS hosts

CISA catalogued CVE-2026-54420 today: a UNIX symlink-following bug in the LiteSpeed cPanel plugin lets a user who already has FTP or web-shell access on a shared CloudLinux/CageFS host follow symlinks across the CageFS boundary to read or overwrite files outside their jail. On dense shared-hosting fleets this is a tenant-to-host escalation primitive — one compromised low-privilege account becomes a lever against neighbouring sites and the management plane. Federal due date is June 18; if you run LiteSpeed under cPanel, apply the vendor fix now and treat any host with unexplained FTP/web-shell activity as already suspect.

CISA adds Cisco Catalyst SD-WAN Manager path-traversal flaw to KEV — authenticated arbitrary file write on the WAN control plane

Also catalogued today: CVE-2026-20262, a directory/path-traversal bug in Cisco Catalyst SD-WAN Manager (vManage) that lets an authenticated remote attacker create or overwrite any file on the appliance filesystem. Arbitrary file write on the box that orchestrates an entire SD-WAN fabric is a straight path to code execution and to pushing tampered config across every managed edge — the blast radius is the whole WAN, not one node. Federal due date is June 29; restrict vManage admin access to trusted networks, rotate any credentials that could reach it, and patch to the fixed train.

Vitest Browser Mode exposes raw CDP over its WebSocket RPC — bypasses allowWrite/allowExec to overwrite vite.config and hit RCE (CVE-2026-53633)

Vitest Browser Mode exposes a `cdp()` API that forwards raw Chrome DevTools Protocol calls over the Vitest browser WebSocket RPC, and CDP is not gated by `browser.api.allowWrite` / `allowExec` — so the very switches you'd flip to lock the test browser down don't cover this path. Researchers verified that with both flags false, `Page.setDownloadBehavior` plus `Runtime.evaluate` wrote a controlled `vite.config.ts` into the project root, Vitest reloaded it, and attacker code executed in the runner (CWE-749/CWE-862, CVSS 9.8). That's RCE on any CI job or dev machine whose Vitest browser WebSocket is reachable by untrusted input — upgrade `@vitest/browser` to a fixed 3.x/4.x/5.x build (and `vite-plus` past 0.1.23), and never expose the browser-mode port beyond localhost.

aws-cdk-lib NodejsFunction local bundling: attacker-controlled bundling props inject OS commands on the CDK host (CVE-2026-11417)

OS command injection in the `NodejsFunction` local-bundling pipeline of `aws-cdk-lib` before 2.245.0 (2.246.0 on Windows): whoever controls `externalModules`, `define`, `loader`, `inject`, or `esbuildArgs` can run arbitrary commands on the machine driving `cdk synth`. The dangerous shape is a CDK construct that derives any of those values from external input — a config file, a monorepo package field, a generated manifest — turning an infra-as-code build into code execution on your CI runner or laptop. Bump `aws-cdk-lib` to 2.246.0+ and audit any NodejsFunction whose bundling options aren't statically literal.
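The audit the paragraph asks for can be automated at construct time. The guard below is an added example, not aws-cdk-lib code and not a description of how CVE-2026-11417 is triggered: it takes the same five `bundling` properties the advisory names, refuses anything that is not a shell-inert literal (package names, dotted identifiers with JSON values, extension-to-loader pairs, plain paths, `--flag` keys with metacharacter-free values), and is meant to wrap the options object before it reaches `new NodejsFunction(...)`. The allowlist patterns, the `checkBundling`/`assertSafeBundling` names and the two sample option objects are all my own choices.

```javascript
'use strict';

// Hypothetical pre-flight guard (not aws-cdk-lib code): reject NodejsFunction bundling
// options that are not plain, shell-inert literals before `cdk synth` runs esbuild.
// Deliberately conservative allowlists; loosen them only for values you have reviewed.
const NPM_NAME = /^(@[a-z0-9][a-z0-9._-]*\/)?[a-z0-9][a-z0-9._-]*(\/[a-z0-9._-]+)*$/;
const DEFINE_KEY = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;
const EXTENSION = /^\.[a-z0-9]+$/;
const ESBUILD_LOADERS = new Set(['js', 'jsx', 'ts', 'tsx', 'json', 'text', 'base64',
  'dataurl', 'file', 'binary', 'css', 'copy', 'empty']);
const PLAIN_PATH = /^[\w./@-]+$/;
const ESBUILD_FLAG = /^--[a-z][a-z0-9-]*$/;
const FLAG_VALUE = /^[\w.,:/=@-]*$/;

// esbuild `define` values are expressions; we only accept JSON literals (strings,
// numbers, booleans, null), which is what JSON.stringify(...) in a CDK stack produces.
function isJsonLiteral(value) {
  if (typeof value !== 'string') return false;
  try { JSON.parse(value); return true; } catch { return false; }
}

// Returns a list of rejected entries; empty means every option is a plain literal.
function checkBundling(bundling = {}) {
  const problems = [];
  const bad = (prop, value) => problems.push(`${prop}: rejected ${JSON.stringify(value)}`);

  for (const m of bundling.externalModules ?? []) {
    if (typeof m !== 'string' || !NPM_NAME.test(m)) bad('externalModules', m);
  }
  for (const [k, v] of Object.entries(bundling.define ?? {})) {
    if (!DEFINE_KEY.test(k) || !isJsonLiteral(v)) bad('define', `${k}=${v}`);
  }
  for (const [ext, loader] of Object.entries(bundling.loader ?? {})) {
    if (!EXTENSION.test(ext) || !ESBUILD_LOADERS.has(loader)) bad('loader', `${ext}=${loader}`);
  }
  for (const p of bundling.inject ?? []) {
    if (typeof p !== 'string' || !PLAIN_PATH.test(p)) bad('inject', p);
  }
  for (const [flag, v] of Object.entries(bundling.esbuildArgs ?? {})) {
    const ok = ESBUILD_FLAG.test(flag) &&
      (typeof v === 'boolean' || (typeof v === 'string' && FLAG_VALUE.test(v)));
    if (!ok) bad('esbuildArgs', `${flag}=${v}`);
  }
  return problems;
}

// Wrap the options object: throws with every offending entry, otherwise hands it back
// unchanged so it can be passed straight into the construct.
function assertSafeBundling(bundling) {
  const problems = checkBundling(bundling);
  if (problems.length) {
    throw new Error(`unsafe NodejsFunction bundling options:\n  ${problems.join('\n  ')}`);
  }
  return bundling;
}

// Constructed inputs: options written as literals in the stack, and options copied from
// an untrusted manifest carrying shell metacharacters (stand-ins, not a known payload).
const LITERAL = {
  externalModules: ['@aws-sdk/client-s3'],
  define: { 'process.env.STAGE': JSON.stringify('prod') },
  loader: { '.node': 'file' },
  esbuildArgs: { '--log-limit': '0' },
};
const FROM_MANIFEST = {
  externalModules: ['lodash; id'],
  esbuildArgs: { '--log-limit': '0 && id' },
};

module.exports = { checkBundling, assertSafeBundling, LITERAL, FROM_MANIFEST };
```

In a stack this reads `new NodejsFunction(this, 'Fn', { entry, bundling: assertSafeBundling(bundling) })`; the point is that anything not typed into the stack as a literal fails loudly at synth rather than reaching the bundler's command line.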

protobufjs-cli pbjs static codegen still emits unsafe JS from crafted JSON descriptor names — incomplete fix for CVE-2026-44295 (CVE-2026-54271)

The earlier patch for unsafe name handling in `pbjs` static/static-module code generation was incomplete: `protobufjs-cli` (<=1.3.1, and 2.0.0–2.4.2) can still emit unsafe JavaScript references when generating static output from crafted pre-parsed JSON descriptors, bypassing the fix for CVE-2026-44295. If your build feeds attacker-influenced JSON descriptors into `pbjs` static codegen, the generated module is a code-injection vector baked into your shipped artifact; parsing plain `.proto` files is not affected. Upgrade past 2.4.2, and prefer `.proto` source over untrusted JSON descriptors in any codegen step.
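Where a build cannot avoid JSON descriptors, a pre-check on the descriptor itself is the compensating control. The validator below is an added example, not protobufjs-cli code and not a reproduction of the bypass: it walks a descriptor in the protobuf.js JSON shape (`nested`, `fields`, `values`, `oneofs`, `methods`, plus `type`/`requestType`/`responseType` references) and refuses any declared name that is not a plain identifier and any type reference that is not a dotted identifier path, so nothing reaches the generator that could only be emitted by quoting or escaping. The two descriptors are constructed for the demonstration; `validateDescriptor` and the regexes are my own.

```javascript
'use strict';

// Added example, not protobufjs-cli code: gate a pre-parsed protobuf.js JSON descriptor
// before `pbjs -t static-module` sees it. Declared names must be identifiers and type
// references dotted identifier paths; anything else is reported instead of generated.
const IDENT = /^[A-Za-z_][A-Za-z0-9_]*$/;
const TYPE_REF = /^\.?[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)*$/;
// Descriptor properties whose own keys are declared names (packages/messages, fields,
// enum values, oneofs, rpc methods).
const NAME_MAPS = ['nested', 'fields', 'values', 'oneofs', 'methods'];
// Descriptor properties whose string values name another type.
const TYPE_PROPS = ['type', 'requestType', 'responseType'];

// Returns a list of human-readable problems; empty means the descriptor is clean.
function validateDescriptor(node, path = [], problems = []) {
  if (node === null || typeof node !== 'object' || Array.isArray(node)) return problems;
  for (const map of NAME_MAPS) {
    const entries = node[map];
    if (!entries || typeof entries !== 'object') continue;
    const where = [...path, map].join('.');
    for (const name of Object.keys(entries)) {
      if (!IDENT.test(name)) problems.push(`${where}: name ${JSON.stringify(name)} is not an identifier`);
      validateDescriptor(entries[name], [...path, map, name], problems);
    }
  }
  for (const prop of TYPE_PROPS) {
    if (prop in node && (typeof node[prop] !== 'string' || !TYPE_REF.test(node[prop]))) {
      problems.push(`${path.join('.')}.${prop}: bad type reference ${JSON.stringify(node[prop])}`);
    }
  }
  if (Array.isArray(node.oneof)) {
    for (const member of node.oneof) {
      if (typeof member !== 'string' || !IDENT.test(member)) {
        problems.push(`${path.join('.')}.oneof: bad member ${JSON.stringify(member)}`);
      }
    }
  }
  return problems;
}

// Constructed descriptors in protobuf.js JSON form.
const CLEAN = {
  nested: { shop: { nested: {
    Order: {
      fields: { id: { type: 'uint64', id: 1 }, status: { type: 'Status', id: 2 } },
      oneofs: { ref: { oneof: ['id'] } },
    },
    Status: { values: { NEW: 0, PAID: 1 } },
    Orders: { methods: { Get: { requestType: 'Order', responseType: 'Order' } } },
  } } },
};
// Constructed: a field name and a type reference that are not identifiers. Not a claim
// about the exact strings the advisory covers, only the class of input to refuse.
const CRAFTED = {
  nested: { shop: { nested: {
    Order: { fields: { 'order-id': { type: 'Status)', id: 1 } } },
  } } },
};

module.exports = { validateDescriptor, CLEAN, CRAFTED };
```

Run it as a build step that fails the job when the returned list is non-empty; it is intentionally stricter than what protobuf.js itself accepts, so a legitimate descriptor that trips it is a candidate for regenerating from `.proto` source.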

Electron Buffer byte-length miscalculation causes heap under/overflow — crashes, and possible mis-sized allocations (CVE-2026-54257)

Electron 42.3.1–42.3.2 miscalculates byte lengths in the Node.js `Buffer` API, producing heap under/overflow (CWE-120). GitHub flags it critical, though the maintainers describe the practical impact as most apps crashing, with some performing incorrect truncation or allocation. There's no workaround; the advisory says simply not to ship the affected releases, so for any Electron app the fix is a version bump, not a config change. Upgrade to 42.3.3.

PyJWT accepts an asymmetric public-key JWK as an HMAC secret — forge HS256 tokens when a verifier mixes algorithm families (CVE-2026-48526)

The classic RS256/HS256 confusion resurfaces in PyJWT before 2.13.0: when a verifier is configured with both asymmetric and HMAC algorithms and passed a raw-JSON JWK as the key, the library doesn't reject using the issuer's public key as the HMAC secret — so an attacker who knows that public key can mint forged HS256 tokens that validate. Exploitation needs the verifier in a non-standard, mixed-family config (hence high attack complexity), but the payoff is total auth bypass on whatever the JWT gates. Upgrade to PyJWT 2.13.0+ and pin verifiers to a single explicit algorithm rather than a mixed `algorithms=[...]` list.

12:00 ET · Forenoon Watch

Trusted JS in PushEngage / OptinMonster / TrustPulse tampered to mint rogue admins and drop a hidden plugin when an admin loads the page

BleepingComputer now confirms this as an active CDN supply-chain attack: the trusted JavaScript that OptinMonster, PushEngage, and TrustPulse (all Icegram-family plugins) pull from their vendor CDN was tampered with at the source, so any WordPress site embedding those scripts served attacker code without changing a byte on its own server. The payload only fires for a logged-in administrator — it silently mints a rogue admin account and drops a hidden plugin for persistence — which is why visitor-side telemetry stays clean and the compromise can sit unnoticed. This is a live, in-the-wild, registry-adjacent compromise hitting real sites today: audit any site running these plugins for unknown administrator accounts and unexpected installed plugins, diff the served script against the vendor's known-good hash, and pull the plugins until a verified-clean release ships.

Angular SSR hydration DOM-clobbering poisons the HTTP transfer cache: forged ng-state lets HttpClient serve spoofed API responses (CVE-2026-54267)

A DOM-clobbering flaw in Angular's SSR client hydration (`@angular/core`) lets attacker-controlled markup carrying `id="ng-state"` win the `document.getElementById('ng-state')` lookup, so a forged `TransferState` payload poisons the HTTP transfer cache and `HttpClient` returns spoofed API responses before ever reaching the backend (CWE-79/CWE-471). The blast radius tracks how the app renders those responses — DOM-based XSS through unsafe bindings, privilege escalation by spoofing session/user payloads, or UI hijack via spoofed config endpoints — and it reaches any hydrated app that binds untrusted input or CMS content to an element `id`. Upgrade `@angular/core` to 22.0.1 / 21.2.17 / 20.3.25; 19.x has no fixed build listed, so sanitize or static-prefix any dynamic `[id]` bindings until you can move off it.

Varonis 'SearchLeak': one click on a real microsoft.com link exfiltrated mail, files, and MFA codes from M365 Copilot Enterprise Search

Varonis Threat Labs chained three bugs into 'SearchLeak,' a one-click path that pulls emails, calendar data, indexed files, and MFA codes out of Microsoft 365 Copilot Enterprise Search through a link on a genuine microsoft.com domain — which sidesteps URL-filtering and anti-phishing defenses. Not an OSS supply-chain incident and already fixed server-side by Microsoft, but it rhymes with this watch's running theme: an AI assistant wired into the whole document and identity graph becomes a single high-value exfiltration surface. No reader action beyond awareness — the fix shipped in Microsoft's cloud.