vanemmerik.ai / SUPPLY-CHAIN
Supply Chain · Watch · Sunday 21 June 2026 · End-of-day synthesis · 4 watches · 1 item

From the watchtower — what crossed the wire today.

A four-times-a-day standing watch on the open-source supply chain. Each pass pulls newly disclosed CVEs, freshly catalogued KEV adds, and active attacks reported in the wild — then ranks them by severity for the day.

The story of the day — A quiet Sunday on the registries — no new criticals and no fresh KEV adds, leaving the day's only live thread an actively-exploited WordPress plugin leaking the API keys and OAuth tokens that downstream attacks usually have to phish for.

After a week dominated by agent-framework and MCP-server compromises — the BlueNoroff-linked Mastra npm campaign, the Langflow and Network-AI criticals, an MCP-server SSRF/XSS cluster — the weekend registries went quiet. The GHSA, CISA KEV and registry-attack feeds turned up nothing new in the last six hours: no active npm or PyPI campaigns surfaced, and there has been no fresh KEV add since Splunk on the 18th.

The day's one open thread is CVE-2026-4020 in the Gravity SMTP WordPress plugin (~100k installs), now under active exploitation: an unauthenticated read leaks API keys, mail-provider secrets and OAuth tokens. It is not a registry compromise, but it sits on the supply chain's credential seam — the harvested secrets that the npm and PyPI campaigns we track usually have to phish for are here handed over for free, ready to be used to send phishing, pivot into connected SaaS, or seed downstream attacks.

→ Operational priority for the night: if you run Gravity SMTP, patch to the fixed release now and rotate every API key, mail credential and OAuth token the plugin could reach — a patch closes the read but does not un-leak what was already pulled.

06:00 ET · Morning Watch

Gravity SMTP WordPress plugin (~100k sites) under active exploitation — unauthenticated read leaks API keys, secrets and OAuth tokens

Attackers are exploiting CVE-2026-4020 (CVSS 5.3), an information-disclosure bug in the Gravity SMTP WordPress plugin (~100,000 installs) that lets an unauthenticated request pull back configuration data including API keys, secrets and OAuth tokens. Not a package-registry compromise, but it sits on the supply chain's credential seam: the leaked tokens are exactly the SMTP, mail-provider and OAuth credentials that get reused to send phishing, pivot into connected SaaS, or seed downstream attacks — the harvested-secret precondition that the npm/PyPI campaigns we track usually have to phish for. If you run Gravity SMTP, update to the patched release now and rotate every API key, mail credential and OAuth token the plugin had access to; a patch closes the read but does not un-leak what was already pulled.
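For readers maintaining their own plugins, here is an added illustration of the bug class this entry describes, an unauthenticated read of a settings endpoint that returns stored credentials, beside its hardened form. This is not Gravity SMTP code and does not claim to be the mechanism of CVE-2026-4020, which the watch does not describe; the plugin name `acme-mailer`, the option name `acme_mailer_settings` and the `acme_mailer_*` functions are hypothetical. `register_rest_route`, `permission_callback`, `__return_true`, `current_user_can` and `rest_ensure_response` are real WordPress APIs.

```php
<?php
/*
 * Added example (not Gravity SMTP code): a hypothetical plugin "acme-mailer"
 * exposing its settings over the WordPress REST API. The first route shows the
 * bug class described above; the second shows the hardened pattern.
 */

add_action( 'rest_api_init', function () {

    // VULNERABLE PATTERN: public route that returns the raw option blob,
    // API keys and OAuth tokens included, to any unauthenticated request.
    register_rest_route( 'acme-mailer/v1', '/settings-insecure', array(
        'methods'             => 'GET',
        'permission_callback' => '__return_true',   // no login required
        'callback'            => function () {
            return rest_ensure_response( get_option( 'acme_mailer_settings', array() ) );
        },
    ) );

    // HARDENED PATTERN: capability check on the route, and credentials are
    // never transported back to the client at all, only a masked hint.
    register_rest_route( 'acme-mailer/v1', '/settings', array(
        'methods'             => 'GET',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'callback'            => 'acme_mailer_settings_redacted',
    ) );
} );

// Keys in the stored settings that hold credentials and must never be echoed back.
// Hypothetical key names; adjust to whatever the real option stores.
const ACME_MAILER_SECRET_KEYS = array(
    'api_key', 'client_secret', 'access_token', 'refresh_token', 'smtp_password',
);

/**
 * Returns the settings with every credential replaced by a masked hint, so an
 * administrator can see that a value is configured (and its last four
 * characters) without the endpoint ever carrying the secret itself.
 */
function acme_mailer_settings_redacted() {
    $settings = get_option( 'acme_mailer_settings', array() );
    return rest_ensure_response( acme_mailer_redact( $settings ) );
}

function acme_mailer_redact( array $settings ) {
    foreach ( ACME_MAILER_SECRET_KEYS as $key ) {
        if ( empty( $settings[ $key ] ) ) {
            continue;
        }
        $value = (string) $settings[ $key ];
        // Keep only the last four characters; mask the rest.
        $settings[ $key ] = strlen( $value ) > 4
            ? str_repeat( '*', strlen( $value ) - 4 ) . substr( $value, -4 )
            : '****';
    }
    return $settings;
}
```

Two design points: the permission check lives on the route's `permission_callback`, not inside the handler, so WordPress rejects the request before any plugin code runs (with cookie authentication the client must also send a valid `X-WP-Nonce`, otherwise `current_user_can` evaluates as an anonymous user); and the hardened route redacts rather than returning secrets to a privileged caller, since a settings screen only needs to know that a credential is set. Redaction does nothing for secrets already pulled through a vulnerable route, which is why the rotation step in the entry above still applies after patching.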