Supply Chain · Watch Monday · 22 June 2026 End-of-day synthesis 4 watches · 8 items

From the watchtower — what crossed the wire today.

A four-times-a-day standing watch on the open-source supply chain. Each pass pulls newly disclosed CVEs, freshly catalogued KEV adds, and active attacks reported in the wild — then ranks them by severity for the day.

The story of the day — The trusted update channel was the attack: ShapedPlugin shipped a CVSS-10 backdoor through official Pro-plugin releases for a month — and the evening brought a late wave of forge and npm-library disclosures, capped by a fresh SCIM prototype-pollution critical.

The quiet stretch ended this evening. Wordfence disclosed that ShapedPlugin's automated build pipeline was breached around May 21 and spent roughly a month pushing backdoored releases of three paid plugins — Product Slider Pro for WooCommerce, Real Testimonials Pro, and Smart Post Show Pro — through the same licensed update channel customers trust for their security fixes. The payload is a full site-takeover kit — persistent admin access, stolen credentials and 2FA secrets, a bundled file manager, Adminer, a web shell, and a REST API backdoor — and CVE-2026-49777 carries a CVSS of 10.0.

It rhymes directly with this morning's OXLOADER/CastleStealer malvertising campaign: infostealers harvest the developer and vendor credentials, and pipeline compromises like this one are where those credentials get spent. The same day landed three developer-toolchain RCEs that share the shape — mise runs arbitrary commands from an untrusted .tool-versions file the moment you cd into a repo (CVSS 9.6, trust bypass), Spinnaker deserializes unsafe YAML to RCE during CloudFormation and CloudFoundry bakes (8.5), and ComfyUI-Manager exposes its config over unauthenticated web APIs (7.5). The bright spot remains the catch itself: Wordfence flagged ShapedPlugin from activity reported June 11, and the free WordPress.org builds of all three plugins were never touched.

Late escalation after 18:00 ET: GitHub published a second wave of disclosures that keeps the day on the toolchain. A fresh critical hit the npm scim-patch library — a single SCIM PATCH with a __proto__ key pollutes Object.prototype process-wide (CVSS 9.1), turning any IdP-integrated provisioning endpoint into a one-request gadget. Alongside it, a coordinated five-CVE cluster against the Gogs self-hosted forge includes a one-click CSRF that adds an attacker to an org's Owners team (8.8), and a seven-CVE Budibase batch lets anonymous callers mint S3 presigned-PUT URLs with stored datasource IAM credentials. Forge takeover and unauthenticated cloud-credential abuse are both upstream of the artifacts you ship.

→ Operational priority for the night if you run any ShapedPlugin Pro plugin, update to Product Slider Pro 3.5.4+, Smart Post Show Pro 4.0.2+, and the patched Real Testimonials Pro build, then rotate every admin password and 2FA secret and audit for rogue admin accounts and altered SMTP creds before bed. Then sweep the toolchain: upgrade mise past 2026.3.10, Gogs to 0.14.3, and @budibase/server to 3.39.9+, and if any service runs scim-patch ≤ 0.9.0 over external SCIM input, pin it off and reject __proto__/constructor keys until a fixed release ships.

21:00 ET · Last Watch

Critical · GHSA · scim-patch (npm) · CVE-2026-48170 ·added 21:00 ET

scim-patch prototype pollution via unfiltered proto keys in SCIM PATCH (CVSS 9.1)

The npm package scim-patch (≤ 0.9.0) applies a SCIM PATCH operation whose value object contains a key like "__proto__.someProp" without filtering, polluting Object.prototype process-wide after a single request (CVE-2026-48170, CVSS 9.1). Any service that runs scimPatch() over attacker-controlled JSON — i.e. the SCIM provisioning endpoint of an IdP-integrated app — is a one-request gadget for cross-tenant pollution and downstream RCE, and it sits squarely in the identity-provisioning dependency path. No fixed release is listed yet: pin off ≤ 0.9.0, reject inbound keys containing __proto__/constructor/prototype, and audit any SCIM handler that feeds request bodies straight into the patcher.

High · GHSA · gogs (go) · CVE-2026-52800 +4 ·added 21:00 ET

Gogs self-hosted forge — coordinated cluster: CSRF org-owner takeover, stored XSS, missing authz, mirror-import

A coordinated five-CVE disclosure landed against the Gogs self-hosted Git forge (≤ 0.14.2): team management runs over unprotected GET requests, so a single crafted link visited by a logged-in org owner silently adds an attacker to the Owners team (CVE-2026-52800, CSRF → org takeover, 8.8); .ipynb previews re-render client-side through marked() without sanitization, regenerating javascript: links into stored XSS (CVE-2026-52798, 8.9); Mirror Settings bypass the hardened migration path to import local repositories (CVE-2026-52801, 8.1); and GET /attachments/:uuid serves files with no permission check (CVE-2026-52799, 7.5), alongside a webhook SSRF redirect bypass. A forge where one click hands an attacker the Owners team is upstream supply-chain risk — own the org, poison the repos. Upgrade to Gogs 0.14.3.

High · GHSA · @budibase/server (npm) · CVE-2026-54352 +6 ·added 21:00 ET

Budibase low-code platform — cluster: builder symlink file-read (critical) + unauthenticated S3 presigned-PUT minting

Budibase shipped a seven-CVE batch against @budibase/server, two of which are supply-chain-shaped: POST /api/pwa/process-zip extracts a builder-uploaded zip and follows icons.json symlinks to stream arbitrary host files back out (CVE-2026-54352, CVSS 9.6, builder-auth), and two routes — POST /api/attachments/:datasourceId/url and the PWA presign path — are gated only by recaptcha, letting an anonymous caller who knows a workspace ID mint S3 PutObject presigned URLs with the datasource's stored IAM credentials and write arbitrary objects (CVE-2026-50136 / -50137). Unauthenticated abuse of stored cloud credentials on a build-and-deploy platform is exactly the seam that turns an internal-tools box into a write primitive against your S3. Upgrade @budibase/server to 3.39.9+.

18:00 ET · First Watch

Critical · Wordfence / The Hacker News · ShapedPlugin · CVE-2026-49777 ·added 18:00 ET

ShapedPlugin build pipeline compromised — backdoored Pro plugins shipped through official update channel for a month

Wordfence disclosed that ShapedPlugin's automated build-and-distribution pipeline was breached around May 21 and spent roughly a month pushing backdoored releases of three paid plugins — Product Slider Pro for WooCommerce, Real Testimonials Pro, and Smart Post Show Pro — through the same licensed update channel customers trust for security fixes (CVE-2026-49777, CVSS 10.0). The payload is a full site-takeover kit: persistent admin access, harvested credentials and 2FA secrets, a bundled Tiny File Manager and Adminer, a web shell, a REST API backdoor, and a login bypass — the worst-case shape, because the dropper *is* the trusted auto-update. Update to Product Slider Pro 3.5.4+, Smart Post Show Pro 4.0.2+, and the patched Real Testimonials Pro build; then rotate every admin password and 2FA secret, audit for rogue admin accounts, and check mail-plugin SMTP credentials for tampering. Free .org versions were never touched.

Critical · GHSA · mise (rust) · CVE-2026-33646 ·added 18:00 ET

Mise executes arbitrary commands from an untrusted .tool-versions file on cd (trust bypass)

Mise renders `.tool-versions` files through the Tera template engine with `exec()` registered, and — unlike `.mise.toml` — `.tool-versions` is *not* subject to trust verification in non-paranoid mode (CVE-2026-33646, CVSS 9.6). A malicious file checked into any repo runs arbitrary commands the moment a mise-activated developer `cd`s into the directory: no prompt, no clone-time warning. This is the classic repo-supplied-config-as-RCE shape, and it lives on dev laptops and CI runners that auto-activate version managers. Upgrade to mise 2026.3.10 or later tonight; until then, run paranoid mode or grep your repos' `.tool-versions` for template syntax (`{{`, `{%`).

High · GHSA · spinnaker (maven) · CVE-2026-44795 ·added 18:00 ET

Spinnaker unsafe YAML deserialization yields RCE during CloudFormation / CloudFoundry bakes

Spinnaker's rosco/orca cores use a non-safe YAML constructor that bypasses safe deserialization, allowing arbitrary Java class loading and RCE during CloudFormation deployments and CloudFoundry baking (CVE-2026-44795). A CD control plane that can be driven to RCE through pipeline input is a high-value pivot into everything it deploys. Patch to 2025.3.3 / 2025.4.4 / 2026.0.3, or disable the CloudFormation and CloudFoundry paths as a stopgap.

High · GHSA · comfyui-manager (pip) · CVE-2025-67303 ·added 18:00 ET

ComfyUI-Manager exposes its config over unauthenticated web APIs (unprotected alternate channel)

ComfyUI-Manager before 3.38 stored config under `user/default/ComfyUI-Manager/`, reachable through ComfyUI's web APIs with no access control (CWE-420, CVE-2025-67303). Remote attackers can read and tamper with manager settings — the install/update surface for the node ecosystem — turning an exposed ComfyUI box into a foothold for poisoned custom nodes. Anyone running ComfyUI reachable beyond localhost should upgrade to 3.38+ and keep the UI off the open internet.

12:00 ET · Forenoon Watch

Context · The Hacker News · OXLOADER / CastleStealer ·added 12:00 ET

New OXLOADER loader spreads CastleStealer via malicious Google Ads

Elastic Security Labs disclosed OXLOADER, a previously-unreported malware loader pushed through malicious Google Ads that drops the CastleStealer infostealer; the operators look Russian-speaking and financially motivated. Not a registry attack — but infostealer campaigns like this are the upstream of the supply chain we track: harvested developer tokens, npm/PyPI session cookies and cloud credentials are exactly the precondition the package-compromise campaigns need, and malvertising loaders are an increasingly common way to collect them. No registry action; logged as context on the credential-harvest seam, worth watching if CastleStealer telemetry starts surfacing dev-tool or CI credential theft.