v vanemmerik.ai / SUPPLY-CHAIN
Supply Chain · Watch Tuesday · 23 June 2026 End-of-day synthesis 4 watches · 14 items

From the watchtower — what crossed the wire today.

A four-times-a-day standing watch on the open-source supply chain. Each pass pulls newly disclosed CVEs, freshly catalogued KEV adds, and active attacks reported in the wild — then ranks them by severity for the day.

The story of the day — Identity infrastructure took the brunt — pre-auth RCE in OpenDJ, pre-auth XSS and LDAP injection in OpenAM, and LastPass breached through stolen OAuth tokens — while npm typosquats dropped a Windows RAT, CISA logged four exploited appliance flaws, and a late Snipe-IT disclosure batch added a cross-tenant data injection after the bell.

The open-source identity stack was the day's soft underbelly. OpenDJ's JMX/RMI connector deserializes attacker-controlled objects before authentication for a clean pre-auth RCE on the directory server (CVE-2026-46495), and OpenAM shipped a pre-auth reflected XSS in its OAuth2 form_post response plus an LDAP injection — flaws that sit under the auth path for everything that binds against them.

The blast-radius story closed the loop: LastPass confirmed attackers reached its Salesforce data using OAuth tokens stolen in the Klue supply-chain breach, proving again that a token granted to a vendor is a perimeter you don't control. Around the edges, three npm packages typosquatting PostCSS tooling delivered a Windows RAT, the skillctl agent-skill installer shipped five package-handling flaws, and CISA added four exploited appliance bugs to KEV — three in Ubiquiti UniFi OS and a root command-injection in the Lantronix EDS5000. The one bright spot is defensive: GitHub hardened actions/checkout to blunt the pwn-request pattern that has leaked CI secrets for years.

Late escalation at 21:00 ET: Snipe-IT published a coordinated batch of roughly eleven advisories, led by a cross-tenant accessory injection (CVE-2026-54329, CVSS 8.5) and a bulk user-edit privilege escalation (CVE-2026-48507) — a wall-between-tenants failure for anyone running it multi-tenant — and OpenTofu disclosed a provider-cache install that follows root-module-controlled symlinks to write outside the working tree, the same IaC-supply-chain shape the watch keeps seeing.

→ Operational priority for the night patch your identity tier first — OpenDJ to 5.1.1 and OpenAM to 16.1.1, or firewall the JMX/RMI port — then inventory and revoke third-party OAuth grants into Salesforce and other SaaS tenants before assuming Klue didn't touch you; if you self-host Snipe-IT, upgrade past 8.6.1 in the same window.

21:00 ET · Last Watch

Snipe-IT ships a coordinated batch of ~11 advisories — cross-tenant injection and bulk-edit privilege escalation lead

Snipe-IT, the widely self-hosted IT asset manager, published a coordinated batch of roughly eleven advisories late in the evening, led by a cross-tenant accessory injection where a low-privileged user in one company writes records into another (CVE-2026-54329, CVSS 8.5) and a bulk user-edit that lets an operator flip `ldap_import` and `activated_in` to escalate accounts (CVE-2026-48507, 7.1). The cluster is almost entirely tenancy- and authorization-boundary failures — multi-tenancy bypass via bulk asset update, CSV-import account escalation, a 2FA-reset bypass, brute-forceable TOTP, IDOR file deletion — the shape you get when one product is audited end-to-end, and on a shared Snipe-IT instance any one of them collapses the wall between orgs. Upgrade past 8.6.1 to the patched release tonight; if you run it multi-tenant, treat cross-company data as potentially already mixed until you can audit.

OpenTofu provider-cache install follows root-module-controlled symlinks to write outside the working tree

OpenTofu's provider cache installation follows a package-directory symlink that the root module can control, letting a malicious or compromised module redirect provider files to write outside the working tree (GHSA-wcmj-x466-56mm, CVSS 6.1, fixed in 1.11.7 and 1.10.10). This is the IaC-supply-chain shape the watch keeps flagging — the tool that fetches and installs your providers is itself manipulable by the config it's installing, turning a shared or third-party module into a filesystem write primitive on the runner. Upgrade OpenTofu to 1.11.7 (or 1.10.10 on the 1.10 line) and keep `tofu init` off modules you don't control.

18:00 ET · First Watch

CISA adds three exploited Ubiquiti UniFi OS flaws — command injection, path traversal, access-control bypass

CISA added three Ubiquiti UniFi OS vulnerabilities to KEV in a single batch — command injection via improper input validation (CVE-2026-34910), path traversal to read files that yield an underlying account (CVE-2026-34909), and an improper access-control flaw allowing unauthorized system changes (CVE-2026-34908) — all reachable by an actor with network access to the controller. UniFi OS fronts the management plane for switches, gateways, and APs across a vast SMB and home-lab footprint, and chaining the path traversal into the command injection is a clean path from network foothold to controller root. Update UniFi OS to the fixed release and keep controller UIs off untrusted networks; KEV listing means these are being exploited now.

CISA adds exploited Lantronix EDS5000 OS-command-injection (root) to KEV

CISA catalogued CVE-2025-67038: the Lantronix EDS5000 serial-to-Ethernet device server injects OS commands through its login username parameter and executes them as root (CWE-78/94). These device servers bridge legacy serial gear onto IP networks and are routinely parked on management VLANs or exposed to the internet, so an unauthenticated root shell on one is a pivot straight into OT and industrial segments. Patch per Lantronix guidance or pull the device off any reachable interface tonight — a KEV add means it is already being exploited.

New macOS ClickFix campaign social-engineers Terminal commands to silently mount a DMG and launch an infostealer

A new macOS ClickFix campaign tricks users into pasting Terminal commands that silently download, mount, and launch an info-stealer from a malicious disk image. It is not a registry attack, but it rhymes with this watch's recurring theme: the developer's own machine is the soft entry point, and a stealer on a dev box harvests the npm, cloud, and git credentials that become tomorrow's package-poisoning campaign. Remind engineers that 'paste this into Terminal to fix it' is the macOS twin of curl-pipe-bash from a stranger, and hunt for unexpected DMG mounts across dev fleets.

12:00 ET · Forenoon Watch

LastPass confirms Salesforce data breach traced to OAuth tokens stolen in the Klue supply-chain attack

LastPass confirmed attackers reached customer data in its Salesforce environment using OAuth tokens stolen from Klue, a competitive-intelligence SaaS vendor compromised earlier this month. This is the third-party-OAuth-token blast-radius shape: a breach at a vendor you granted a connected app becomes a breach at you, with no exploit against your own stack — the token is the perimeter, and it rides straight through your IdP. Inventory every third-party OAuth grant into your Salesforce and other SaaS tenants, revoke and rotate tokens for any vendor named in the Klue incident, and scope connected-app permissions to least privilege before assuming you're unaffected.

skillctl — malicious .skills.toml drives git-argument injection, arbitrary-directory wipe, and hardlink exfiltration

skillctl, a CLI that installs and syncs agent skills from shared libraries, shipped five flaws fixed in v0.1.3: a committed, PR-mergeable .skills.toml feeds source_sha unvalidated into git ls-tree, letting an attacker inject refspec flags to corrupt the pull/push diff classifier and clobber content; --dest accepts absolute and ../ paths for an arbitrary-directory wipe in agent mode; and FIFO/device entries plus hardlinks in a skill folder enable DoS and file exfiltration on skillctl add. This is the untrusted-package-installer trust failure the watch keeps seeing in the agent-tooling layer — the thing that fetches and applies a third-party skill is itself the attack surface, the same shape as a malicious npm postinstall. Upgrade skillctl to v0.1.3 and treat any .skills.toml arriving via PR as untrusted input rather than config.

GitHub hardens actions/checkout to blunt pwn-request attacks on pull_request_target workflows

GitHub updated actions/checkout (effective June 18) to block the common pwn-request pattern, where a workflow using the pull_request_target trigger checks out and runs untrusted PR-head code while holding the base repository's full privileges and secrets. This is a defensive change to the most-exploited CI misconfiguration in the GitHub Actions ecosystem — the gap that has leaked countless repo and cloud secrets — so the default action now resists the footgun instead of relying on every maintainer to get ref handling right. Update to the latest actions/checkout, but don't treat it as a fix: audit any pull_request_target workflow that explicitly checks out github.event.pull_request.head.sha, and keep privileged steps off untrusted code.

06:00 ET · Morning Watch

Malicious npm packages typosquat PostCSS tooling to drop a Windows RAT

Three malicious npm packages — aes-decode-runner-pro, postcss-minify-selector, and postcss-minify-selector-parser — impersonate PostCSS minification tooling and deliver a Windows remote-access trojan, all published over the past month by a single npm account and pulled ~1,000 times combined before takedown. The names lean on the trust developers place in the PostCSS/cssnano ecosystem; postcss-minify-selector-parser in particular shadows the legitimate postcss-selector-parser that most CSS toolchains already depend on, so a one-character slip or a hallucinated dependency name lands the RAT. Grep lockfiles for the three names, purge them from npm caches, and treat any Windows dev box or CI runner that installed them as compromised — rotate credentials and hunt for the RAT's persistence rather than assuming an npm uninstall is enough.

OpenDJ pre-auth RCE via Java deserialization in the JMX RMI connector

OpenDJ's JMX RMI connector deserializes attacker-controlled Java objects before authentication, handing an unauthenticated remote attacker arbitrary code execution on the directory server (CVE-2026-46495, CWE-502, ≤ 5.1.0, fixed in 5.1.1). The JMX Connection Handler ships off by default but is routinely turned on for monitoring, and a pre-auth deserialization sink on an identity directory is a worst-case foothold — it sits under the auth path for everything that LDAP-binds against it. Upgrade to OpenDJ 5.1.1; if you can't patch immediately, disable the JMX Connection Handler or firewall the RMI port down to monitoring hosts only.

OpenAM — pre-auth reflected XSS in OAuth2 form_post, plus LDAP injection via _queryId

Two pre-auth flaws landed against OpenAM (Open Identity Platform): the OAuth2/OIDC authorization endpoint reflects the unsanitised state parameter into the form_post HTML response, yielding pre-auth reflected XSS in the OpenAM origin (CVE-2026-44203, CVSS 9.3, < 16.1.1), alongside LDAP injection via the _queryId parameter (CVE-2026-41573). XSS in the origin of your SSO server is session-token territory — land one crafted authorization link on an authenticated admin and you ride their session into the identity console. Upgrade to OpenAM 16.1.1.

xwiki-pro-macros RCE via excerpt-include macro (unescaped page title)

The commercial xwiki-pro-macros excerpt-include macro fails to escape the included page's title and renders the excerpt content with the macro's own rights, so XWiki-syntax injection in a page title or body executes as RCE for any user who can edit a page (CVE-2026-44179, CVSS 9.9, >= 1.13 < 1.14.5). On a multi-author wiki that's a low bar — edit access is widely granted — and Pro macros ship into XWiki instances that often hold internal runbooks and credentials. Upgrade to 1.14.5.

Glances 4.x cluster — pickle-deserialization RCE, virsh command injection, CORS wildcard fallback

Glances shipped three flaws fixed in 4.5.5: outdated.py pickle.load()s a world-writable version-cache file with no integrity check, giving local/container RCE as the Glances user (CVE-2026-46607); the KVM/QEMU engine interpolates virsh domain names straight into secure_popen() command templates, so anyone who can name a VM gets command injection — commonly as root on the hypervisor (CVE-2026-46606); and the XML-RPC server's CORS allowlist silently falls back to wildcard whenever more than one origin is configured (CVE-2026-46608, an incomplete fix for CVE-2026-33533). Glances runs as root on a lot of monitoring and hypervisor hosts; upgrade to 4.5.5 and re-check any cors_origins allowlist you thought was restricting access.

AVideo official Docker Compose serves .env (DB creds, admin passwords) at GET /.env

AVideo's official docker-compose.yml mounts the project root as the Apache document root, serving the .env file — database credentials, admin passwords, infrastructure config — as a static file at GET /.env with no dotfile protection (CVE-2026-33692, CWE-538, < 29.0). This is the trusted-artifact-leaks-secrets shape: the vendor's own deployment recipe exposes the crown jewels to any unauthenticated request. If you run AVideo from the official compose file, block /.env at the proxy now, rotate every credential that file held, and upgrade to 29.0.