v vanemmerik.ai / SUPPLY-CHAIN
Supply Chain · Watch Thursday · 25 June 2026 End-of-day synthesis 4 watches · 23 items

From the watchtower — what crossed the wire today.

A four-times-a-day standing watch on the open-source supply chain. Each pass pulls newly disclosed CVEs, freshly catalogued KEV adds, and active attacks reported in the wild — then ranks them by severity for the day.

The story of the day — A late coordinated disclosure cracks the golang.org/x/crypto/ssh stack open — a CVSS-10 public-key auth bypass and five more critical SSH/agent flaws — onto a day already defined by Shai-Hulud crossing into Go and OpenAM's five-way collapse.

The day was already heavy on Go. Socket's self-replicating Shai-Hulud "Miasma" worm crossed package managers into the Go ecosystem for the first time, while OpenAM shipped five simultaneous auth-bypass and RCE flaws and CISA added two unauthenticated RCEs — PTC Windchill/FlexPLM and a Cisco Unified CM SSRF — to the KEV with a 06-28 due date.

Late escalation at 21:00 ET: minutes after the 18:00 synthesis locked, GitHub published a coordinated disclosure for golang.org/x/crypto/ssh, the SSH implementation sitting under most of the Go ecosystem. Fourteen advisories landed at once, led by CVE-2026-46595 (CVSS 10.0) — a public-key authentication bypass where VerifiedPublicKeyCallback skips permission enforcement — plus knownhosts ignoring @revoked host keys, a FIDO/U2F presence-check bypass, and two ssh/agent constraint-enforcement failures, six criticals in one batch and all fixed in 0.52.0. The same window brought Lemur, Netflix's certificate manager, chaining an ACME SSRF with an IDOR to AWS IAM and PKI compromise (CVE-2026-55166, 9.9, fixed in 1.9.2).

The bright spot still holds: every item tonight ships a fix. A single x/crypto bump to 0.52.0 closes all fourteen SSH advisories, Lemur 1.9.2 closes its four, OpenAM 16.1.1 closes its five, and the Shai-Hulud expansion comes with Socket IOCs to hunt against.

→ Operational priority for the night bump golang.org/x/crypto to >= 0.52.0 and rebuild every Go service now — `go list -m all | grep golang.org/x/crypto` finds the exposure, and a CVSS-10 auth bypass in your SSH layer outranks everything else on the board — then upgrade OpenAM to 16.1.1, Lemur to 1.9.2, and clear the two KEV RCEs before their 06-28 due date.

21:00 ET · Last Watch

golang.org/x/crypto/ssh: coordinated disclosure opens with a CVSS-10 public-key auth bypass plus knownhosts and FIDO bypasses

x/crypto/ssh is the SSH implementation sitting under most of the Go ecosystem, so a coordinated disclosure here is wide by default. The headline is CVE-2026-46595 (CVSS 10.0): VerifiedPublicKeyCallback skips permission enforcement, so a server authenticating through that callback accepts a key it should have rejected — a straight public-key authentication bypass. Two more bypasses ship in the same batch: knownhosts ignores @revoked markers so a revoked host key still verifies (CVE-2026-42508, 9.1), and the FIDO/U2F physical-presence check can be skipped (CVE-2026-39831, 9.1). All fixed in 0.52.0 — bump golang.org/x/crypto to >= 0.52.0 across every Go service and rebuild; `go list -m all | grep golang.org/x/crypto` is tonight's grep because this is a transitive dependency in bastions, CI runners, and countless internal tools.

golang.org/x/crypto/ssh/agent: forwarded-key constraints not enforced or dropped

Same disclosure, agent surface. The ssh/agent package fails to enforce key constraints (CVE-2026-39833, 9.1) and fails to drop them when forwarding keys (CVE-2026-39832, 9.1), so a key loaded with a confirmation, lifetime, or host restriction can be used without that restriction once it is forwarded through an agent. Agent forwarding is exactly where constraint bypass hurts — a compromised hop can reuse your keys beyond their intended scope. Fixed in 0.52.0; the same `x/crypto >= 0.52.0` bump closes it. If you forward agents into shared or jump hosts, treat loaded-key constraints as not having held until every hop is rebuilt.

Lemur (Netflix cert manager): ACME SSRF + creator-equality IDOR escalate to AWS IAM/PKI compromise

Lemur, Netflix's open-source TLS certificate-authority and manager, chains an ACME-flow SSRF with a creator-equality IDOR (CVE-2026-55166, CVSS 9.9) to reach the AWS IAM role Lemur runs under and the PKI material it manages. A compromised certificate manager is a supply-chain primary — whoever controls it can mint trusted certs and pivot into the cloud account that signs them. Fixed in 1.9.2. If you run Lemur, upgrade now, tighten the scope of its IAM role, and review recently issued certificates for anything you did not request.

golang.org/x/crypto/ssh: DoS and robustness cluster (deadlock, infinite loop, panics, cert-restriction bypass)

The rest of the x/crypto/ssh batch is availability and robustness. A client can deadlock the server on unexpected responses (CVE-2026-39830, scored 9.1 but availability-only) and force an infinite loop on large channel writes (CVE-2026-39834, 9.1), alongside pathological-input panics and a server-side parsing memory leak (CVE-2026-39829, -46597, -39827, -39835, -46598). One member, CVE-2026-39828, is a certificate-restriction bypass worth its own look if you rely on SSH cert principals/source-address limits. All fixed in 0.52.0 — the same upgrade. Bundled here as one high so the auth bypasses above stay the headline.

Lemur: role-membership privesc, JWT alg-confusion ATO, and plaintext password storage

Three lower-severity Lemur bugs ship alongside the 9.9: a non-admin role member can rewrite role membership via PUT /api/1/roles/<id> (CVE-2026-55163, 6.3), the JWT verifier honors an attacker-supplied `alg` enabling account takeover (CVE-2026-55165, 4.8), and the user-update path stores plaintext passwords (CVE-2026-55164, 4.9). All fixed in 1.9.2 with the critical, so the same upgrade clears them; after upgrading, rotate Lemur user credentials given the plaintext-storage window.

18:00 ET · First Watch

Mini Shai-Hulud ("Miasma") jumps from npm and GitHub Actions into the Go ecosystem

Socket reports the self-replicating Shai-Hulud lineage has a "Miasma" mini variant that hit LeoPlatform npm packages and GitHub Actions workflows and has now expanded into the Go ecosystem — the first time this worm family has crossed package managers rather than staying inside npm. A self-propagating worm that spreads by stealing maintainer credentials and republishing trojanised packages is the worst supply-chain shape there is, and an ecosystem jump means a Go pipeline can now be seeded by an npm-side compromise it has no visibility into. Freeze unpinned installs in both ecosystems, scan recent GitHub Actions runs for unexpected secret reads and outbound exfil, and rotate any npm/Go publish tokens that touched CI today; treat Socket's IOC list as the hunt seed.

CISA KEV: PTC Windchill / FlexPLM unauthenticated RCE via improper input validation

CISA added CVE-2026-12569 to the KEV today: PTC Windchill and FlexPLM let an unauthenticated remote attacker reach arbitrary code execution with a single crafted request (CWE-20 improper input validation feeding CWE-502 deserialization). Windchill is PLM/PDM that sits on a manufacturer's product and engineering data, so a pre-auth RCE here is a direct path into the design-and-supply-chain crown jewels. KEV due date is 2026-06-28 — apply PTC's fix (vendor advisory CS473270) or pull the product per BOD 26-04 before then.

CISA KEV: Cisco Unified Communications Manager SSRF gives unauth file write → root

Also added to KEV today: CVE-2026-20230, an SSRF in Cisco Unified CM and Unified CM SME (CWE-918) that lets an unauthenticated remote attacker write files to the underlying OS, which can then be used to escalate to root. SSRF that turns into a filesystem write on a telephony control plane is effectively pre-auth host takeover of core voice infrastructure. KEV due 2026-06-28 — apply Cisco's fix (advisory cisco-sa-cucm-ssrf-cXPnHcW) and check the box for unexpected files written under the app paths in the meantime.

OpenAM: unauthenticated authentication bypass via RADIUS Access-Accept spoofing

OpenAM's RADIUS module opens an unconnected UDP socket and trusts the first datagram delivered to its source port as authoritative, without verifying the source IP/port or the Access-Accept's cryptographic signature (CWE-347), so an unauthenticated network attacker can spoof an accept and obtain a session for any RADIUS username with no knowledge of the shared secret (≤ 16.0.6, fixed 16.1.1). This is a clean pre-auth login-as-anyone on an IdP. Upgrade to 16.1.1, or disable the RADIUS auth module if you don't use it.

OpenAM: arbitrary OAuth2 / OIDC token minting via push registration

OpenAM's stateful OAuth2 token-read path reads caller-supplied token identifiers from the shared Core Token Store without namespacing them or binding the row's CTS type to the expected token family (CWE-639), letting an attacker forge OAuth2 bearer tokens and OIDC ID tokens with arbitrary subject, client, realm, and scope (≤ 16.0.6). Mint-any-token against your IdP collapses every downstream service that trusts its tokens. Upgrade to 16.1.1 and, post-patch, treat existing long-lived tokens issued by affected versions as suspect.

OpenAM: anonymous Java deserialization via the SNS push-notification callback

The SNS push-message REST route in OpenAM is mounted with anonymous access and, when a message identifier has expired from the in-memory dispatcher, falls back to a CTS-stored predicate blob whose top-level keys are treated as Java class names and passed to `Class.forName(...)` before attacker-controlled JSON is deserialized via Jackson (CWE-502, ≤ 16.0.6, fixed 16.1.1). That's a second unauthenticated deserialization-to-RCE path in OpenAM alongside today's WebAuthn bug — same upgrade closes both. Patch to 16.1.1; if you can't, block the push/SNS callback route at the proxy.

i18next prototype-pollution chain: dotted missing-keys walk into Object.prototype

Two paired npm advisories: `i18next-http-middleware` ≤ 3.9.6 blocked literal `__proto__`/`constructor`/`prototype` request keys but not dotted variants like `"__proto__.polluted"` (CVE-2026-48714), and `i18next-fs-backend` ≤ 2.6.5 splits those missing-key strings on the key separator and hands the segments to an unguarded `setPath()` walker that writes to `Object.prototype` (CVE-2026-48713). The precondition is specific — you must expose `missingKeyHandler` to untrusted input AND persist with fs-backend — but i18next is near-ubiquitous, so it's worth a fast check. Bump both packages; if you can't, stop feeding user input to `missingKeyHandler`.

go-chi RealIP middleware trusts X-Forwarded-For, enabling IP spoofing

chi's `realip` middleware pulls the client IP straight from `True-Client-IP` / `X-Real-IP` / `X-Forwarded-For` and overwrites `r.RemoteAddr` without checking the request came from a trusted proxy, so an attacker can forge any source IP and bypass rate limits, allow/deny lists, or audit attribution (paired advisory GHSA-9g5q-2w5x-hmxf). chi is a very widely embedded Go router, so this rides in transitively in a lot of services. Only enable `RealIP` behind a proxy you control, and configure it to trust a known proxy set rather than raw headers.

Rekor: gzip-bomb in Alpine APK parsing exhausts memory (DoS of the transparency log)

Rekor's `Package.Unmarshal()` decompresses the signature and control gzip members of a submitted APK into memory without bounding total decompressed size — the `max_apk_metadata_size` (1MB) check only runs on individual tar entries after decompression — so a ~1000:1 gzip bomb (2MB → 2GB) submitted as `spec.package.content` can OOM the process (CWE-409, CVSS 7.5). Rekor is sigstore's transparency log; knocking it over degrades the signing/verification path the rest of the supply chain leans on. Upgrade Rekor and rate-limit/​size-cap untrusted entry submissions at the ingress.

amazon-braket-sdk: insecure pickle deserialization in job-results processing

The Braket SDK's `deserialize_values()` reads the `dataFormat` field straight from a job-results JSON file and can reach `pickle.loads()`, so a remote authenticated user with S3 write access to a Braket job output bucket can land arbitrary code execution in whatever reads the results (CWE-502). Narrow precondition (you need write access to the output bucket), but it's the familiar pattern of a result/artifact file being trusted enough to deserialize — lock down job-output bucket write access and upgrade the SDK if you run Braket jobs.

12:00 ET · Forenoon Watch

OpenAM: pre-auth RCE via Java deserialization in the WebAuthn authenticator store

OpenAM's WebAuthn module deserializes the authenticator data it reads back from a configured storage attribute without type-safety (CWE-502), so if that attribute can be made attacker-writable an unauthenticated request through the WebAuthn flow reaches arbitrary code execution as the app-server user — patched in Community Edition 16.1.1, vulnerable `<= 16.0.6`. The precondition is real and worth stating plainly: this is not the default config, it needs the storage/`userAttribute` to be a free-form user-writable string (reachable via delegated admin, provisioning, direct LDAP write, or legacy REST self-registration), so the blast radius is deployment-specific rather than universal. Upgrade to 16.1.1, and audit which WebAuthn storage attribute your deployment binds — if it's a user-writable directory attribute, treat this as live pre-auth RCE in your IdP.

OpenAM: anonymous SOAP write to the Liberty Discovery store on any user's LDAP entry

The Liberty ID-WSF SOAP receiver in OpenAM lets an unauthenticated remote caller write persistent Discovery records onto any user's LDAP entry and into a shared root-realm branch, with the writes performed server-side under the internal admin token so they bypass the requester's identity ACLs entirely (CWE-285, `<= 16.0.6`, patched 16.1.1). The write itself needs no active Liberty consumers — what varies is downstream impact, which only bites in deployments that actually read Discovery data to drive service routing or security-mechanism selection. Liberty is a legacy protocol exposed in shipped defaults; if you don't deliberately use ID-WSF, disable the Liberty endpoints, otherwise upgrade to 16.1.1 — this is the unauth write primitive that pairs naturally with the WebAuthn deserialization bug landing the same day.

OliveTin: shared text/template instance races across goroutines, contaminating commands between requests

OliveTin parses and executes every action against a single package-level `text/template` instance with no locking, so concurrent executions — the normal case, since each request gets its own goroutine — race: one goroutine's `Parse` overwrites the shared tree while another's `Execute` walks it, which Go's docs explicitly forbid (CWE-362, CVSS 7.5, fixed in the 0.0.0-20260521225117 dev build). The failure modes are nasty for a job-runner: a `fatal error: concurrent map writes` that takes the whole process down, or cross-request contamination where one user's arguments get rendered into another user's shell template. This is the third OliveTin CVE in today's batch alongside the morning's `ot_`-prefix injection and the unauth enumeration oracle — patch all three as one OliveTin upgrade and treat the cluster as a single review item.

Gaslight macOS stealer embeds a prompt-injection payload to derail AI-assisted analysis

A Rust-based macOS implant and infostealer dubbed Gaslight ships a prompt-injection payload inside the artifact itself, designed to trick an analyst's AI tooling into aborting or refusing the analysis. Not a registry or dependency compromise, but it rhymes with the threat model directly: as more triage pipelines pipe untrusted samples through LLMs, the sample becoming adversarial input to your analysis tooling is the obvious next move. If you run any AI-assisted malware triage or code-review automation, assume the input is hostile to the model and keep a non-LLM path in the loop.

06:00 ET · Morning Watch

OliveTin: ot_-prefixed arguments bypass the argument filter and land in the command environment

OliveTin's `filterToDefinedArgumentsOnly` is meant to drop any argument not declared on the action, but a special case lets any argument whose name starts with `ot_` slip through unchecked — skipping all type validation, getting set as a process environment variable via `buildEnv()`, and surfacing in template context as `.Arguments.ot_*` (CVE-2026-53541, CVSS 4.3). It's the unvalidated-env-var-into-a-shell-action shape: depending on how an action's command or template consumes its environment, that's a path from web request to command influence on the host that runs OliveTin's jobs. Upgrade OliveTin and audit any action whose command or template reads `ot_`-prefixed values.

Malicious Edge extension uses Native Messaging as a bridge to native malware

A malicious Microsoft Edge extension abuses the browser's Native Messaging API to talk to a locally-installed host binary, turning a store-distributed extension into a launcher for malware that runs outside the browser sandbox. Native Messaging is the sanctioned escape hatch from the extension sandbox, so an approved-looking extension paired with a native host is a clean supply-chain delivery path that bypasses page-level CSP and most extension-permission scrutiny. Inventory installed browser extensions against the Native Messaging host manifests registered on each box — an extension you didn't deploy paired with a native host you don't recognise is the signature to hunt.

OliveTin: unauthenticated ValidateArgumentType endpoint enumerates action bindings

OliveTin's `ValidateArgumentType` RPC skips the `auth.UserFromApiCall` / `checkDashboardAccess` checks every other data-returning endpoint performs, so even with `AuthRequireGuestsToLogin` set it answers unauthenticated callers and works as an oracle to enumerate valid action-binding IDs and their argument shapes (CVE-2026-48709, CVSS 3.7). Low on its own, but it's the reconnaissance step that feeds the `ot_`-prefix injection above — same OliveTin upgrade closes both, so patch them as one job.

Mistic backdoor tied to KongTuke ransomware access broker via ClickFix and ModeloRAT

Researchers link a new backdoor dubbed Mistic to KongTuke, a ransomware access broker, delivered through ClickFix lures alongside the ModeloRAT campaign. Not an OSS-registry compromise, but it's the initial-access half of the same economy: a ClickFix social-engineering chain drops a foothold that gets sold on to ransomware operators. Worth a detection-rule pass for ClickFix-style clipboard / `mshta` execution chains even though there's no package to pull here.