v vanemmerik.ai / SUPPLY-CHAIN
Supply Chain Β· Watch Friday Β· 26 June 2026 End-of-day synthesis 4 watches Β· 24 items

From the watchtower β€” what crossed the wire today.

A four-times-a-day standing watch on the open-source supply chain. Each pass pulls newly disclosed CVEs, freshly catalogued KEV adds, and active attacks reported in the wild β€” then ranks them by severity for the day.

The story of the day β€” A self-replicating npm worm jumped to its third package set and a poisoned PyPI wheel harvested the same credentials by other means β€” then a late coordinated pnpm disclosure turned the package manager itself into the attack surface.

The Mini Shai-Hulud / Miasma worm did not slow down today. After this morning's LeoPlatform and RStreams compromise, Socket caught a fresh wave by mid-afternoon hitting @immobiliarelabs Backstage authentication plugins β€” the worm is now deliberately targeting developer-portal backends where SSO and source-control secrets concentrate.

It was not working alone. A malicious litellm wheel sat on PyPI long enough to poison fresh installs of semantic-router through an unbounded transitive pin, running its credential-exfil payload on interpreter startup β€” the same harvest as the worm, delivered through dependency math instead of a stolen token. In parallel, a cluster of self-hosted MCP servers shipped insecure-by-default HTTP transports, led by mcp-pinot at CVSS 10, each exposing tool invocation to any client that could reach the port. Polymarket disclosed a roughly $3M loss after a third-party vendor breach let attackers inject a script into its frontend, a reminder that the browser is a supply chain too. The bright spot held from this morning: Packagist now blocks known-bad versions at install via Aikido Intel, pushing PHP's defense down to the registry where it stops the most users.

Late escalation at 21:00 ET: the pnpm maintainers published a roughly fourteen-advisory coordinated batch that turns the package manager itself into the attack surface β€” a project env lockfile that can short-circuit resolution and execute lockfile-selected bytes (CVE-2026-55698, 8.8), registry-metadata path traversal that rewrites project paths to attacker symlinks, malicious patch files that write or delete arbitrary files, and two fail-open integrity gaps where `--frozen-lockfile` installs altered tarballs that `npm ci` would have rejected. Alongside it, a critical Nezha monitoring-dashboard pair (cross-tenant terminal/file-manager hijack at 9.9, pre-auth path traversal leaking jwt_secret_key at 9.1) and an ex_aws_sns signature bypass that rhymes with this evening's Relyra SAML break.

β†’ Operational priority for the night pin litellm and the affected npm packages to known-good versions and rebuild any environment that installed semantic-router or pulled @immobiliarelabs / LeoPlatform packages since the 24th; upgrade pnpm to 10.34.4 / 11.8.0 and treat any committed pnpm-lock.yaml on an untrusted branch as hostile input to CI; rotate every cloud and CI credential those builds could reach; pull self-hosted Nezha off public interfaces and rotate jwt_secret_key; and bind every self-hosted MCP server to loopback with auth enforced before tools/call.

21:00 ET Β· Last Watch

Nezha monitoring dashboard: cross-tenant terminal/file-manager hijack (CVSS 9.9) + pre-auth path traversal leaking jwt_secret_key (9.1)

A cluster of Nezha advisories landed after the First Watch, two of them critical. The /ws/terminal/:id and /ws/file/:id WebSocket endpoints authenticate only on possession of a valid stream UUID with no ownership check, so any authenticated dashboard user β€” including a plain RoleMember β€” who learns a live UUID gets interactive shell or full file-manager control on the target server: cross-tenant RCE (9.9). Worse for unauthenticated exposure, the NoRoute handler's fallbackToFrontend does a raw `strings.HasPrefix("/dashboard")` check, so `/dashboard../data/config.yaml` normalizes through path.Join and serves the config β€” a pre-auth path traversal that leaks jwt_secret_key in default deployments (CVE-2026-53519, 9.1), which then unlocks the cross-tenant primitive. If you self-host Nezha for fleet monitoring, upgrade to 2.0.13+ tonight, pull the dashboard off any public interface, and rotate jwt_secret_key on the assumption it already leaked.

pnpm: ~14-advisory coordinated batch β€” lockfile-driven code execution, path traversal, and integrity-check bypass

Late tonight the pnpm maintainers published a large coordinated security batch (CAND-PNPM-* / fixed in 10.34.x and 11.5.3+) turning the package manager itself into the attack surface. The worst are code-execution-class: a project env lockfile can short-circuit resolution and execute lockfile-selected pnpm bytes (CVE-2026-55698, 8.8), a transitive dependency alias from registry metadata can carry path-traversal segments and replace project paths β€” e.g. .git/hooks β€” with symlinks during `pnpm install --ignore-scripts` (CVE-2026-50016, 8.8), a malicious .patch file writes or deletes arbitrary files via unvalidated diff headers (CVE-2026-50015, 7.3), and a manifest-identity spoof satisfies allowBuilds to run attacker lifecycle scripts (CVE-2026-55487, 7.5). A second cluster is fail-open integrity: `--frozen-lockfile` skips verification when the lockfile `integrity` field is absent (CVE-2026-50021) and non-frozen installs accept altered tarballs after an integrity mismatch (CVE-2026-50573) β€” a pnpm-specific gap where npm's `npm ci` would hard-fail. Treat a committed pnpm-lock.yaml as attacker-controlled input: upgrade pnpm to 10.34.4 / 11.8.0 now, and audit any CI that runs `pnpm install` on untrusted branches or PRs.

ex_aws_sns: attacker-controlled SigningCertURL bypasses SNS signature verification entirely

ExAws.SNS.verify_message/1 (< 2.3.5) fetches the signing certificate straight from the inbound message's SigningCertURL without checking that the URL is HTTPS or points to an AWS-owned SNS cert domain. An unauthenticated attacker who can POST to any endpoint that calls verify_message/1 supplies their own cert URL, signs a forged SNS notification with their own RSA key, and gets back :ok β€” a complete signature bypass. Same trust-boundary shape as tonight's earlier Relyra SAML break: verification code that runs but trusts attacker-supplied inputs. If any Elixir service ingests SNS webhooks via ex_aws_sns, upgrade to 2.3.5 and confirm the cert host is now allow-listed.

regclient may leak registry auth credentials to external blob stores via foreign-layer URLs

regclient <= 0.11.4 can send a registry's auth credentials to an arbitrary external host when an OCI manifest's layer descriptor carries a `urls` (foreign blob) field pointing at an attacker-controlled server (CVE-2026-49349, 6.8). It needs a malicious or permissive registry, but the payoff is registry credential theft from a tool that lives in image pipelines β€” on-theme for the week's registry-as-trust-boundary thread. Upgrade regclient and, where you can, restrict which external URLs foreign blobs may resolve to.

18:00 ET Β· First Watch

Mini Shai-Hulud / Miasma worm spreads again β€” now poisoning @immobiliarelabs Backstage auth plugins on npm

Socket caught a third wave of the same self-replicating Mini Shai-Hulud / Miasma worm within hours of this morning's LeoPlatform/RStreams push: trojanized npm releases now hit @immobiliarelabs Backstage plugins, specifically the GitLab and LDAP authentication integrations. Backstage auth plugins are a deliberate target β€” they run inside developer-portal backends with broad SSO and source-control reach, so the worm's credential harvester lands exactly where CI and identity secrets concentrate. Treat any Backstage instance that pulled @immobiliarelabs packages on the 24th–26th as suspect, pin known-good versions, and rotate the GitLab/LDAP service credentials those plugins hold.

semantic-router could pull a compromised litellm wheel via unbounded transitive pin

A malicious litellm==1.82.8 wheel sat on PyPI long enough that a fresh install of semantic-router 0.1.8–0.1.14 β€” which declared litellm>=1.61.3 with no upper bound β€” could resolve straight to it (CVE-2026-42208). The wheel ships a litellm_init.pth that executes on Python interpreter startup with no import required, then exfiltrates environment variables, AWS/GCP/Azure credentials, SSH keys, Kubernetes configs, shell history, database and CI/CD secrets, and crypto material β€” the same credential-harvest payload as this week's worm, delivered through dependency math instead of a stolen token. Pin litellm to a known-good version, rebuild any environment that installed semantic-router during the exposure window, and rotate every credential reachable from those hosts.

A cluster of MCP servers shipped insecure-by-default HTTP transports β€” unauthenticated tool invocation

Three self-hosted MCP servers disclosed insecure-by-default HTTP transports today, led by mcp-pinot: with oauth_enabled=False as the default and a 0.0.0.0 bind, any network client could initialize a session and invoke its read-query tools with no authentication (CVE-2026-49257, CVSS 10). It doesn't stand alone β€” mcp-memory-service lets a read-only OAuth client write and delete via tools/call (CVE-2026-49291, 8.1) and line-desktop-mcp's --http-mode exposes read/send-message tools on 0.0.0.0 with no MCP-layer auth (CVE-2026-49357), the same shape as yesterday's github-mcp-server cross-tenant bleed. If you self-host any MCP server over HTTP, bind it to loopback, require auth before tools/call, and assume the network-exposed default was wrong.

Polymarket customers lose ~$3M after attacker injects script into the frontend via a third-party vendor breach

Polymarket says attackers breached a third-party vendor and injected a malicious script into the platform's frontend, draining an estimated $3 million from customers before it was caught; the company will reimburse the losses. This is the browser-side face of the same problem β€” a trusted dependency loaded into the page, compromised upstream, executing in every visitor's session β€” and it's the vector client-side integrity controls (SRI, strict CSP, vendor JS review) exist to blunt. If you load third-party scripts into a money-handling frontend, audit what they can do, pin them with subresource integrity, and confirm your CSP wouldn't let an injected payload phone home.

deepstream server: prototype pollution β†’ privilege escalation for any authenticated writer

deepstream server <=10.0.4 is vulnerable to prototype pollution (CVE-2026-49252, 9.9): any authenticated user with write permission to any record can poison Object.prototype and escalate privilege across the server. CVSS puts this in critical territory, but it needs an authenticated write foothold, so the real exposure is multi-tenant realtime deployments where low-trust users hold write scope. Upgrade to 10.0.5; if you can't immediately, filter messages whose path contains __proto__, constructor, or prototype before they reach the message pipeline.

Relyra SAML library accepts forged signatures β€” authentication bypass

Relyra 1.0.0 and 1.1.0 returned a successful SAML authentication result without ever cryptographically verifying SignatureValue against the IdP certificate β€” the canonicalize step was an unused passthrough and DigestValue was never recomputed, so a forged assertion authenticates as anyone (CVE-2026-49454, 9.1). This is the classic SAML trust-boundary footgun: signature-verification code that looks present but never runs. If any service authenticates via Relyra, upgrade now and review access logs for assertions you can't tie to a real IdP round-trip.

Hackney (Erlang HTTP client): six-advisory remote-DoS batch

A coordinated set of six Hackney advisories landed this evening, all untrusted-server DoS: atom-table exhaustion via unrecognized URL schemes, unbounded buffer accumulation in the WebSocket path, a per-chunk-timeout slowloris with unbounded body accumulation, a missing timeout on post-handshake ssl:connect upgrade, and an infinite loop on a malformed Alt-Svc header. Hackney is the default HTTP client under a large slice of the Elixir/Erlang ecosystem, so anything that makes outbound requests to attacker-influenced hosts is in scope. Upgrade hackney and put timeouts/size caps around outbound calls that can hit untrusted endpoints.

Chinese-speaking APT (CL-STA-1062) deploys new TinyRCT backdoor against Southeast Asian energy and government targets

Palo Alto Networks attributes a new custom backdoor, TinyRCT, to a Chinese-speaking actor (CL-STA-1062) targeting state-owned energy and government entities across Southeast Asia. Not a package-registry attack, but it rhymes with the week's theme of bespoke implants and living off trusted tooling against critical-infrastructure operators. Context only; relevant if you model state-actor TTPs against your surface.

12:00 ET Β· Forenoon Watch

Mini Shai-Hulud / Miasma worm hits LeoPlatform + RStreams npm packages, now spreading to Go

Socket tracked a fresh wave of the self-replicating Mini Shai-Hulud / Miasma / Hades worm: a breached LeoPlatform maintainer token (β€œczirker”, likely leaked credentials) was used to push trojanized versions across roughly twenty Leo/RStreams npm packages on June 24 inside a six-second window, with the same payload now reaching GitHub Actions workflows and a related Go module (Verana Blockchain). The payload is a broad credential harvester β€” .env files, npm/PyPI/GitHub/Slack/Twilio tokens, SSH keys, Docker and Kubernetes configs, AWS/Azure/GCP credentials, Vault data and CI secrets β€” then reuses what it steals to republish and spread, which is what makes this a worm rather than a one-off poisoning, and the Leo/RStreams set sits squarely on cloud-native, serverless CI surface. Pin or deny the affected versions now, grep your installs and CI logs for anything pulled on June 24, and rotate any npm, cloud, or CI tokens that touched a build using these packages.

06:00 ET Β· Morning Watch

Lemur: read-only role can mint root CAs β€” authorization bypass (plus JWT-alg ATO, plaintext passwords, SSRF)

Continuation of yesterday's Netflix-Lemur disclosure: StrictRolePermission/AuthorityCreatorPermission build a flask-principal Permission with zero Needs when their config flags are unset β€” the shipped default β€” so .can() passes for every authenticated identity and a read-only user can create root certificate authorities (CVE-2026-48508, 8.8). Three siblings ride along: the JWT verifier honours an attacker-supplied alg (account takeover), the user-update path stores plaintext passwords, and crafted CRL/OCSP URLs give post-auth SSRF. If you run Lemur as your internal CA, treat this as privilege-boundary-gone β€” upgrade, then audit who created authorities while the flags sat at their default false.

ImageMagick / Magick.NET: eight-advisory memory-safety + policy-bypass batch

Aisle Research dropped a coordinated ImageMagick set, surfacing here in the Magick.NET bindings: an out-of-bounds heap write in the ICON decoder (CVE-2026-53461), invalid-dimension DCM images, a MAT heap over-write on 32-bit, an MVG stack overflow, a Floyd-Steinberg heap underwrite, plus policy bypasses for an OOM condition and symlink file-read. Any service that ingests user-supplied images through ImageMagick/Magick.NET is in scope β€” these are the classic decoder-fuzzing crashes that turn an upload form into a DoS. Patch the binding and tighten policy.xml to deny the decoders you don't actually use.

MessagePack-CSharp: eleven-advisory deserialization-DoS batch (stackalloc overflow, depth-check bypass)

A large MessagePack-CSharp disclosure centred on untrusted-input DoS: ReadDateTime() does an attacker-controlled stackalloc that throws an uncatchable StackOverflowException and kills the process (CVE-2026-48502), Reader.Skip() recurses past MaximumObjectGraphDepth, and a string of formatters allocate from unbounded declared lengths (LZ4, multi-dimensional arrays, ExpandoObject quadratic insert). The one to grep for is the ASP.NET Core input formatter defaulting to TrustedData for HTTP request bodies. If you deserialize MessagePack at any network boundary, upgrade and confirm you're passing the untrusted-data security options.

Filament: app-based MFA recovery codes reusable via concurrent submission

A race in Filament's app-based MFA lets the same recovery code be burned more than once by submitting it in parallel, defeating the single-use guarantee (CVE-2026-48505, 7.4; email MFA is unaffected). It's a second-factor weakening, not a primary auth bypass β€” an attacker still needs the password and a recovery code β€” but it widens the post-compromise session window beyond what one-time codes imply. Upgrade Filament; if you see recovery-code use you can't account for, force re-enrollment.

go-chi RealIP: X-Forwarded-For spoofing re-published across v1–v5 branches

The chi middleware.RealIP X-Forwarded-For trust issue from yesterday now has advisories spanning every version branch β€” RealIP takes the first XFF entry, which the client controls, so RemoteAddr-based allow-lists, logging, and rate-limits can be spoofed. Same defensive note as before: don't use RealIP for security decisions unless chi sits behind a proxy that overwrites XFF, and pin the patched release. Logged medium β€” it's a footgun, not a break.

GitHub MCP Server: lockdown-mode singleton leaks GraphQL client across users

In the GitHub MCP Server's HTTP mode, a lockdown-mode singleton means one user's authenticated GraphQL client can be reused for another user's requests β€” a cross-tenant credential bleed in any multi-user MCP deployment (CVE-2026-48529, 6.0). Single-user/stdio setups aren't exposed. If you host the GitHub MCP server for a team, upgrade before anything else and don't share one process across identities.

LangGraph: unsafe JSON deserialization in checkpoint loading + unsafe SDK URL-path construction

Two LangGraph advisories: checkpoint loading deserializes JSON unsafely (CVE-2026-48775, 6.8) and the SDK builds URL paths without sanitisation. For agent frameworks that persist and reload graph state, an attacker who can write a checkpoint gets a deserialization foothold on reload. Upgrade the SDK and treat checkpoint stores as a trust boundary, not scratch space.

Hardening batch: nextflow login perms, OpenTelemetry Baggage memory, FileBrowser auth rate-limit

Three lower-stakes hygiene fixes worth a line each: `nextflow auth login` writes its credential file with overly permissive default perms (CVE-2026-48722), the OpenTelemetry SDK's W3C Baggage propagator allocates without bound on crafted headers (DoS), and FileBrowser ships no rate-limiting on its auth endpoint (brute-force). None are urgent β€” fold them into your next dependency bump.

Packagist now blocks malicious package versions by default via Aikido Intel

The morning's bright spot: Packagist has wired Aikido's malware feed into Composer so known-bad package versions are blocked at install by default β€” registry-level interdiction of the same publish-a-malicious-version attack that hit ShapedPlugin and the npm PostCSS typosquats this week. PHP joins npm and PyPI in pushing supply-chain defence down to the registry, where it stops the most users with the least effort. Nothing to action; note it as the direction of travel, and one fewer ecosystem relying purely on post-hoc takedowns.

golang.org/x/crypto/ssh: last night's coordinated disclosure lands as ten canonical advisories

GitHub published the per-CVE advisories for the x/crypto/ssh batch we triaged last night: the knownhosts @revoked auth bypass (CVE-2026-42508), the FIDO/U2F user-presence bypass (CVE-2026-39831), agent destination-constraint stripping (CVE-2026-39832), and the DoS/panic siblings (CVE-2026-39834, -39829, -46597, -39827, -39835, -39828, -46598). Same vulnerabilities, same fix β€” golang.org/x/crypto 0.52.0 β€” already done if you patched off the 06-25 critical. Logged as context so the formal IDs are on the record; no new exploitation and nothing to do you haven't already done.

Turla deploys new .NET STOCKSTAY backdoor against Ukraine and Italy-policy targets

Google attributes a previously undocumented .NET backdoor, STOCKSTAY, to Russia's Turla, used against Ukrainian government/military targets and entities tied to Italian foreign policy. Not a package-registry attack, but it rhymes with the week's theme of bespoke .NET implants and living off trusted tooling β€” and Turla has a long history of hijacking other actors' infrastructure. Context only; relevant if you model state-actor TTPs against your surface.