v vanemmerik.ai / SUPPLY-CHAIN
Supply Chain · Watch Saturday · 27 June 2026 End-of-day synthesis 4 watches · 18 items

From the watchtower — what crossed the wire today.

A four-times-a-day standing watch on the open-source supply chain. Each pass pulls newly disclosed CVEs, freshly catalogued KEV adds, and active attacks reported in the wild — then ranks them by severity for the day.

The story of the day — The Miasma worm crossed from npm into Backstage's GitLab and LDAP auth plugins, Polymarket lost roughly $3M to a poisoned frontend, and a wave of disclosures — Nezha, pnpm, Hackney, ex_aws_sns — all rhymed on one flaw: trusting attacker-controlled input as authorization.

The Miasma / Mini Shai-Hulud worm that trojanized npm packages on June 24 spent today proving it isn't finished: Socket confirmed it reached @immobiliarelabs' Backstage GitLab and LDAP auth plugins — packages that sit directly in a CI and SSO trust path — while The Hacker News tied the same worm to GitHub Actions abuse and propagation into Go modules. A credential-stealer that lands in the very packages whose job is to broker credentials is the worst place for it to land.

Underneath the worm, the day's disclosures rhymed on a single flaw: authorization derived from attacker-controlled input. Nezha shipped a pre-auth-to-RCE chain — leak jwt_secret_key through a /dashboard prefix match, forge an admin token, then hijack any tenant's terminal over an unchecked stream UUID; pnpm's coordinated 15-advisory batch turned poisoned lockfiles and PR-supplied .patch files into code execution and arbitrary file write on install; ex_aws_sns fetched its signature trust anchor from an attacker-named URL; and Hackney and Microsoft's kiota both walked Authorization headers off to foreign hosts on cross-origin redirects. Polymarket is the proof this isn't theoretical — a breached third-party vendor injected a frontend skimmer and drained roughly $3M from customers' browsers.

→ Operational priority for the night if you run Backstage with @immobiliarelabs plugins, pin to a clean pre-June-24 build and rotate every GitLab and LDAP secret those plugins could read; if you run a reachable Nezha dashboard, upgrade and rotate jwt_secret_key now, since the leak is pre-auth and trivially scriptable.

18:00 ET · First Watch

@microsoft/kiota-http-fetchlibrary: bearer token and Cookie leak across origin on redirect via case-mismatched header scrub

Kiota's fetch adapter strips sensitive headers before following a redirect, but the scrub is case-mismatched against the actual header names, so on a cross-origin 3xx the Authorization bearer token and Cookie survive and are forwarded to the new host (CVE-2026-49336). It is the same shape as today's Hackney redirect leak in a second ecosystem, and the same class as the morning's case-sensitive phar:// bypass — a guard that compares strings case-sensitively against inputs that don't honor case. If you generate Microsoft Graph or other Kiota SDK clients from the affected preview range, upgrade and treat any token that traversed a redirect as exposed.

12:00 ET · Forenoon Watch

Miasma / Mini Shai-Hulud worm hits @immobiliarelabs npm packages — GitLab and LDAP Backstage auth plugins trojanized

Socket has the next confirmed victim cluster in the Miasma / Mini Shai-Hulud run: the self-replicating credential-stealer trojanized @immobiliarelabs Backstage plugins on npm, specifically the GitLab and LDAP auth packages — same harvest-and-republish loop, now landing in dependencies that sit directly in a CI/SSO trust path. Backstage GitLab/LDAP plugins are exactly the kind of package whose compromise hands an attacker the credentials they exist to broker, so this is worse than a poisoned leaf utility. If you run Backstage with @immobiliarelabs plugins, pin to a known-good pre-June-24 version, rebuild from clean, and rotate any GitLab or LDAP secret the plugin could read.

Nezha Monitoring: cross-tenant terminal / file-manager session hijack via WebSocket stream UUID with no ownership check

This is the companion the morning's jwt_secret leak chains into: nezha v1.14.13–v1.14.14 and v2.0.0–v2.0.9 authenticate GET /ws/terminal/:id and /ws/file/:id solely on possession of a valid stream UUID, with no check tying that UUID to the user who created the stream (CVSS 9.9). Any authenticated dashboard member who learns a live stream UUID attaches to another tenant's terminal or file manager — and combined with the pre-auth jwt_secret_key leak (GHSA-5c25), an attacker can forge the admin token to get in first. Upgrade now: the pair is a single pre-auth-to-RCE chain (leak secret, forge token, hijack session), not two isolated bugs.

pnpm coordinated disclosure: 15 advisories — malicious lockfiles, patches, and config dependencies reach arbitrary file write and code execution on install

The pnpm maintainers published a coordinated batch of 15 advisories (9 high, 6 medium) across the lockfile, patch, and configDependencies machinery: a project env lockfile can short-circuit resolution and execute lockfile-selected pnpm bytes (CVE-2026-55698, 8.8), a transitive dependency alias can path-traverse and override project paths via symlink replacement (CVE-2026-50016, 8.8), malicious .patch files write or delete arbitrary files during install (CVE-2026-50015), plus integrity-check bypasses and repository config that expands victim env secrets into registry requests. The through-line: pnpm trusted repository- and lockfile-controlled values as filesystem paths and resolution inputs, so a poisoned lockfile or a malicious PR patch becomes code execution or file write as the installing user — the npm-ecosystem analogue of inert data being treated as a command. Upgrade pnpm to the fixed line across CI and developer machines, and treat lockfile and .patch changes in untrusted PRs with the same suspicion as a build script.

Hackney HTTP client: 6 advisories — cross-origin redirect leaks Authorization/Cookie/body, plus CRLF injection and unbounded-buffer OOM

Six advisories land on hackney, the HTTP client under much of the Erlang/Elixir ecosystem: with follow_redirect enabled, a cross-origin 3xx forwards Authorization, Cookie and Proxy-Authorization headers and — for 307/308 — the request body to the attacker's host (CVE-2026-47070); the WebSocket upgrade path takes CRLF/header injection (CVE-2026-47072); and unbounded body/WebSocket buffering enables slow-drip OOM (CVE-2026-47073/47074). The redirect leak is the supply-chain-relevant shape — any Elixir service that makes authenticated outbound calls through hackney and follows redirects can have those credentials walked off to a malicious endpoint. Upgrade hackney; if you can't immediately, disable follow_redirect on authenticated outbound requests.

ex_aws_sns: complete SNS signature bypass — verify_message fetches the signing cert from an attacker-controlled SigningCertURL

ExAws.SNS.verify_message/1 fetches the signing certificate straight from the message's SigningCertURL field without checking that the URL is HTTPS or hosted on an AWS-owned SNS certificate domain, so an unauthenticated attacker who can POST to any endpoint that calls it supplies their own cert URL, signs a forged message with their own key, and sails through verification. The entire purpose of the function — proving a message genuinely came from SNS — is defeated by trusting attacker-supplied input for where to fetch the trust anchor. If you verify SNS messages with ex_aws_sns, upgrade and pin certificate retrieval to the sns.<region>.amazonaws.com domains.

Polymarket loses ~$3M to frontend supply-chain attack via third-party vendor breach

BleepingComputer reports attackers breached a third-party vendor and injected a malicious script into Polymarket's frontend, draining roughly $3M from customers before it was caught; Polymarket says it will reimburse. Same shape as the Polyfill / web-skimmer class — a vendor you load JavaScript from is a vendor that can move money in your users' browsers. If you ship third-party scripts on any page that touches funds or auth, enforce Subresource Integrity and a strict script-src CSP, and audit which vendors can push code to production without passing through your review.

Nezha hardening sweep: list-API credential exposure, NAT host preemption, OAuth host-header injection, WebSocket DoS

Alongside the two criticals, the Nezha audit dropped five more medium advisories: GET /api/v1/ddns and /api/v1/notification return plaintext Cloudflare/TencentCloud/Slack/Discord tokens unredacted to any admin (GHSA-ww5p), a non-admin can claim the dashboard's own Host via a NAT profile and preempt all routing (CVE-2026-53520), OAuth2 redirect host-header injection (CVE-2026-53523), unbounded WebSocket streams (CVE-2026-53522), and stored-future DDNS profile abuse (CVE-2026-53521). None is the headline, but together they say the whole authorization surface was under-checked — take the full upgrade, not a cherry-picked patch, and rotate any third-party token the list APIs could have exposed.

regclient: registry credentials can leak to attacker-controlled foreign blob stores

regclient can leak registry auth credentials to external servers when a malicious registry — or one that doesn't restrict foreign-blob URLs — serves a manifest whose layer descriptor urls field points at an attacker host; regclient follows it and may attach credentials (CVE-2026-49349). Relevant if you use regclient in CI to copy or inspect images from registries you don't fully control. Upgrade, and where possible disable foreign-blob URL following or allowlist the hosts it may fetch from.

Chinese-speaking APT deploys new TinyRCT backdoor against Southeast Asian government and energy targets

The Hacker News covers CL-STA-1062 (per Palo Alto Networks) deploying a new custom backdoor, TinyRCT, against state-owned energy and government entities in Southeast Asia. Not a supply-chain attack — straight espionage tooling — but it's here for the usual reason: APT crews increasingly seed initial access through trusted software and update paths, so the TTPs are worth tracking even when the entry vector this time isn't a package. No action for most readers; context for threat-intel.

06:00 ET · Morning Watch

Mini Shai-Hulud / Miasma worm: cross-ecosystem spread consolidated — npm, GitHub Actions, and Go

The Hacker News pulled the week's Mini Shai-Hulud / Miasma / Hades activity into one picture: the self-replicating credential-stealer that trojanized LeoPlatform and RStreams npm packages on June 24 is now confirmed abusing GitHub Actions workflows and propagating into the Go ecosystem, so this is one worm crossing package-manager boundaries rather than three separate incidents. Nothing structurally new since Socket's writeup — same harvest-and-republish loop, same .env / cloud / CI token targets — but the cross-ecosystem confirmation matters because a Go-module or Actions-workflow compromise won't surface in an npm-only audit. If you scoped your June-24 sweep to package-lock.json, widen it: grep Actions run logs and go.mod/go.sum changes for the same window and rotate any token a poisoned build could have touched.

Nezha Monitoring: pre-auth path traversal via /dashboard prefix confusion leaks jwt_secret_key

Nezha's NoRoute fallback treats any raw URL whose string starts with /dashboard as a frontend-asset request, using strings.HasPrefix instead of a path-segment match — so /dashboard../data/config.yaml survives TrimPrefix and path.Join normalizes to data/config.yaml, handing an unauthenticated attacker the server config including jwt_secret_key (CVE-2026-53519). This is the dangerous half of yesterday's Nezha pair: leak the JWT secret and you can forge admin tokens, which chains straight into the cross-tenant terminal/file-manager hijack disclosed alongside it. If you run a reachable Nezha dashboard, upgrade now and rotate jwt_secret_key — assume the old secret is burned, since the leak is pre-auth and trivially scriptable.

gonic / Subsonic API: playlist IDOR, path traversal past an incomplete fix, and arbitrary file write

Three advisories land on gonic's Subsonic playlist endpoints: deletePlaylist/getPlaylist do no per-resource authorization, so any authenticated user can read or delete anyone's playlists (CVE-2026-49338); the maintainer's ownership-check fix is bypassable because UserID is parsed from the attacker-controlled first path segment of the playlist id with no path containment (CVE-2026-49339); and createPlaylist writes M3U content to an arbitrary absolute path while creating intermediate dirs at 0o777 (CVE-2026-49340). The middle one is the instructive shape — a security fix that derives the ownership key from the very input it's meant to constrain, so the patch reads correct but isn't. Self-hosted gonic operators should upgrade past the full cluster fix, not just the first commit, and audit for unexpected files written under the music/playlist roots.

PhpWeasyPrint: PHAR deserialization via output filename — case-insensitive phar:// bypass

php-weasyprint guarded the output filename against phar:// with a case-sensitive strpos check, but PHP stream wrappers are case-insensitive, so PHAR://, Phar:// and friends sail past it into file_exists() and trigger PHAR deserialization (CVE-2026-49286) — the exact CVE-2023-28115 pattern, reintroduced by a blacklist that forgot wrappers don't care about case. If any user-influenced value reaches the output filename, an uploaded .phar plus a crafted name becomes object injection. Upgrade; and as a rule, validate stream wrappers with a case-insensitive allowlist, never a case-sensitive denylist.

Blnk: API key authorization bypass — non-master keys can manage keys outside their scope

Blnk's API-key endpoints trusted caller-supplied owner and scope values when making key-management decisions, so a non-master key could manage another owner's keys, or mint a more-privileged key, simply by supplying different values in the request. It's a textbook confused deputy — authorization derived from the request body instead of the authenticated key's own identity. If you run Blnk as a ledger backend, upgrade and review key-management actions for any key operating outside its issued scope.

SolidInvoice: LiveComponent IDOR exposes other users' API tokens and notification transports

Four Symfony LiveComponent actions accept entity IDs without ownership checks while the matching list methods correctly filter by user, so any authenticated user inside a company can read, modify, or revoke other users' API tokens and notification-transport settings — cross-user API-token revocation among them. Same root cause that's going around this week: listing is scoped, mutation isn't. Upgrade, then rotate any API tokens that predate the fix, since same-company token disclosure is in scope.

js-toml: O(n²) CPU exhaustion parsing radix-prefixed integer literals

js-toml ≤1.1.0 parses hex/octal/binary integer literals with a hand-rolled parseBigInt loop that multiplies a linearly-growing BigInt accumulator once per digit, making it O(n²) in literal length (CVE-2026-49293) — a long 0x… literal in untrusted TOML stalls the event loop. Denial-of-service only, no code execution, but if you parse user-supplied TOML server-side it's a cheap way to peg a worker. Upgrade, or bound input size before parsing.

Statamic CMS: unsafe method invocation via collection sorting can destroy content

An incomplete fix for GHSA-4jjr-vmv7-wh4w left in-memory collection sorting unguarded, so manipulated sort parameters can invoke unintended methods and destroy content and assets (CVE-2026-49287). It's not exploitable by default — a front-end template has to pass request input straight into a tag's sort parameter — so blast radius depends on your templates. Upgrade, and grep templates for sort: parameters fed directly from request input.