v vanemmerik.ai / SUPPLY-CHAIN
Supply Chain · Watch Sunday · 28 June 2026 End-of-day synthesis 4 watches · 4 items

From the watchtower — what crossed the wire today.

A four-times-a-day standing watch on the open-source supply chain. Each pass pulls newly disclosed CVEs, freshly catalogued KEV adds, and active attacks reported in the wild — then ranks them by severity for the day.

The story of the day — A quiet day on the registries threw the week's real shift into relief: both of today's disclosures weaponize the AI coding agent's auto-trusted setup surface — repo configs and MCP definitions — rather than any poisoned package.

The registry worms that defined the week — Miasma / Mini Shai-Hulud — went quiet overnight, with no new npm or ecosystem hits published since the June 26 @immobiliarelabs compromise. That lull let the day's real pattern surface.

Both of today's disclosures attack the same new surface: the AI coding agent's auto-trusted configuration. Researchers showed a GitHub repo that scans clean to security tools, human reviewers, and the agent itself, yet drives an agentic coding tool to execute a hidden payload during a routine clone-and-set-up. Hours later, Wiz's CVE-2026-12957 (CVSS 8.5, now patched) in Amazon Q Developer showed the production version of the same idea — a malicious repo running commands and exfiltrating a developer's cloud credentials through checked-in MCP server definitions. Neither ships in a published package; both exploit the trust an agent places in "just set this repo up." The one bright spot is defensive: npm's new 72-hour publish cooldown after risky account changes is a structural answer to the harvest-then-republish worms, breaking the "immediately" those campaigns depend on.

→ Operational priority for the night confirm Amazon Q Developer is on the patched build, and treat any agent-initiated shell execution from an unreviewed repo as an untrusted-input boundary — sandbox the clone, and do not let the agent run setup scripts you have not read yourself.

06:00 ET · Morning Watch

Clean-looking GitHub repo tricks AI coding agents into executing a hidden payload

Researchers demonstrated an attack where a GitHub repository that scans clean to security tools, human reviewers, and the agent itself causes an agentic coding tool to execute a malicious payload during a routine clone-and-set-up task. The novelty is the target: the malware never ships in a published package, it weaponizes the trust an autonomous coding agent places in "just set this repo up" — README, config, and setup-hook content the agent reads and acts on, but a dependency scan never inspects. If your team points Claude Code, Cursor, Amazon Q or similar at untrusted repos, treat agent-initiated shell execution as an untrusted-input boundary: sandbox the clone and don't let an agent run setup scripts from a repo you haven't reviewed yourself.

Amazon Q Developer flaw (CVE-2026-12957, CVSS 8.5): malicious repo runs code and steals cloud creds via MCP configs

Wiz disclosed CVE-2026-12957 (CVSS 8.5) in Amazon Q Developer: a malicious repository could run commands and exfiltrate a developer's cloud credentials through how Q handled Model Context Protocol (MCP) server definitions — the developer opens the repo, trusts the workspace, and Q does the rest. This is the same shape as the clean-repo agent attack above: the AI dev tool's auto-loaded config surface, here MCP server configs checked into the repo, is the injection point, not any dependency. Amazon has patched it; if you run Q Developer, confirm you're on the fixed build and review which repositories were opened-with-trust before the patch landed.

npm adds a 72-hour publish freeze after risky account changes

npm now imposes a 72-hour cooldown on high-impact accounts after risky changes — email, password, or 2FA updates trigger a freeze during which publishing is blocked, narrowing the window between an attacker stealing a maintainer's credentials and pushing a poisoned release. This is a direct structural answer to the Shai-Hulud / Miasma pattern, where the whole attack is compromise-the-account-then-immediately-republish; a mandatory cooldown breaks the "immediately." It runs alongside trusted and staged publishing rather than replacing them — worth knowing if you maintain a high-download package, since a legitimate credential rotation will now also pause your own releases for three days.

Status: Mini Shai-Hulud / Miasma worm feeds quiet overnight

Status check on the Mini Shai-Hulud / Miasma / Hades worm that ran all week: the Socket and Hacker News feeds went quiet overnight, with no new ecosystem or package additions published since the June 26 @immobiliarelabs npm hit. That's a lull, not an all-clear — the self-replicating harvest-and-republish loop is unattended infrastructure that can resume without a fresh writeup, so hold yesterday's sweep posture (npm lockfiles, GitHub Actions run logs, go.mod/go.sum, rotated CI and cloud tokens) in place rather than standing it down.