v vanemmerik.ai / SUPPLY-CHAIN
Supply Chain · Watch Monday · 29 June 2026 End-of-day synthesis 4 watches · 9 items

From the watchtower — what crossed the wire today.

A four-times-a-day standing watch on the open-source supply chain. Each pass pulls newly disclosed CVEs, freshly catalogued KEV adds, and active attacks reported in the wild — then ranks them by severity for the day.

The story of the day — Infostealers keep arriving through trusted channels — hijacked npm/Go packages, a KEV-listed SimpleHelp auth bypass, and a late wave of clipboard-stealing browser extensions — while OpenAM and Dgraph patch server-side identity and injection flaws.

Monday's signal is the infostealer, and the through-line is the trusted channel each one rode in on. Today's payloads did not arrive through novel exploits so much as through software estates already granted standing trust — package registries, remote-support tooling, identity servers, and now browser-extension auto-update.

JFrog traced two hijacked npm packages and a cluster of Go packages that drop a cross-platform Python infostealer, firing through VS Code workspace tasks (.vscode/tasks.json) rather than npm lifecycle hooks — a deliberate dodge around npm v12's install-script hardening, which is the quiet bright spot: the new control works well enough that attackers had to reroute. The day's operational anchor is SimpleHelp: CISA catalogued the OIDC signature-bypass flaw (CVE-2026-48558) into the KEV list today with a three-day due date of July 2, confirming the active exploitation BleepingComputer reported this morning dropping the new Djinn stealer — a one-to-many pivot through MSP RMM. OpenAM shipped 16.1.1 to close a three-bug identity-server cluster: an authenticated Groovy-sandbox RCE, OAuth client impersonation via the JWKS cache, and PKCE verification skippable on a default install.

Late escalation at 21:00 ET: two more high-severity items landed after the 18:00 synthesis, and both extend the day's pattern rather than break it. Socket documented Chrome and Firefox ‘free VPN’ extensions that shipped clean and then turned malicious through later updates to add clipboard stealers — the trusted-channel thesis carried onto the browser-extension update channel. Alongside it, GitHub published a reviewed advisory for an unauthenticated DQL-injection flaw in Dgraph's GraphQL layer (CVE-2026-44840, CVSS 7.5) that the earlier mutation-injection patches do not cover, with no fixed release listed yet.

→ Operational priority for the night patch SimpleHelp servers before CISA's July 2 KEV deadline (or pull them off the internet until you can), grep developer and CI checkouts for unexpected .vscode/tasks.json, schedule the OpenAM 16.1.1 upgrade for any realm running server-side scripts or private_key_jwt clients, and gate any internet-reachable Dgraph GraphQL endpoint behind auth/network controls until a patched build ships.

21:00 ET · Last Watch

Dgraph: unauthenticated DQL injection via the checkUserPassword GraphQL query

GitHub published a reviewed high-severity advisory (CVE-2026-44840, CVSS 7.5, CWE-943) for Dgraph: the checkUserPassword GraphQL query interpolates the user-supplied password straight into a DQL checkpwd() call via fmt.Sprintf, so a double-quote character breaks out of the string literal and appends attacker-controlled DQL blocks. checkUserPassword is unauthenticated and network-reachable, so a single crafted HTTP request to the GraphQL endpoint executes injected queries server-side — schema and predicate enumeration via elevated touched_uids — and the advisory notes this is a different code path from the earlier mutation-injection fixes (CVE-2026-41327/41328), so those patches don't cover it. Affects Dgraph ≤ 25.3.3 with no fixed release listed yet; gate any internet-reachable GraphQL endpoint behind auth/network controls and watch for unexplained touched_uids until a patched build ships.

Chrome and Firefox ‘free VPN’ extensions turn malicious via update to add clipboard stealers

Socket detailed a campaign of Chrome and Firefox extensions that shipped clean as free-VPN tools and then pulled in clipboard-stealer code through later auto-updates — the same turn-trusted-then-poison shape as a hijacked package version, carried onto the browser-extension channel. It rhymes directly with today's through-line: the malicious code rode an update mechanism users had already granted standing trust, not a fresh install, making clipboard contents (wallet addresses, copied secrets) the payload target. Audit managed-browser extension allowlists for these VPN extensions and prefer force-installing pinned, vetted versions over letting the store auto-update them.

18:00 ET · First Watch

CISA adds SimpleHelp auth-bypass (CVE-2026-48558) to the KEV catalog — remediate by July 2

CISA catalogued the SimpleHelp OIDC authentication-bypass flaw (CVE-2026-48558, CWE-347) into the Known Exploited Vulnerabilities list today with an unusually tight three-day remediation due date of 2026-07-02 — the federal operational signal now confirms the active exploitation BleepingComputer reported this morning. The bug is a missing signature check: when OIDC is configured, SimpleHelp accepts identity tokens without verifying their cryptographic signature, so a remote unauthenticated attacker can forge a token with arbitrary claims and land a fully authenticated technician session, sometimes bypassing MFA along the way. SimpleHelp is privileged RMM software MSPs use as a one-to-many push channel, so treat a vulnerable server as a supply-chain pivot: apply the vendor update (security advisory 2026-05) now, and if you can't meet the KEV deadline, pull the server off the public internet until you can.

OpenAM: authenticated RCE via Groovy scripting sandbox escape

OpenAM Community Edition through 16.0.6 lets an authenticated script author break the server-side Groovy sandbox and run OS commands as the OpenAM application-server account under the default allow/deny lists (CVE-2026-47424, CWE-693). A sub-realm RealmAdmin who can edit server-side scripts crosses from realm-scoped administration to full JVM/host execution, compromising the whole OpenAM process and every realm it serves — the sandbox was the only code-level boundary. Upgrade to 16.1.1 and, until then, lock down who can author or edit server-side scripts in any realm.

OpenAM: OAuth client impersonation via JWKS resolver cache

In OpenAM through 16.0.6, the OAuth2 private_key_jwt path lets any registered client mint tokens in the name of any other client whose key is published via a jwks_uri, without holding the victim's signing key (CVE-2026-47426, CWE-287). Where open dynamic client registration is enabled, an attacker only needs any client foothold to impersonate any other across every realm the process hosts — an identity-provider trust break, not a single-app bug. Upgrade to 16.1.1 and audit dynamic-client-registration exposure if you run private_key_jwt with jwks_uri.

OpenAM: PKCE verification skippable by default

OpenAM through 16.0.6 only enforces a PKCE code_verifier when the realm-wide codeVerifierEnforced setting is on, and it ships off by default, so omitting the verifier skips PKCE checking entirely (CVE-2026-48717, CWE-285). For public clients that means an attacker who intercepts an authorization code can redeem it for tokens without the verifier — the protection PKCE exists to provide silently absent on a default install. Patched in 16.1.1; if you can't upgrade immediately, turn codeVerifierEnforced on per realm.

12:00 ET · Forenoon Watch

Critical SimpleHelp flaw under active exploitation to drop Djinn, a new cross-platform stealer

BleepingComputer reports active in-the-wild exploitation of a recently-disclosed critical SimpleHelp flaw (CVE-2026-48558) to deploy Djinn Stealer, a previously-undocumented infostealer that runs on Windows, macOS, and Linux. SimpleHelp is remote-support/RMM software that MSPs operate as a privileged push channel into downstream client estates, so an exploited server is a supply-chain pivot with one-to-many blast radius — the same shape as a compromised build agent, just on the operations side. Patch SimpleHelp server instances to the fixed release now and hunt for Djinn indicators on any host a vulnerable server can reach; if you buy managed services from a provider that runs SimpleHelp, ask them for their patch status today.

THN weekly recap — DirtyClone Linux kernel flaw, Turla backdoor, infostealer wave

THN's Monday retrospective rounds up the week's DirtyClone Linux-kernel local-privesc flaw, a Turla backdoor, and several infostealer campaigns. None of it is a fresh registry-poisoning event, but the infostealer throughline rhymes with today's hijacked-npm/Go and SimpleHelp items — credential and token theft is the consistent post-compromise payload this week. Treat it as a single readable catch-up link rather than an action item.

06:00 ET · Morning Watch

Hijacked npm and Go packages use VS Code tasks to drop a cross-platform Python infostealer

JFrog traced two hijacked npm packages and a cluster of Go packages that install a Python-based infostealer on Windows, Linux, and macOS hosts — confirmed malicious code in published, previously-trusted packages, not a PoC. The notable TTP is execution: instead of the usual npm lifecycle hooks (preinstall/postinstall), the payload fires through VS Code workspace tasks (.vscode/tasks.json), which JFrog reads as a deliberate dodge around npm v12's hardening of install-time script execution — attackers are already routing around the new control rather than abandoning it. If you pull these ecosystems into a developer or CI workspace, stop trusting "no install scripts ran" as an all-clear: grep repos and dependency checkouts for unexpected .vscode/tasks.json, and disable automatic task execution / 'trust' prompts in editors that open untrusted clones.