Monday's signal is the infostealer, and the through-line is the trusted channel each one rode in on. Today's payloads did not arrive through novel exploits so much as through software estates already granted standing trust — package registries, remote-support tooling, identity servers, and now browser-extension auto-update.
JFrog traced two hijacked npm packages and a cluster of Go packages that drop a cross-platform Python infostealer, firing through VS Code workspace tasks (.vscode/tasks.json) rather than npm lifecycle hooks — a deliberate dodge around npm v12's install-script hardening, which is the quiet bright spot: the new control works well enough that attackers had to reroute. The day's operational anchor is SimpleHelp: CISA catalogued the OIDC signature-bypass flaw (CVE-2026-48558) into the KEV list today with a three-day due date of July 2, confirming the active exploitation BleepingComputer reported this morning dropping the new Djinn stealer — a one-to-many pivot through MSP RMM. OpenAM shipped 16.1.1 to close a three-bug identity-server cluster: an authenticated Groovy-sandbox RCE, OAuth client impersonation via the JWKS cache, and PKCE verification skippable on a default install.
Late escalation at 21:00 ET: two more high-severity items landed after the 18:00 synthesis, and both extend the day's pattern rather than break it. Socket documented Chrome and Firefox ‘free VPN’ extensions that shipped clean and then turned malicious through later updates to add clipboard stealers — the trusted-channel thesis carried onto the browser-extension update channel. Alongside it, GitHub published a reviewed advisory for an unauthenticated DQL-injection flaw in Dgraph's GraphQL layer (CVE-2026-44840, CVSS 7.5) that the earlier mutation-injection patches do not cover, with no fixed release listed yet.
→ Operational priority for the night patch SimpleHelp servers before CISA's July 2 KEV deadline (or pull them off the internet until you can), grep developer and CI checkouts for unexpected .vscode/tasks.json, schedule the OpenAM 16.1.1 upgrade for any realm running server-side scripts or private_key_jwt clients, and gate any internet-reachable Dgraph GraphQL endpoint behind auth/network controls until a patched build ships.