v vanemmerik.ai / SUPPLY-CHAIN
Supply Chain · Watch Tuesday · 30 June 2026 End-of-day synthesis 4 watches · 10 items

From the watchtower — what crossed the wire today.

A four-times-a-day standing watch on the open-source supply chain. Each pass pulls newly disclosed CVEs, freshly catalogued KEV adds, and active attacks reported in the wild — then ranks them by severity for the day.

The story of the day — A live PyPI backdoor campaign, a coordinated node-escape pileup in Fission's serverless platform, and an SSRF in Sigstore's signing CA hit every layer from registry to trust root on the same day.

The end-of-day picture lines new disclosures up along the whole build-and-ship path, and one of them is already running in the wild. BleepingComputer surfaced a PyPI campaign — active since last November — that ships trojanized Pyrogram forks to developers building Telegram bots, giving the operator arbitrary file reads on every server that imports them.

Above the registry, the orchestration layer took the heavier hit: Fission, the Kubernetes-native serverless framework, published a coordinated batch of nine advisories today — four of them critical — all tracing to unvalidated PodSpec passthrough that lets a tenant set hostPID/hostNetwork/privileged and escape the node to own the cluster, with a webhook that only fired on create so a clean Environment could be patched dirty afterward. The trust root wasn't spared either: Sigstore's Fulcio CA disclosed an OIDC-discovery SSRF that let a malicious issuer follow cross-host redirects to substitute a poisoned JWKS into the verifier cache (CVE-2026-49478, fixed in v1.8.6). Yesterday's SimpleHelp KEV entry (CVE-2026-48558) stays hot — a second source now confirms the TaskWeaver/Djinn payloads — and npm chipped in an incomplete-fix prototype-pollution bypass in @adonisjs/bodyparser and a query-string authorization bypass in Cedar's Express middleware. The bright spot is that everything except the PyPI campaign is a coordinated disclosure shipping with fixes, and Aikido's acquisition of Root points the backport-not-upgrade model at exactly this kind of pileup.

→ Operational priority for the night if you run Fission, gate Environment CRDs behind the create-and-update webhook and upgrade before a tenant patches in hostPID — then pin Fulcio to v1.8.6, and grep your PyPI lockfiles for Pyrogram forks before tomorrow's first build.

21:00 ET · Last Watch

Open Babel: heap overflow and OOB write in SMILES/gzip parsers, patched last month

Two OSS-Fuzz-caught memory-safety bugs in Open Babel's C++ core surfaced tonight: a heap buffer overflow in the SMILES parser (CVE-2025-10996) and an overlapping-memcpy out-of-bounds write in the bundled gzip reader (CVE-2025-10995), both reachable by feeding a crafted SMILES string or compressed chemistry file to obabel or its Python/Ruby/Java/C#/PHP bindings. GHSA rates the SMILES bug high (CVSS 7.8), but both were fixed in 3.2.0 five weeks ago — this is a routine disclosure catching up to an already-shipped patch, not a live-exploit story. If you embed openbabel to parse untrusted chemistry files, confirm you're on 3.2.0+.

Risky Biz podcast: AI coding agents are raising the stakes for supply-chain security

Socket's writeup of this week's Risky Biz episode argues that AI coding agents are pulling in dependencies faster than humans can review them, widening the window for typosquats and malicious packages to land unnoticed. No new incident here, but it's the framing to keep in mind for tonight's PyPI and Fission stories — both were caught by tooling, not code review.

18:00 ET · First Watch

Malicious PyPI packages ship trojanized Pyrogram forks, backdooring Telegram-bot servers

A PyPI campaign active since last November distributes trojanized forks of Pyrogram — the popular MTProto client library — to developers building Telegram bots, planting a backdoor that lets the operator read arbitrary files on any server that imports the package. This is the live one on today's board: the malicious distributions are on the index now, and the blast radius is every bot host that pip-installed a look-alike instead of upstream. Grep your PyPI lockfiles for non-canonical Pyrogram forks, pin to the real package, and treat any bot server that pulled an unverified fork as file-read-compromised.

Fission batch-discloses node escape: unvalidated PodSpec passthrough across nine advisories

Fission, the Kubernetes-native serverless framework, published a coordinated set of nine advisories today — four critical — rooted in the same flaw: Environment CRD podSpec passthrough never validated hostPID/hostIPC/hostNetwork/hostPath/privileged, and MergePodSpec forwarded those dangerous fields straight into the generated function pods, letting a namespaced tenant escape the node and pivot to full cluster compromise (CVE-2026-50545, -50563, -50564, -50566, plus cross-namespace reference highs). The kicker is a validation gap that's textbook to miss in review — the admission webhook registered verbs=create only, so a tenant could kubectl apply a clean Environment and then kubectl patch the dangerous fields in unchallenged. Upgrade now; the fix extends the webhook to create;update and strips host namespaces, hostPath, and privileged flags at the merge layer. If you run multi-tenant Fission, audit existing Environments for already-patched-in host fields before you upgrade.

Sigstore Fulcio: OIDC-discovery SSRF allows JWKS substitution and verifier-cache poisoning

Fulcio — the certificate authority behind Sigstore keyless signing — followed cross-host redirects when fetching OIDC discovery metadata, so a compromised or malicious issuer could redirect discovery to internal-only systems (blind SSRF) and, worse, return an attacker-controlled jwks_uri that poisoned the verifier cache with a malicious key (CVE-2026-49478). An SSRF that can substitute the JWKS in a signing CA is a trust-root problem, not just an availability one — it sits exactly where the supply chain is supposed to be hardest to fake. There is no workaround: upgrade to v1.8.6, which blocks cross-host redirects and only attaches the ServiceAccount token when the request host exactly matches the configured issuer.

@adonisjs/bodyparser: incomplete fix for CVE-2026-25754 still allows prototype pollution

The prior patch for CVE-2026-25754 swapped the internal FormFields store to Object.create(null), which blocked direct __proto__ payloads but not nested ones — user.__proto__.polluted still reaches Object.prototype (CVE-2026-48795). It's exploitable remotely with a single unauthenticated multipart/form-data request under the default config, so any AdonisJS app taking file uploads is in scope. Classic incomplete-fix shape: the first patch closed the obvious path and left the nested one. Upgrade to 10.1.5 or 11.0.3.

Cedar Express middleware: query-string mismatch lets requests bypass authorization

AWS's Cedar authorization middleware for Express matched requests against action mappings using req.originalUrl (which includes the query string) while Express routes on the path alone — a divergence that lets a crafted query string steer Cedar to authorize one action while Express executes another (CVE-2026-49473). Where overlapping path prefixes carry different permission levels, that gap is a clean authorization bypass. Upgrade past 0.3 and don't lean on the middleware as the sole gate for overlapping routes; sanitize incoming paths before they reach it.

12:00 ET · Forenoon Watch

SimpleHelp CVE-2026-48558 still under active exploitation — TaskWeaver loader and Djinn Stealer in the wild

The Hacker News confirms continued in-the-wild exploitation of the SimpleHelp OIDC auth-bypass (CVE-2026-48558, CVSS 10.0) that hit the KEV catalog yesterday, with an unattributed actor chaining it to drop two previously-unreported malware families: the TaskWeaver loader and Djinn Stealer. This is the same campaign BleepingComputer surfaced yesterday, now corroborated by a second source a day into the KEV's three-day remediation window — the unauthenticated, internet-reachable RMM server remains the pivot. If you run SimpleHelp, the patch deadline is July 2: apply the fixed build now, grep OIDC logs for unauthenticated callback hits, and hunt TaskWeaver/Djinn artifacts on anything a lagging server could reach.

Microsoft.OpenApi: circular schema reference crashes the reader via stack overflow

A small OpenAPI document containing a circular schema reference triggers a stack overflow that terminates the process through Microsoft.OpenApi's public reader APIs (CVE-2026-49451), confirmed on both the JSON and YAML parsing paths. It is availability-only, but it bites any .NET service that parses untrusted OpenAPI specs — API gateways, doc generators, spec-import tooling — where a one-line malicious document is a free crash. GHSA labels it high; treat it as patch-soon if you ingest third-party specs. Upgrade to 2.7.5+ or 3.5.4+ (the 1.x line is unaffected).

Aikido acquires Root to ship backported fixes for open-source vulnerabilities

Aikido has acquired Root, whose approach is to patch open-source vulnerabilities in the version you already run rather than forcing a dependency upgrade, with critical fixes pushed back to the community for free. Backported fixes are a pragmatic answer to the upgrade-treadmill problem that leaves so much supply-chain risk unpatched — useful when a major-version bump is the real blocker. Vendor framing aside, watch how the free-tier coverage actually lands; consolidation in the OSS-security tooling space keeps accelerating.