v vanemmerik.ai / SUPPLY-CHAIN
Supply Chain · Watch Wednesday · 01 July 2026 End-of-day synthesis 4 watches · 23 items

From the watchtower — what crossed the wire today.

A four-times-a-day standing watch on the open-source supply chain. Each pass pulls newly disclosed CVEs, freshly catalogued KEV adds, and active attacks reported in the wild — then ranks them by severity for the day.

The story of the day — A North Korea-linked campaign expanded to a fourth ecosystem and Rancher, SurrealDB, and Sigstore all dropped mass-disclosure batches — then, in the final hour before bed, two more high-severity credential-leak bugs landed in an Apify MCP server and a Postgres SCRAM client.

PolinRider — the North Korea-linked campaign Socket has been tracking — spread from npm into Packagist, Go modules, and malicious Chrome extensions today, the same loader-first playbook reused across four distribution channels at once. CISA also added a fresh SharePoint deserialization bug to KEV with a four-day clock, and Ghost CMS shipped an unauthenticated cache-poisoning XSS that can lead to staff-account takeover behind a shared cache.

The rest of the day was a disclosure pile-up: Rancher and Fleet dropped seven advisories together, three critical, including a YAML-injection bug that turns a leaked cluster-registration token into a cluster-admin DaemonSet; SurrealDB published 21 CVEs in one window, headlined by an HTTP session race that hands an unauthenticated caller a root session; and Sigstore added a fourth silent-verification bug of the day, this time in its npm client. oras-go and repomix — both pipeline tooling, not application code — separately picked up credential-forwarding and command-injection bugs. None of it has confirmed active exploitation, and every one already has a patched version — the volume is real, but it's responsible disclosure working as intended.

Late escalation at 21:00 ET: two more high-severity bugs surfaced in the pre-bed check. Apify's `actors-mcp-server` builds Actor URLs by concatenating a trusted base with an attacker-controlled path field, so a malicious published Actor can redirect the connection off-host while the client keeps attaching the caller's Apify bearer token — a live SSRF/credential-exfiltration pattern (CVSS 8.1), not a paper cut. Separately, OnGres' SCRAM client silently drops TLS channel binding when a server cert uses a modern signature algorithm, opening a MITM downgrade path for Postgres auth in deployments that require channel binding. Neither has a public exploit yet, but the Apify bug is the kind of thing worth checking before you close the laptop, especially with MCP tooling now sitting in more build and agent pipelines.

→ Operational priority for the night patch or isolate any internet-facing SharePoint before July 4; if you run Rancher/Fleet multi-tenant or SurrealDB in production, treat every permission boundary as unverified until today's patches are applied; and if anything in your stack calls Apify's actors-mcp-server against third-party Actors, upgrade past 0.10.11 before you trust that token again.

21:00 ET · Last Watch

Apify's actors-mcp-server leaks callers' Apify tokens to any attacker-published Actor via URL authority injection

`@apify/actors-mcp-server` builds an Actor's standby MCP URL by string-concatenating a trusted base URL with `webServerMcpPath`, a field the *Actor's own definition* controls; a value like `@attacker.example/mcp` gets parsed by Node's URL implementation as userinfo, so the connection silently resolves to the attacker's host while the client still attaches the caller's `Authorization: Bearer <APIFY_TOKEN>` header (CVSS 8.1). Any MCP host that calls `call-actor` or `fetch-actor-details` against a third-party Actor is exposed — the token grants full account access, including running Actors and racking up compute charges on the victim's bill. Upgrade past 0.10.11, and until then don't point actors-mcp-server at Actors you don't control.

OnGres SCRAM client silently drops TLS channel binding when a server cert uses a modern signature algorithm

`com.ongres.scram`'s `TlsServerEndpoint` swallows a `NoSuchAlgorithmException` when a server presents a cert signed with an algorithm that lacks a legacy `WITH`-suffixed name — Ed25519, post-quantum — and returns an empty channel-binding byte array; the client builder then misreads 'empty' as 'no channel binding available' rather than a crypto failure, letting a TLS MITM downgrade `SCRAM-SHA-256-PLUS` to plain `SCRAM-SHA-256`. Only bites deployments that explicitly require channel binding, e.g. pgJDBC's `channelBinding=require` — default prefer/allow policies fall back safely by design. Upgrade to scram-client/scram-common 3.3+; if you call the `ScramClient` builder directly, migrate off the deprecated `getChannelBindingData()` to `getChannelBindingHash()`.

OpenClaw's MCP SSE transport forwards Authorization headers across redirects

OpenClaw's MCP SSE transport follows redirects while continuing to attach the caller's `Authorization` header, so a reachable SSE endpoint that redirects can walk off with the caller's credentials — a same-shape bug to tonight's Apify token leak, different transport. Scoped to configurations where a lower-trust caller or input path can reach the affected feature; the trusted-operator model otherwise holds. Upgrade to 2026.6.5 and keep channel/tool allowlists narrow in the meantime.

18:00 ET · First Watch

North Korea-linked PolinRider campaign expands from npm into Packagist, Go modules, and Chrome extensions

Socket is tracking PolinRider, a DPRK-attributed supply-chain campaign that started in npm and has now spread hidden loaders into Packagist, Go modules, and malicious Chrome extensions — the same actor cluster reusing a loader-first playbook across four distribution channels at once. This is the cross-ecosystem generalization pattern security teams have been warning about since Miasma/Shai-Hulud: attackers are no longer picking one registry, they're running the same toolkit everywhere developers pull code from. If you allow unreviewed Chrome extensions or Go module proxies in your build environment, audit both against Socket's published IOCs tonight, not just npm.

CISA adds SharePoint Server deserialization bug to KEV — due July 4

CVE-2026-45659, a deserialization-of-untrusted-data flaw in on-prem SharePoint Server that lets an authorized attacker execute code over the network, joined the Known Exploited Vulnerabilities catalog today with a four-day remediation window. On-prem SharePoint deserialization bugs have a bad track record — ToolShell and last year's chain both turned into fast, wormable RCE once public exploit code landed — so patch or isolate internet-facing SharePoint before the July 4 due date, holiday weekend notwithstanding.

Rancher and Fleet disclose seven CVEs together, three critical: YAML command injection, project-to-host privesc, cross-namespace secret leak

Rancher shipped seven advisories at once. The worst is a command-injection bug where the cluster-import endpoint's unsanitized `authImage` query parameter lets an attacker with a leaked cluster-registration token break out of a YAML `image:` field and inject a `cluster-admin`, host-networked DaemonSet that deploys the moment a victim runs `kubectl apply`. Alongside it: a Project-Owner-to-host privilege escalation via Pod Security Admission label tampering, and a Fleet GitOps bug where unvalidated `valuesFrom` references let one tenant read any secret or configmap on a shared downstream cluster. Four more high/medium Fleet bugs round it out — unauthenticated webhook regex injection, a PSS-label overwrite, and Helm-repo credential forwarding via SSRF. If you run Rancher multi-tenant or use Fleet for GitOps across shared clusters, patch today: rotate any credentials Fleet may have forwarded and audit cluster-import tokens for exposure.

Ghost CMS: unauthenticated cache-poisoning XSS via x-ghost-preview header can lead to staff-account takeover

An unauthenticated request carrying a crafted `x-ghost-preview` header alters Ghost's rendered frontend response, and behind a shared cache — Fastly, Cloudflare, nginx proxy_cache — that altered response gets stored and served to every subsequent visitor of the page: classic cache-poisoning XSS, no auth required. If the admin panel and frontend share a domain this is a path to full staff-account takeover; upgrade to 6.37.0, and if you can't patch immediately, strip `x-ghost-preview` from your cache key.

Erlang's `quic` client library never actually verified TLS — signature, chain, and hostname were all skipped

The Erlang/Elixir `quic` package's client never checked the TLS 1.3 CertificateVerify signature, never validated the certificate chain, and never compared the hostname — `verify` was a documented no-op, so any on-path attacker could present any certificate and impersonate a QUIC or HTTP/3 server built on this client. Fixed in 1.4.4, where `verify` now defaults to on; if you set `verify => false` intentionally for a test harness, make sure that flag never reaches production config.

SurrealDB discloses 21 CVEs in one afternoon: unauthenticated crash bugs, an HTTP session race that hands out root, and a dozen permission bypasses

SurrealDB pushed 21 advisories in a single window, and four are the ones to fix first: an unauthenticated WebSocket message crashes the server outright (a bare `use` call hits an `.expect()` panic with `panic=abort`); a JSON-parser recursion-depth check that was patched for the expression parser but not the value parser reopens the same memory-exhaustion DoS; an HTTP `/rpc` session TOCTOU race lets an unauthenticated request inherit a concurrently-authenticated root session; and the `sessions` RPC method leaks every attached session UUID to anonymous callers for full session hijack (exposure here is scoped to clients using the `attach` flow, notably the Rust SDK's HTTP engine). The other seventeen are permission-bypass variants — LIVE queries, JSON Patch, graph traversal, composite record IDs — all defeating field- or table-level SELECT restrictions. Upgrade to 3.1.0+, and if you run multi-tenant SurrealDB, treat every permission boundary as untrusted until you've confirmed the patch.

repomix's --remote-branch argument injection gives arbitrary command execution; its MCP server has a separate file-read bypass

repomix passes `--remote-branch` straight into `git fetch`/`git checkout` via `execFileAsync` with no `--` delimiter, so an attacker-controlled branch value injects git's own `--upload-pack` flag plus an SSH or `file://` remote to get arbitrary command execution as whoever ran repomix — the existing `dangerousParams` blocklist doesn't catch it. Separately, repomix's `--mcp` stdio server (the mode AI coding assistants actually invoke) has an `attach_packed_output` + `read_repomix_output` flow that reads arbitrary local `.json/.txt/.md/.xml` files without the secret-scanning check normal file reads get. repomix is a common pack-the-repo-for-an-LLM tool — if an agent or lower-trust automation calls it with untrusted branch names or MCP tool args, upgrade past 1.14.1 now.

oras-go, the OCI-artifact client behind much of the container supply chain, discloses five bugs: credential forwarding to attacker registries, a tar hardlink escape, Bearer-token hijacking

Two of the five are pure credential exfiltration: oras-go reuses the initial `Authorization` header across a registry-controlled `Location` redirect during blob upload, so a malicious registry can redirect the second request to an attacker-controlled host and receive the caller's credentials, plus a similar cross-host forwarding path that leaks credentials on registry redirects generally; a third lets a malicious registry hijack the Bearer-token realm to exfiltrate credentials and refresh tokens. The other two are filesystem-escape bugs in tar extraction — a hardlink entry validates its target correctly but returns the unvalidated original path to the caller, and a separate symlink-traversal bug writes outside the configured working directory. oras-go underpins OCI artifact pulls for a lot of registry tooling; if anything in your pipeline pulls artifacts from a registry you don't fully control, upgrade to 2.6.2+ before the next pull.

Sigstore's JS/npm clients get their own silent-verification-bypass bugs: certificateOIDs never enforced, an unauthenticated timestamp can steer validity checks

This is the second Sigstore verification regression flagged today, after this morning's Timestamp Authority and sigstore-java bugs. The npm `sigstore` package accepts a `certificateOIDs` verification option but silently drops it before checking, so callers who believe they've pinned verification to a specific Fulcio OID are actually checking nothing beyond SAN and issuer. Separately, `@sigstore/verify` 3.1.0 derives a trust-relevant timestamp from an inclusion-proof-only tlog entry that isn't cryptographically bound to `integratedTime`, letting an attacker-supplied bundle influence certificate-validity checks. Four independent Sigstore-ecosystem verification bugs surfacing the same day is a pattern, not a coincidence — if you consume Sigstore bundles anywhere in a release pipeline, audit which client library and version you're actually running before trusting a green checkmark.

Keycloak's fine-grained admin permissions let a limited client-management admin assign any realm role, including full admin

Keycloak's FGAPv2 feature doesn't validate which realm roles a limited-scope client-management admin can assign to a client's scope mapping, so that admin can inject a highly privileged role — up to full realm admin — into a client, and it gets projected straight into any user token issued for that client. If you've delegated client management to non-superadmin operators under FGAPv2, upgrade to 26.6.4+ and audit existing scope mappings for roles nobody should have granted.

Centrifugo's dynamic JWKS cache keys on `kid` alone, letting one tenant's JWT authenticate as another

In a multi-issuer dynamic-JWKS configuration, Centrifugo's key cache and singleflight lookup are keyed only by the JWT header's `kid` — not by issuer, audience, or endpoint — so a token minted for tenant A verifies successfully against tenant B's identically-`kid`'d key if A's key was cached first. Both connection and subscription token verification share the vulnerable path; if you run Centrifugo with dynamic JWKS across multiple issuers, upgrade before treating tenant isolation as real.

goshs' WebDAV listener ignores every mode-restriction flag; a separate race lets a one-shot share link be downloaded twice

goshs enforces `--read-only`, `--upload-only`, and `--no-delete` on its primary HTTP port but wires the WebDAV listener straight to `x/net/webdav.Handler` with no equivalent guard, so a WebDAV client can PUT/DELETE/MOVE/COPY regardless of the operator's stated mode. A second bug lets a `limit=1` share-link token be redeemed by concurrent requests because the download-limit check and the increment aren't under the same lock. goshs is a quick-and-dirty file-sharing tool people spin up for ad hoc transfers — if you're using WebDAV mode or one-shot share links for anything sensitive, upgrade past 2.0.9.

06:00 ET · Morning Watch

Twig ships four residual sandbox bypasses after last month's __toString() and property-allowlist fixes

Twig 3.26.0's sandbox hardening left four gaps: the `column` filter forwards `SourcePolicyInterface` property reads without the active `Source`, so it re-evaluates as unsandboxed; and three separate `__toString()` coercion points — `Traversable` args in `join`/`replace`, dynamic array-mapping keys, and deprecated legacy wrapper functions — skip the new `CheckToStringNode` guard entirely. Twig is the default templating engine for Symfony and a common choice for user-authored template features (themes, email templates, low-code builders); any app that sandboxes untrusted Twig should treat these as full bypasses until patched. Upgrade past 3.26.0 and re-audit any `SourcePolicyInterface` property allowlist that assumed the prior fix held.

Paymenter checkout lets any user provision premium hosting plans at base price via URL params

Paymenter's `Checkout` Livewire component exposes `$checkoutConfig` as a URL-writable property, and bundled server extensions trust user-supplied provisioning parameters over admin-configured plan limits — so an authenticated user can inject arbitrary key-value pairs into the checkout URL and provision resources beyond what they paid for (CVSS 8.5). The same release also has a credit-double-spend bug: `payWithCredit()` takes its row lock outside the enclosing transaction, so MySQL/MariaDB never actually enforces it, letting concurrent requests pay multiple invoices from one credit balance. Paymenter runs billing for hosting resellers — patch to 1.5.1+ for the checkout bypass and confirm the credit lock is transaction-wrapped before trusting balances.

Kahi process supervisor: three privilege/permission bugs, including a silent privilege-drop failure

A full-codebase review of Kahi (an early-stage Go process supervisor) found that `user = "uid:gid"` config was resolved but never attached to the spawned child — so a process meant to drop to a low-privilege user instead inherited the supervisor's own privileges, root if the supervisor runs as root. Two related socket/log permission issues shipped alongside it. Kahi is pre-1.0 (alpha.8) so exposure is limited, but if you're piloting it as a privilege-drop boundary, upgrade to v0.1.0-alpha.9 before relying on the `user` directive for anything security-sensitive.

oban_web dashboard: any authenticated user can hijack queued jobs; malicious cron strings can OOM the node

oban_web 2.12.0–2.12.4 has two bugs worth pairing: a missing authorization check on the `save-job` LiveView handler lets any authenticated dashboard user — including read-only accounts — rewrite a queued job's worker module, so Oban executes attacker-chosen code on the next run; and an unvalidated cron-range parser lets an expression like `0 0 1-100000000 * *` allocate gigabytes of memory the moment anyone views the cron list, crashing the BEAM node. If you run oban_web with any multi-user dashboard access, upgrade to 2.12.5 and treat read-only accounts as having had write access until you do.

Sigstore Timestamp Authority and Java client both got quiet fixes this week

Two unrelated Sigstore-ecosystem bugs surfaced together: the Timestamp Authority's Prometheus middleware records raw, unbounded request paths as metric labels, so an unauthenticated attacker can OOM the server by hitting arbitrary 404 paths; and sigstore-java 2.0.0 had a regression that dropped verification of Rekor's `integratedTime` against the Fulcio certificate's validity window, silently weakening bundle verification. Sigstore underpins keyless signing for cosign and sigstore-python — patch the TSA past 2.0.6/1.2.9, and if you pinned sigstore-java at exactly 2.0.0, move off it now.

CefSharp.Common path-boundary check uses a prefix match, letting requests escape the configured root folder

`FolderSchemeHandlerFactory` in CefSharp.Common validated served-file paths with `filePath.StartsWith(rootFolder)` instead of a proper boundary check, so a sibling directory whose name happens to start with the root folder's path string passes the filter — a classic path-prefix bypass. CefSharp embeds Chromium in .NET desktop apps; if you use its folder scheme handler to serve local content, upgrade to 148.0.90+ before trusting the root-folder sandbox.

Probo's redirect validator only checks the second character of the path — enough for an OAuth open redirect

Probo's `saferedirect` package, used across its OIDC/SAML/OAuth and magic-link auth flows, only inspected the second character of relative paths, so `/../\evil.com` passes validation (second char is `.`) and Go's `http.Redirect` normalizes it to `/\evil.com` — which browsers interpret as a host separator, redirecting to `evil.com`. Any auth flow that echoes a redirect target is a phishing pivot; upgrade to 0.204.0+ and grep your own redirect validators for the same second-character-only pattern.

GHSA backfills two old, already-patched RabbitMQ advisories — no new action needed

Two RabbitMQ DoS bugs appeared in today's GHSA feed with fresh timestamps but old CVE numbers: unbounded HTTP API message size (CVE-2023-46118, fixed in 3.12.7) and a predictable credential-obfuscation seed in the Shovel/Federation plugins (CVE-2022-31008, fixed in 3.10.2/3.9.18/3.8.32). Both were patched years ago — flagging only because they surfaced in the ingest window; no action needed if you're on a remotely current RabbitMQ release.