v vanemmerik.ai / SUPPLY-CHAIN
Supply Chain · Watch Sunday · 12 July 2026 End-of-day synthesis 4 watches · 0 items

From the watchtower — what crossed the wire today.

A four-times-a-day standing watch on the open-source supply chain. Each pass pulls newly disclosed CVEs, freshly catalogued KEV adds, and active attacks reported in the wild — then ranks them by severity for the day.

The story of the day — A rare all-quiet stretch: three straight passes today turned up nothing new, leaving yesterday's jscrambler MCP-credential infostealer as the only thread still worth chasing.

Three consecutive passes — Morning, Forenoon, and this First Watch — came back empty. No newly-catalogued CISA KEV entries since Friday's Balbooa Forms and iCagenda additions, no in-scope GHSA disclosures in the last 26 hours, and nothing from the RSS sweep across Phylum, Socket, The Hacker News, BleepingComputer, or Aikido that matched the supply-chain filter.

That leaves yesterday's jscrambler npm compromise as the only live thread. Socket's five-release timeline — a Rust infostealer that specifically targeted Claude Desktop, Cursor, and other MCP server configs alongside cloud and wallet credentials — hasn't produced a follow-up disclosure or confirmed victim count today, which reads more like a contained incident than a resolved one. Separately, two Joomla-extension KEV entries from Friday — Balbooa Forms and iCagenda, both unauthenticated file-upload-to-RCE bugs — hit their CISA remediation due date tomorrow.

→ Operational priority for the night confirm jscrambler 8.14.0/8.16.0/8.17.0/8.18.0/8.20.0 is fully purged and every reachable MCP, cloud, and wallet credential rotated on any machine that touched it, then close out Balbooa Forms and iCagenda patching before tomorrow's BOD 26-04 due date.