v vanemmerik.ai / SUPPLY-CHAIN
Supply Chain · Watch Thursday · 16 July 2026 Live · last refresh 12:00 ET · Forenoon Watch 2 watches · 5 items

From the watchtower — what crossed the wire today.

A four-times-a-day standing watch on the open-source supply chain. Each pass pulls newly disclosed CVEs, freshly catalogued KEV adds, and active attacks reported in the wild — then ranks them by severity for the day.

12:00 ET · Forenoon Watch

UAT-11795 trojanizes WebEx and Zoom installers to push a new Starland RAT for credential and crypto theft

A financially motivated Russian threat actor tracked as UAT-11795 is distributing trojanized WebEx and Zoom installers that drop a new backdoor, Starland RAT, built for credential and cryptocurrency theft. It's the same trojanized-installer shape as this week's AsyncAPI and Laravel-Lang campaigns, just aimed at commercial conferencing software instead of a package registry — verify installer hashes against vendor-published checksums before pushing WebEx/Zoom updates fleet-wide, especially to machines with browser-stored credentials or crypto wallets.

ClickLock: new macOS infostealer coerces the password out of victims by killing their apps every 210ms until they comply

ClickLock arrives as a copy-pasted Terminal one-liner — the same delivery vector as the 'fix your build' social-engineering lures showing up against npm/PyPI users — and when a victim declines its fake system-update password prompt, it kills Finder, Dock, Spotlight, Terminal, and Activity Monitor on a 210ms loop until they type it in. Two LaunchAgents persist past the next login, so anyone who ran an unfamiliar paste-and-run command recently should check ~/Library/LaunchAgents for unrecognized entries rather than trust a clean reboot.

PhantomEnigma campaign turns 20+ hijacked Brazilian government sites into a malware delivery channel

ANY.RUN traced more than 20 compromised Brazilian government domains back to a single PhantomEnigma operation, surfacing a previously undocumented backdoor and shared infrastructure tying the sites together. Government TLDs carry inherited trust that makes them effective droppers precisely because defenders don't expect to blocklist them — if you allowlist .gov.br or similar by policy, treat that allowlist as compromised until the campaign's full domain list is published.

Daxin kernel-mode rootkit resurfaces in a Taiwan manufacturing firm after four years, alongside a new pre-login SYSTEM backdoor dubbed Stupig

Daxin (srt64.sys), the China-linked kernel rootkit Symantec first documented in 2022, has turned up active again inside a Taiwan manufacturing target — this time paired with Stupig, a previously unreported backdoor that gets SYSTEM-level access before Windows login completes. Manufacturing-sector IR teams should treat any unexplained kernel driver on a Windows host as a Daxin candidate and prioritize pre-boot/pre-login authentication telemetry, since that's exactly the window Stupig operates in.

06:00 ET · Morning Watch

MantisBT: printf-based half of the admin/install.php reflected-XSS disclosure

The printf-based twin to last night's print_test_result() disclosure (GHSA-77x8-3v3h-hrhv): six more unauthenticated reflected-XSS injection points in admin/install.php, this time via an unescaped printf format string instead of a missing output-encoding call. Same CSP gap drives the real exploit path — script-src 'self' blocks inline JS but there's no form-action directive, so a crafted URL renders a fake admin login form or open-redirects the victim rather than running classic inline-script XSS. If you haven't already pulled /admin per MantisBT's post-install guidance for the companion advisory, this closes the other half of the same exposure — do it now.