Supply Chain Watch · Monday 25 May 2026 · End-of-day synthesis · 3 watches · 6 items

From the watchtower — what crossed the wire today.

A four-times-a-day standing watch on the open-source supply chain. Each pass pulls newly disclosed CVEs, freshly catalogued KEV adds, and active attacks reported in the wild — then ranks them by severity for the day.

The story of the day — Monday after the storm: TrapDoor's narrative spreads while two Defender CVEs land on the KEV list.

The registries went quiet today, which is the shape Mondays usually take after a chaotic weekend. Sunday's TrapDoor disclosure — Socket's cross-ecosystem credential-stealer cluster spanning 34 packages and 384+ versions across npm, PyPI, and crates.io — reached mainstream coverage through The Hacker News, but no fresh package-poisoning campaigns surfaced anywhere in the watch window.

The operational story moved to endpoint security: CISA pinned two Microsoft Defender CVEs to its KEV catalog last week — a link-following local EoP (CVE-2026-41091) and a denial-of-service (CVE-2026-45498) — both with a June 3 due date, backfilled into the watch by the Forenoon pass after yesterday's triage missed them. Lazarus continued to be Lazarus; NCC Group / Fox-IT published a writeup on the RemotePE memory-only RAT staged through DPAPILoader and RemotePELoader against crypto and finance targets, a useful reference for the loader-chain pattern that downstream-of-supply-chain payloads are converging on. The Socket RSS feed recovered from this morning's Cloudflare 403, so no new Socket disclosures were quietly missed during the gap.

The defensive bright spot is the sheer absence: a full Monday in the watch window with zero new registry hijacks, zero new RCE-grade GHSA disclosures, and no fresh maintainer-account compromises — the kind of breathing room you spend hardening for the next campaign, not relaxing.

→ Operational priority for the night: confirm the May Patch Tuesday Defender rollup actually applied on every Windows host before the June 3 KEV due date — the patch dashboard reports what was pushed; the agent version on the endpoint reports what stuck.

18:00 ET · First Watch

THN Weekly Recap: Linux flaws, Defender 0-days, router botnets, and supply chain chaos

The Hacker News' Monday recap pulls the week's threads together — the Defender KEV double-add gets framed as 'security products needing protection from themselves,' the TrapDoor cluster gets the supply-chain-chaos slot, and Linux kernel CVE-2026-31431 (incorrect-resource-transfer-between-spheres) gets coverage as the back-from-the-dead old bug. Worth one read if you want a single link to send the team for the week's shape; nothing in here that the watch hasn't already triaged in higher resolution.

12:00 ET · Forenoon Watch

CISA KEV (backfill): Microsoft Defender link-following local EoP

Surfaced this pass as backfill — CISA added Defender's link-following EoP (CWE-59, symlink follow) on May 20 and yesterday's triage missed it. Local privilege escalation on the endpoint protection agent itself; due date for federal agencies is June 3. Endpoint security products running with SYSTEM are a perennial soft target — if your Windows fleet runs Defender, confirm the May Patch Tuesday rollout actually applied on every host, not just the ones reporting in your patch dashboard. The Hacker News' weekly recap headlines this as a 'Defender 0-day,' though the KEV entry itself doesn't assert pre-disclosure exploitation.

CISA KEV (backfill): Microsoft Defender denial-of-service

Companion Defender KEV add from the same May 20 batch — unspecified vulnerability that allows DoS of the agent. Lower operational priority than CVE-2026-41091 above (an attacker who can already crash your EDR generally has bigger problems), but tracked together because the patch is the same operation. Don't deploy one without the other.

Lazarus deploys RemotePE — memory-only RAT staged through two loaders (DPAPILoader + RemotePELoader)

Not a registry-poisoning campaign and not strictly supply-chain — included as context because the multi-stage loader shape (decryptor → in-memory PE → C2) is exactly the post-install pattern the TrapDoor and Shai-Hulud-class npm payloads have been moving toward. If you're building detections for memory-resident stagers downstream of a poisoned dev dependency, Fox-IT's writeup is a useful reference for the loader chain to model. Targets are crypto and financial firms, so payload selection is consistent with DPRK funding objectives rather than a broad spray.

Operational note: Socket RSS feed returning HTTP 403 this pass (recovered by First Watch)

The Socket blog feed returned 403 on the Forenoon fetch — likely Cloudflare bot-protection rather than an outage. By the First Watch pass the feed was back to 200 with 10 items in window and zero matching the keyword filter, confirming the 403 was transient and that no Socket disclosures were silently missed during the gap. Logging here as a known intermittent failure mode of the pipeline — if it recurs across two consecutive passes, the fetcher should rotate User-Agent or move to direct site scraping rather than RSS.
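The "no disclosures silently missed" conclusion above only holds if the recovered feed's window actually reaches back past the last successful fetch; a feed that has rolled over during a long outage recovers to 200 and still loses items. The following is an added example, not the watch pipeline's own code: a small pass recorder that tracks consecutive non-200 fetches (tripping the fallback after two, as the note suggests), and on recovery checks whether the oldest item in the window predates the last good fetch. The keyword list, threshold, and feed items are constructed assumptions.

```python
"""Feed-gap and fallback bookkeeping for a polling watch (added example).

Assumptions (not from the page): KEYWORDS is a stand-in for the watch's real
filter, FALLBACK_AFTER = 2 encodes "recurs across two consecutive passes", and
all feed items below are constructed for the replay.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional, Set

FALLBACK_AFTER = 2  # consecutive failed passes before the fetcher changes strategy
KEYWORDS = ("npm", "pypi", "crates.io", "malicious", "supply chain")  # assumed filter terms


@dataclass
class FeedItem:
    guid: str
    title: str
    published: datetime


@dataclass
class FeedState:
    """What the pipeline remembers between passes."""
    last_ok: Optional[datetime] = None           # wall-clock time of the last HTTP 200
    seen: Set[str] = field(default_factory=set)  # guids already triaged
    failures: int = 0                            # consecutive non-200 passes


@dataclass
class PassResult:
    status: int
    new_items: List[FeedItem]
    matches: List[FeedItem]
    gap_covered: Optional[bool]  # None: nothing fetched; False: items may have scrolled off
    fallback: bool               # True: rotate User-Agent or scrape the site instead of RSS


def matches_filter(item: FeedItem) -> bool:
    title = item.title.lower()
    return any(k in title for k in KEYWORDS)


def record_pass(state: FeedState, status: int, items: List[FeedItem], now: datetime) -> PassResult:
    """Record one fetch; on a 200, decide whether the window covers any preceding gap."""
    if status != 200:
        state.failures += 1
        return PassResult(status, [], [], None, state.failures >= FALLBACK_AFTER)

    new = [i for i in items if i.guid not in state.seen]
    oldest = min((i.published for i in items), default=None)
    if state.last_ok is None:
        covered = True                      # first successful fetch: no baseline to miss
    elif oldest is None:
        covered = False                     # an empty window says nothing about the gap
    else:
        covered = oldest <= state.last_ok   # window reaches back before the gap started

    state.seen.update(i.guid for i in items)
    state.last_ok = now
    state.failures = 0
    return PassResult(status, new, [i for i in new if matches_filter(i)], covered, False)


def run_scenario() -> List[PassResult]:
    """Constructed replay of the day: 06:00 OK, 12:00 403, 18:00 OK with 10 items in window."""
    utc = timezone.utc
    t = lambda h: datetime(2026, 5, 25, h, tzinfo=utc)
    morning = [FeedItem("a", "Unrelated post", t(4)), FeedItem("b", "Another post", t(5))]
    evening = morning + [FeedItem(f"e{i}", f"Blog post {i}", t(7 + i)) for i in range(8)]
    state = FeedState()
    return [
        record_pass(state, 200, morning, t(6)),
        record_pass(state, 403, [], t(12)),
        record_pass(state, 200, evening, t(18)),   # oldest item 04:00 <= 06:00: gap covered
    ]


def run_outage_scenario() -> List[PassResult]:
    """Constructed longer outage: two 403s trip the fallback, and the feed that finally
    returns has rolled past the last good fetch, so the gap is NOT covered."""
    utc = timezone.utc
    t = lambda h: datetime(2026, 5, 25, h, tzinfo=utc)
    early = [FeedItem("a", "Unrelated post", t(4))]
    late = [FeedItem(f"l{i}", f"Malicious npm package wave {i}", t(15 + i)) for i in range(3)]
    state = FeedState()
    return [
        record_pass(state, 200, early, t(6)),
        record_pass(state, 403, [], t(12)),
        record_pass(state, 403, [], t(18)),        # second consecutive failure: fallback
        record_pass(state, 200, late, t(23)),      # oldest item 15:00 > 06:00: not covered
    ]


if __name__ == "__main__":
    for r in run_scenario() + run_outage_scenario():
        print(r.status, len(r.new_items), len(r.matches), r.gap_covered, r.fallback)
```

The point of `gap_covered` is that "back to 200" is a necessary but not sufficient signal; the pipeline should log the oldest-item timestamp against `last_ok` on every recovery, and treat `False` as a trigger to re-fetch by other means rather than as a clean bill of health.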

06:00 ET · Morning Watch

TrapDoor: The Hacker News writes up the cross-ecosystem credential-stealer disclosed by Socket

Follow-on coverage of the campaign Socket disclosed yesterday — same TrapDoor cluster, 34 malicious packages and 384+ versions across npm, PyPI, and crates.io, with the earliest activity timestamped at 2026-05-22 20:20 UTC. No new IoCs in the HN piece, but it confirms the cross-ecosystem coordination and the waves-of-publication pattern Socket called out. If you read Socket's writeup yesterday, you can skip this; if you didn't, this is the readable executive summary to forward to your platform team.