vanemmerik.ai / SUPPLY-CHAIN
Supply Chain · Watch · Wednesday · 03 June 2026 · End-of-day synthesis · 4 watches · 15 items

From the watchtower — what crossed the wire today.

A four-times-a-day standing watch on the open-source supply chain. Each pass pulls newly disclosed CVEs, freshly catalogued KEV adds, and active attacks reported in the wild — then ranks them by severity for the day.

The story of the day — A public VS Code / github.dev one-click token steal and a triple-critical RCE chain in Jupyter Enterprise Gateway land in the same 48-hour window in which CISA pushes four bugs to the KEV catalog and Wordfence logs hundreds of active hits on Kirki.

The day's shape is developer-environment first. A working PoC for a one-click VS Code / github.dev OAuth-token steal — which yields read/write on every private repo the victim can reach, plus desktop RCE on the same chain — went public yesterday with no Microsoft patch in sight. Hours later GitHub published three critical advisories against Jupyter Enterprise Gateway: a Jinja2 SSTI in the Kubernetes manifest renderer, a YAML-manifest injection in the same path, and a bypass of the prohibited-UID/GID check, all of which give attackers code execution and the cluster service-account token on multi-tenant JEG deployments.

Underneath that, CISA is moving. Four bugs have been added to the KEV catalog in 48 hours — Oracle WebLogic T3/IIOP (due tomorrow), Linux kernel cgroups v1 release_agent, Android Framework integer overflow, and as of today an unauth PHP-deserialization RCE in Mirasvit's Magento cache warmer. Kirki, the WordPress customizer plugin on 500k+ sites, is in active mass-exploitation with Wordfence blocking hundreds of hits per day on the same unauth admin-takeover flaw covered in this morning's pass. Gamaredon (FSB) is using a WinRAR path-traversal to drop GammaWorm against Ukrainian targets — the targeting is narrow but the unpatched WinRAR shape sits in plenty of CI artifact pipelines. The defensive bright spot is small: Wordfence is catching Kirki at the edge for customers who pay them, which is exactly the kind of telemetry-first defence Aikido's analysis today argues EDR and forward-proxies don't replicate for npm-install-time attacks.

→ Operational priority for the night: patch WebLogic T3/IIOP (KEV due tomorrow), push Kirki 6.0.7 to every WordPress fleet you own, and disable Jupyter Enterprise Gateway's Kubernetes mode (or take the gateway down) until 3.4.x lands.

21:00 ET · Last Watch

Froxlor hosting control panel: API authentication bypasses 2FA — GHSA-f9rx-7wf7-jr36 (GHSA-rated high; medium here)

Late-evening GHSA: Froxlor's `FroxlorRPC::validateAuth` accepts an API key+secret pair without ever checking the user's TOTP, even on accounts where 2FA is enforced for the web UI. An attacker holding a leaked key+secret gets the full admin or customer API surface without a second factor. GHSA rates it high; we're listing at medium because Froxlor is a niche PHP hosting panel, exploitation requires already-leaked API credentials, and there's no active campaign — but if you run Froxlor anywhere, rotate API keys for 2FA-enforced accounts and watch the project for the patched release. Filed for completeness; doesn't change the night's operational picture.

aiohttp CVE-2026-47265: per-request `cookies` parameter leaks across cross-origin redirects

GHSA-hg6j-4rv6-33pg covers a defect in aiohttp's redirect handling: cookies supplied via the per-request `cookies=` kwarg are forwarded after a cross-origin redirect, so an attacker who controls a redirect target can capture session cookies a client thought were scoped to the original host. The workaround is to set the cookie via a `Cookie` header in `headers=` until the upstream patch (commit f54c408) lands in a release. Low operational urgency tonight, but if you use aiohttp as an outbound HTTP client and rely on `cookies=` for authentication, audit your call sites and switch to `headers=` until the release ships.
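One way to run the call-site audit described above, as an added example that is not part of the advisory or of aiohttp: a static scan that lists every HTTP call passing `cookies=`. It matches on method name only, so it also flags other clients that share those method names; `find_cookie_kwargs` and the sample module are constructed for illustration.

```python
import ast

# ClientSession methods (and module-level aiohttp.request) that take cookies=.
HTTP_METHODS = {"request", "get", "post", "put", "patch", "delete", "head", "options"}

def find_cookie_kwargs(source, filename="<source>"):
    """Return sorted (line, callee, redirects_disabled) for calls passing cookies=."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        if node.func.attr not in HTTP_METHODS:
            continue
        kwargs = {k.arg: k.value for k in node.keywords if k.arg}
        if "cookies" not in kwargs:
            continue
        redirects = kwargs.get("allow_redirects")
        # Triage hint: with allow_redirects=False no redirect is followed at all.
        disabled = isinstance(redirects, ast.Constant) and redirects.value is False
        findings.append((node.lineno, ast.unparse(node.func), disabled))
    return sorted(findings)

# Constructed sample module, not taken from any real code base.
SAMPLE = '''
import aiohttp

async def fetch(session, url, sid):
    async with session.get(url, cookies={"session": sid}) as r:
        return await r.text()

async def fetch_pinned(session, url, sid):
    async with session.post(url, cookies={"session": sid}, allow_redirects=False) as r:
        return r.status

async def fetch_header(session, url, sid):
    async with session.get(url, headers={"Cookie": f"session={sid}"}) as r:
        return await r.text()
'''

if __name__ == "__main__":
    for line, callee, disabled in find_cookie_kwargs(SAMPLE):
        note = "redirects disabled" if disabled else "follows redirects: move to headers="
        print(f"line {line}: {callee}(cookies=...) [{note}]")
```

Calls that report redirects disabled are lower priority; the rest are the ones to move to `headers=` first.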

Chinese-speaking actor expands to Europe with new Atlas RAT and backdoor toolset

A Chinese-speaking crimeware crew previously focused on APAC has rotated to European targets with a previously-undocumented Atlas RAT and a companion backdoor. Not a supply-chain attack by itself — initial access reporting points at phishing and edge-device exploitation, not registry or build-system compromise — but worth filing as the kind of regional pivot that often precedes a wave of opportunistic dependency abuse once the operators settle into a new target set.

18:00 ET · First Watch

CISA KEV: Mirasvit Full Page Cache Warmer (Magento) unauth PHP-object deserialization → RCE — CVE-2026-45247, due 2026-06-06

CISA added CVE-2026-45247 to KEV this morning, three-day due date of June 6, ransomware-use marked Unknown. The bug is a CWE-502 deserialization of untrusted data in Mirasvit's Full Page Cache Warmer module for Magento — the module unserialises a PHP object straight out of the `CacheWarmer` cookie, so any attacker who can hit the storefront can land a POP-chain and execute code as the web user. This is the fourth KEV addition in 48 hours and the second tied to a developer/operator tool (after Linux cgroups v1, Android Framework, and Oracle WebLogic). If you run Magento 2 with the Mirasvit Cache Warmer installed, take it offline or remove the module tonight; the vendor changelog (mirasvit.com/package/changelog/?package=mirasvit/module-cache-warmer) is the patch source. Even if you don't run Magento, the broader pattern matters — KEV is now flagging mid-tier e-commerce dependencies as quickly as the big-name servers.

Jupyter Enterprise Gateway: three concurrent critical advisories — Jinja2 SSTI RCE, Kubernetes manifest injection, and prohibited-UID/GID bypass

GitHub published three coordinated critical advisories against Jupyter Enterprise Gateway, the multi-tenant kernel gateway used in shared JupyterHub-on-Kubernetes deployments. GHSA-f49j-v924-fx9w is Server-Side Template Injection in the Jinja2 template that renders the Kubernetes manifest — `KERNEL_*` environment variables flow into the template unsanitised, so an attacker who can set them executes Python in the gateway process and lifts the cluster service-account token. GHSA-cfw7-6c5v-2wjq is YAML manifest injection in the same path: untrusted env vars are interpolated without YAML-aware quoting, letting an attacker overwrite `securityContext` or inject extra documents to create arbitrary Kubernetes resources. GHSA-chq7-94j8-cj28 bypasses the prohibited-UID/GID guard that's supposed to stop kernels from running as root. Taken together this is a cluster-takeover chain on any JEG deployment where remote users can influence kernel-launch env vars (which is most of them by design). Patches are pending on the JEG main branch; until they ship, take Enterprise Gateway down or front it with a strict allowlist on `KERNEL_*` and pin kernel pods to a non-privileged ServiceAccount.
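A sketch of the strict `KERNEL_*` allowlist suggested above, written as a filter a fronting proxy could apply to the kernel-launch environment before it reaches the gateway. This is an added example, not Enterprise Gateway code; the variable set, the value patterns and the name `filter_kernel_env` are assumptions to adapt to your deployment.

```python
import re

# Assumed policy: the only KERNEL_* variables a client may set, each with a
# pattern the whole value must match. No pattern admits template delimiters,
# quotes, colons-with-space, or newlines.
ALLOWED = {
    "KERNEL_USERNAME": re.compile(r"[a-z0-9]([a-z0-9-]{0,30}[a-z0-9])?"),
    "KERNEL_NAMESPACE": re.compile(r"[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?"),
    "KERNEL_IMAGE": re.compile(r"[a-z0-9][a-z0-9./_-]{0,200}(:[A-Za-z0-9._-]{1,128})?"),
    "KERNEL_UID": re.compile(r"0|[1-9][0-9]{0,8}"),  # canonical decimal only
    "KERNEL_GID": re.compile(r"0|[1-9][0-9]{0,8}"),
}
PROHIBITED_IDS = {0}  # root; extend with any other IDs your policy forbids

def filter_kernel_env(env):
    """Split a kernel-launch env dict into (accepted, {name: rejection reason})."""
    accepted, rejected = {}, {}
    for name, value in env.items():
        if not name.startswith("KERNEL_"):
            continue  # outside this policy; assumed to be dropped elsewhere
        pattern = ALLOWED.get(name)
        if pattern is None:
            rejected[name] = "not on allowlist"
        # fullmatch, not match with "$": "$" would accept a trailing newline.
        elif not isinstance(value, str) or not pattern.fullmatch(value):
            rejected[name] = "value fails pattern"
        elif name in ("KERNEL_UID", "KERNEL_GID") and int(value) in PROHIBITED_IDS:
            rejected[name] = "prohibited id"
        else:
            accepted[name] = value
    return accepted, rejected

# Constructed request environment for illustration.
SAMPLE = {
    "KERNEL_USERNAME": "alice",
    "KERNEL_NAMESPACE": "team-a\ninjected: true",
    "KERNEL_IMAGE": "{{ 7*7 }}",
    "KERNEL_UID": "0",
    "KERNEL_GID": "1000",
    "KERNEL_EXTRA": "x",
}

if __name__ == "__main__":
    ok, bad = filter_kernel_env(SAMPLE)
    print("accepted:", ok)
    print("rejected:", bad)
```

Reject the whole launch request when anything lands in the rejected map rather than forwarding the accepted subset.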

React Router v7 Framework Mode: prototype-pollution → RCE chain, manifest-endpoint DoS, RSC redirect XSS (three high advisories shipped together)

Three high-severity advisories landed on React Router today, all gated to Framework Mode (Remix v2.10-2.17.4 is also in scope on the first two). GHSA-49rj-9fvp-4h2h is the headline: in apps that already have a prototype-pollution sink, a crafted external request can chain into RCE on the server. GHSA-8x6r-g9mw-2r78 is a DoS against the `__manifest` endpoint via unbounded path expansion. GHSA-q5gr-... covers an XSS in the unstable RSC redirect handler that fires when an attacker controls the redirect target as a `javascript:` URL. None of these affect Declarative Mode (`<BrowserRouter>`) or pure Data Mode (`createBrowserRouter`/`<RouterProvider>`) — Framework Mode is the SSR/loader path. If you ship a React Router v7 app in Framework Mode (or Remix in the 2.10-2.17 band), upgrade as soon as the patched releases land and audit your loader code for prototype-pollution shapes; the RCE chain is two-step, but step one is more common than people think.

browserstack-runner: unauthenticated network-bound RCE via `vm.runInNewContext` in the `/_log` HTTP handler

GHSA-6vr3-7wcx-v5g5 (RCE) and GHSA-8rpw-6cqh-2v9h (arbitrary file read) hit the BrowserStack CLI test runner together. When `browserstack-runner` starts it binds an HTTP server on `0.0.0.0:8888` with no authentication; the `/_log` handler passes attacker-controlled JSON through `vm.runInNewContext()` plus `eval`, escaping the vm sandbox and executing arbitrary Node code on the host. Anyone on the same network as a running test job — a dev laptop on coffee-shop WiFi, a shared CI runner, a corp LAN with one compromised endpoint — can pop the process and pivot from there. The companion file-read advisory exposes the entire CWD on the same listener. Pin browserstack-runner to the patched release once it ships and, in the meantime, run test jobs behind a localhost-only bind or a network namespace; this is exactly the kind of dev-tool listener that nobody firewalls because it 'only listens locally,' and exactly the kind that doesn't.

Docling document-parser sweep: five hardening advisories across HTML, LaTeX, USPTO XML, METS-GBS, and EasyOCR backends (SSRF, XXE, zip bombs, Playwright JS exec)

IBM's `docling` document parser shipped a coordinated batch of hardening fixes against backends that previously trusted document-controlled URIs and paths: `file://` access in the HTML backend, path traversal in LaTeX `\includegraphics`/`\input`, XXE in the USPTO patent backend, XXE + zip-bomb risk in the METS-GBS backend, JS-execution-on-render via the Playwright HTML backend, and unsafe zip extraction in the EasyOCR model download. None are independently catastrophic but together they describe the class of risk that any LLM-pipeline ingestion stack inherits when it accepts user-supplied documents. If you parse untrusted documents with docling — or with anything downstream of it via `docling-core` — upgrade to `2.74.1`+ on the core and the matching docling release, and treat document parsing as a sandboxed boundary, not a library call.

Aikido: "Why EDR and proxy won't save you from supply chain malware" — the case for install-time telemetry as a distinct control

A vendor opinion piece, but a useful one: Aikido argues that EDR and forward-proxies were built around process behaviour and outbound traffic patterns that npm-install-time malware doesn't trigger — `npm install` running `postinstall` from a maintainer-account compromise looks identical to the legitimate `npm install` that ran ten minutes earlier. The piece rhymes with what Wordfence is doing for Kirki today (catching exploit traffic at the edge because they have the signatures) and with what was missing in the recent maintainer-takeover campaigns. Worth reading less for the vendor pitch than for the framing: install-time and build-time are a separate detection problem from runtime, and most orgs don't have telemetry there.

12:00 ET · Forenoon Watch

CISA KEV: Linux Kernel cgroups v1 release_agent privilege escalation — CVE-2022-0492, due 2026-06-05

CISA added CVE-2022-0492 to the KEV catalog yesterday with a three-day remediation deadline (June 5), confirming active exploitation in the wild. The vulnerability is in the cgroups v1 `release_agent` feature: an attacker with the ability to create a new user namespace — which is unprivileged by default on many distributions — can write an arbitrary command path into `release_agent` and trigger it as root outside the cgroup hierarchy, yielding full host privilege escalation and container escape. This is a well-known container escape primitive that has appeared in multiple malware families and CTF-to-prod toolkits; if you run containers on Linux hosts that still have cgroups v1 mounted, this is live. Disable cgroups v1 (`cgroup_no_v1=all` kernel parameter or upgrade to a kernel config that defaults to v2-only), apply your distribution's kernel patch, and verify container runtimes are enforcing `no-new-privileges` and seccomp/AppArmor profiles. Federal agencies must act by June 5.

CISA KEV: Android Framework integer overflow → code execution / LPE — CVE-2025-48595, due 2026-06-05

CISA added CVE-2025-48595 to KEV on June 2 alongside CVE-2022-0492, same three-day deadline. The flaw is an integer overflow (CWE-190) in the Android Framework layer that allows local privilege escalation to a higher-privileged process — the June 2026 Android Security Bulletin covers it. In exploitation this matters most for MDM-managed Android fleets where a malicious or compromised app can use the overflow to escape its sandbox. Google has shipped the fix in the June 1 security patch level; push your MDM profile update now and ensure devices running below the June 1 SPL are quarantined from corporate resources until patched.

CISA KEV: Oracle WebLogic Server unauth network access via T3/IIOP — CVE-2024-21182, due 2026-06-04

CVE-2024-21182 is an unauthenticated remote access vulnerability in Oracle WebLogic Server (T3 and IIOP listeners) patched in the July 2024 CPU — CISA confirmed active exploitation and added it to KEV June 1 with a due date of tomorrow (June 4). The T3/IIOP attack surface on WebLogic is a perennial exploit pathway; attackers with network reach to the listener can gain full read access to WebLogic-accessible data without any credentials. If you still have WebLogic T3/IIOP exposed on non-loopback interfaces in any environment, block it at the firewall immediately and apply the July 2024 CPU or later. This is the third Oracle WebLogic KEV addition in twelve months — if your organization runs WebLogic and isn't on a current patch cadence, that's the underlying problem to fix.

Gamaredon (Russian APT) exploiting WinRAR path traversal CVE-2025-8088 to deliver GammaWorm + GammaSteel against Ukraine targets

Sekoia has attributed an active campaign to Gamaredon (FSB-linked, also tracked as Armageddon/Primitive Bear) exploiting CVE-2025-8088, a path traversal flaw in WinRAR, to drop a malicious HTML Application (GammaPhish) that then fetches GammaWorm for lateral movement and GammaSteel for credential/document exfiltration. Targeting is currently focused on Ukrainian government and defence organisations, but the WinRAR path traversal is the mechanism of interest here: WinRAR is ubiquitous in Windows developer environments and CI/CD artifact pipelines that unpack build artifacts from external sources. A maliciously crafted `.rar` delivered via email, artifact server, or package registry attachment can write files outside the intended extraction directory on unpatched versions. Update WinRAR to the latest release (patched), and if your CI/CD pipeline unpacks `.rar` archives from external contributors, add a path-traversal check or switch to a sandboxed extractor.
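A path-traversal gate for the CI unpack step mentioned above, as an added example that is not from Sekoia's report or from WinRAR. It assumes the pipeline first lists member names without extracting (the listing step itself is not shown), and it is deliberately conservative; `member_is_unsafe`, `audit_listing` and the sample listing are constructed for illustration.

```python
import posixpath

def member_is_unsafe(name, dest="/ci/unpack"):
    """True if extracting archive member `name` under `dest` could write outside it."""
    norm = name.replace("\\", "/")        # archives built on Windows use backslashes
    if not norm or norm.startswith("/"):  # absolute path, or UNC once normalised
        return True
    if ":" in norm:                       # drive letter (C:/...) or NTFS stream suffix
        return True
    if any(part == ".." for part in norm.split("/")):
        return True                       # stricter than needed: also rejects a/../b
    # Belt and braces: resolve the final path and confirm it stays under dest.
    target = posixpath.normpath(posixpath.join(dest, norm))
    return not target.startswith(dest.rstrip("/") + "/")

def audit_listing(names, dest="/ci/unpack"):
    """Return members that must block extraction; an empty list means unpack may proceed."""
    return [n for n in names if member_is_unsafe(n, dest)]

# Constructed member listing for illustration.
LISTING = [
    "build/app.exe",
    "docs/readme.txt",
    "..\\..\\outside.txt",
    "C:\\temp\\x.dll",
    "/abs/path.txt",
    "docs/notes.txt:stream",
    "a/../../b.txt",
]

if __name__ == "__main__":
    blocked = audit_listing(LISTING)
    for name in blocked:
        print("blocked member:", repr(name))
    raise SystemExit(1 if blocked else 0)  # non-zero exit fails the CI job
```

Fail the job on any blocked member instead of skipping it, so a crafted archive is surfaced rather than partially unpacked.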

06:00 ET · Morning Watch

Public PoC for a one-click VS Code / github.dev OAuth-token steal that grants full access to every repo a victim can reach

Security researcher Ammar Askar published a full working PoC yesterday that chains five separate VS Code behaviours — the standout step is that github.com automatically POSTs an OAuth token to github.dev when you navigate between them, and that token is scoped to every repo your account can reach, not just the one you opened. From there a malicious `.ipynb` opened in the github.dev webview runs JavaScript via an `<img onerror>` inside an iframe, exfiltrates the token, and on the desktop variant escalates to full RCE because VS Code extensions have unrestricted Node.js APIs including `child_process`. This is the worst-case shape for a developer-IDE bug: zero clicks beyond the link, full read/write on every private repo the victim touches, and a desktop RCE path on the same chain. Microsoft has not shipped a fix yet; until they do, treat any link that opens VS Code or github.dev as untrusted, disable Jupyter webview rendering in VS Code for any account with broad GitHub access, and consider revoking the github.dev OAuth grant on accounts that don't actively use it (`https://github.com/settings/applications`).

Kirki WordPress plugin (500k+ installs) actively exploited via unauth password-reset flaw — CVE-2026-8206, CVSS 9.8, patched in 6.0.7

CVE-2026-8206 is an unauth privilege-escalation bug in the Kirki page-builder / customizer plugin: the plugin's `handle_forgot_password()` REST endpoint accepts an arbitrary email address alongside a known WordPress username and rewrites the account's email to the attacker's, after which the attacker triggers a normal password reset and takes over the admin account. CVSS 9.8, no auth, no user interaction; affects 6.0.0 through 6.0.6 (the plugin is active on 500k+ sites and roughly 40% are still on the vulnerable range). Defiant says Wordfence blocked 222 exploit attempts against its customers in the last 24 hours, so this is already in active mass-exploitation. Not a registry compromise, but Kirki is a foundational dependency for hundreds of themes and customisation plugins — the blast radius is anywhere a theme bundles it. Upgrade to 6.0.7, or remove the plugin entirely if you can; if you have managed WordPress fleets, push the update tonight and audit admin user emails for unexpected changes since May 18.