vanemmerik.ai / SUPPLY-CHAIN
Supply Chain Watch · Thursday, 04 June 2026 · End-of-day synthesis · 3 watches · 20 items

From the watchtower — what crossed the wire today.

A four-times-a-day standing watch on the open-source supply chain. Each pass pulls newly disclosed CVEs, freshly catalogued KEV adds, and active attacks reported in the wild — then ranks them by severity for the day.

The story of the day — Two self-propagating npm worms hit the registry the same day a triple-critical SSTI flaw turns Jupyter's Kubernetes gateway into full cluster takeover.

The registry ran a worm double-feature today. IronWorm planted infostealers across 36 npm packages, and a back-dated disclosure confirmed @cap-js/openapi@1.4.1 — live since May 19 — has been harvesting npm tokens, cloud keys, SSH keys and GitHub PATs while trying to spread itself.

Both worms share one goal: scrape every credential the install host can see, then move. If either package, or an unaudited lock file that resolved to them, touched a CI runner this fortnight, assume those secrets are already gone. Away from the registry the heaviest server-side bug is a triple-critical cluster in Jupyter Enterprise Gateway, where untrusted KERNEL_* environment variables flow unescaped into Kubernetes manifests and Jinja2 templates — SSTI-to-RCE plus a service-account-token path to full cluster takeover. browserstack-runner's unauthenticated 0.0.0.0 RCE and a cryptominer-laced build of Hola Browser round out a day themed on trusted developer and operator tooling turned hostile. The bright spot is disclosure discipline: every one of these arrived with a fixed version already published, so remediation is upgrade-and-rotate, not wait-for-a-patch.

→ Operational priority for the night: grep your lock files and CI image history for @cap-js/openapi and the IronWorm package set, and rotate every credential reachable from any runner that resolved them since mid-May before you touch anything else.

18:00 ET · First Watch

Supply-chain compromise: malicious @cap-js/openapi@1.4.1 harvested credentials and self-propagated (GHSA-jpvj-wpmj-h7rv, CVSS 9.6)

On May 19 a compromised @cap-js/openapi@1.4.1 (an SAP CAP framework plugin) was published to npm; today's advisory (CVSS 9.6) confirms it harvested every credential reachable on the install host — npm tokens, cloud provider keys, SSH keys, GitHub PATs — and attempted to self-propagate. This is the second confirmed self-propagating npm worm on the page today: same payload goal as IronWorm, different package, and it has been live for over two weeks. Upgrade to @cap-js/openapi >= 1.4.2, and if 1.4.1 ever touched a developer machine or CI runner, treat every credential on it as burned and rotate now — npm tokens and cloud keys first.

Jupyter Enterprise Gateway: triple-critical SSTI / K8s manifest injection / UID-GID bypass — untrusted KERNEL_* env vars to full cluster takeover

Three critical advisories landed together for Jupyter Enterprise Gateway, all rooted in the same flaw: untrusted KERNEL_* environment variables are interpolated into Kubernetes manifests with no YAML-aware escaping or template sandboxing. The worst (GHSA-f49j-v924-fx9w) is Jinja2 SSTI that executes Python and OS commands inside the gateway service and can steal its Kubernetes service-account token to schedule a privileged pod and own the whole cluster; a companion bug (GHSA-chq7-94j8-cj28, CVSS 9.8) bypasses the prohibited-UID/GID guard to launch root kernels, and a third (GHSA-cfw7-6c5v-2wjq) allows arbitrary multi-document YAML injection. If you run Enterprise Gateway on Kubernetes in a shared or multi-tenant cluster, patch now and audit exactly who can set kernel environment variables.
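The root cause shared by all three advisories is untrusted text spliced into manifest and template source. As an added illustration (not Enterprise Gateway's code, and with a hypothetical allowlist of variable names), the block below shows the two controls a gateway needs before any KERNEL_* value reaches a manifest: a strict name/value allowlist that refuses control characters and Jinja2 delimiters, and YAML-aware quoting so a value can never terminate a scalar or start a second YAML document. In a real fix the values should additionally be passed to the template engine as context variables rather than concatenated into template text.

```python
import json
import re

# Constructed allowlist of KERNEL_* names this gateway is willing to forward into a
# pod manifest (hypothetical; a real deployment would derive it from its kernelspecs).
ALLOWED_KERNEL_ENV = {"KERNEL_ID", "KERNEL_USERNAME", "KERNEL_NAMESPACE", "KERNEL_IMAGE"}

_NAME_RE = re.compile(r"KERNEL_[A-Z0-9_]{1,64}")
# Values must be one line of printable ASCII, so a value can never carry a YAML
# document separator, a new mapping key on its own line, or a control character.
_VALUE_RE = re.compile(r"[\x20-\x7e]{0,256}")
_TEMPLATE_DELIMS = ("{{", "{%", "{#")


class KernelEnvRejected(ValueError):
    """Raised when an untrusted KERNEL_* variable fails validation."""


def validate_kernel_env(env: dict) -> dict:
    """Return only the (name, value) pairs that are safe to place in a manifest."""
    clean = {}
    for name, value in env.items():
        if not isinstance(name, str) or not _NAME_RE.fullmatch(name) or name not in ALLOWED_KERNEL_ENV:
            raise KernelEnvRejected(f"env name not allowed: {name!r}")
        if not isinstance(value, str) or not _VALUE_RE.fullmatch(value):
            raise KernelEnvRejected(f"value of {name} is not single-line printable ASCII")
        if any(d in value for d in _TEMPLATE_DELIMS):
            # Even a quoted value would still be expanded if the manifest text is
            # rendered through Jinja2 afterwards, so template syntax is refused outright.
            raise KernelEnvRejected(f"value of {name} contains template delimiters")
        clean[name] = value
    return clean


def yaml_scalar(value: str) -> str:
    """Quote a string as a YAML 1.2 double-quoted scalar (JSON string syntax is valid YAML)."""
    # Newlines, quotes and backslashes are escaped, so the value cannot end the scalar,
    # open a new key, or begin a second document even if validation were bypassed.
    return json.dumps(value)


def render_env_block(env: dict, indent: int = 8) -> str:
    """Render validated KERNEL_* variables as the `env:` list of a pod container spec."""
    pad = " " * indent
    lines = []
    for name, value in sorted(validate_kernel_env(env).items()):
        lines.append(f"{pad}- name: {name}")
        lines.append(f"{pad}  value: {yaml_scalar(value)}")
    return "\n".join(lines)


def is_single_document(manifest_text: str) -> bool:
    """Cheap post-render check: no line of the manifest is a YAML document marker."""
    return not any(line.strip() in ("---", "...") for line in manifest_text.splitlines())
```

Run `render_env_block({"KERNEL_USERNAME": "alice"})` to see the quoted fragment; any name outside the allowlist, any multi-line value, and any value containing `{{` raises `KernelEnvRejected` before a manifest is built.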

browserstack-runner: unauthenticated RCE via vm-sandbox escape on 0.0.0.0:8888, plus path-traversal arbitrary file read

browserstack-runner starts an HTTP server on 0.0.0.0:8888 with no authentication; its /_log handler pipes the request body straight into vm.runInNewContext() combined with eval(), handing any network-adjacent attacker remote code execution on the host (CVSS 8.8), and a second bug lets the same unauthenticated attacker read arbitrary files via path traversal. This runs on CI machines that typically hold signing keys and deploy credentials. Upgrade, and until you do, never run browserstack-runner on a shared CI network segment — bind it to localhost or firewall port 8888.

Hola Browser for Windows compromised to deliver a cryptominer

Hola Browser for Windows was compromised to ship a cryptominer to its users — a legitimate, distributed application turned into a malware delivery channel, the same trust-inversion shape as a poisoned package but one layer up, at the installed-software tier. If Hola Browser is present anywhere in your fleet, treat the host as compromised: pull the app, hunt for the miner process and its persistence, and check egress logs for mining-pool traffic.

MCP-for-Stata: command injection via log_file_name parameter the guard never validates (GHSA-4p62-hqp5-g644)

MCP-for-Stata interpolates the log_file_name parameter directly into a Stata command string with no sanitization, and its GuardValidator only inspects do-file content — so an attacker can smuggle shell, python, or erase commands through the filename. It's a niche academic tool, but it's another data point in the widening MCP-server attack surface: these wrappers keep shipping injection bugs because the guard rails watch the wrong field. If you expose any MCP server to untrusted input, audit every parameter that reaches a shell or interpreter, not just the obvious payload field.

Chinese threat actor deploys new Atlas RAT in European cyberattacks

BleepingComputer reports a Chinese threat actor deploying a new 'Atlas RAT' against European targets. Not a registry supply-chain attack, but tracked here as threat-actor context — RATs on developer and operator machines are exactly how the initial access for a later supply-chain compromise gets established.

12:00 ET · Forenoon Watch

IronWorm infostealer active in 36 npm packages — confirmed supply-chain attack

A new supply-chain campaign named IronWorm has planted infostealer malware in 36 npm packages — confirmed active in the registry at time of publication. This is the textbook critical threshold: malicious packages distributed through a legitimate package manager. Until the specific package names and versions are public and npm yanks the affected releases, treat any npm install run in the last 24-48 hours against an unaudited lock file as potentially affected. Run `npm audit` now; watch for advisories naming IronWorm-linked package IDs and rotate any secrets that may have been exfiltrated from affected CI environments.

Axios: four simultaneous advisories — proxy-auth credential leak (×2), fetch-adapter size bypass, and ReDoS

Four advisories for axios dropped together today, the most operationally urgent being two distinct proxy credential leak paths: in the Node.js HTTP adapter, a `Proxy-Authorization` header is forwarded to the redirect target when the proxy is re-evaluated to a direct connection (CVE-2026-44486), and when an HTTP proxy redirects to an HTTPS origin (CVE-2026-44487). Any backend service that runs axios behind an authenticated proxy and follows redirects may be silently handing your proxy credentials to third-party servers. The fetch-adapter vulnerability (CVE-2026-44488) silently ignores configured `maxContentLength`/`maxBodyLength` limits, enabling unbounded response reads. The ReDoS (CVE-2026-44496) requires an attacker-controlled XSRF cookie name. Upgrade to axios 1.16.0+ (1.x) or 0.32.0+ (0.x). Grep your Node.js services for `httpsAgent`/`proxy` config combined with `maxRedirects > 0` — those are the at-risk call sites.
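The lock-file grep asked for in tonight's operational priority and the axios version check above are the same job, so here is one added scanner that serves both (it is not the watch's own tooling and not npm's). It walks a package-lock.json in v1, v2 or v3 shape, including nested copies under other packages' node_modules, and flags resolved versions that match a watchlist: the exact @cap-js/openapi 1.4.1 release, and any axios below the 1.16.0 / 0.32.0 fix boundaries. The IronWorm package names are not yet public, so that slot is a labelled placeholder, and the sample lock file is constructed.

```python
import json
import re
from typing import Callable, Dict, Iterator, List, Tuple

Version = Tuple[int, int, int]


def parse_version(v: str) -> Version:
    # Minimal semver parse: take the leading MAJOR.MINOR.PATCH and ignore any
    # pre-release or build suffix. Sufficient for comparing published npm releases.
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


# Watchlist: package name -> predicate that is True for a version to act on.
# Versions come from today's advisories; the IronWorm set is a placeholder.
WATCHLIST: Dict[str, Callable[[Version], bool]] = {
    "@cap-js/openapi": lambda v: v == (1, 4, 1),
    "axios": lambda v: (v[0] == 1 and v < (1, 16, 0)) or (v[0] == 0 and v < (0, 32, 0)),
    # "IRONWORM_PACKAGE_PLACEHOLDER": lambda v: True,  # fill in once names are published
}


def iter_lock_packages(lock: dict) -> Iterator[Tuple[str, str]]:
    """Yield (name, version) for every entry in a package-lock.json (v1, v2 or v3)."""
    if "packages" in lock:  # lockfile v2/v3: keys are install paths
        for path, meta in lock["packages"].items():
            if not path or "version" not in meta:
                continue  # "" is the root project itself
            name = path.rsplit("node_modules/", 1)[-1]  # keeps @scope/name intact
            yield name, meta["version"]
    if "dependencies" in lock:  # lockfile v1 (v2 also carries this tree for compatibility)
        yield from _iter_v1(lock["dependencies"])


def _iter_v1(deps: dict) -> Iterator[Tuple[str, str]]:
    for name, meta in deps.items():
        if "version" in meta:
            yield name, meta["version"]
        if "dependencies" in meta:
            yield from _iter_v1(meta["dependencies"])


def find_hits(lock: dict) -> List[Tuple[str, str]]:
    """Return sorted (name, version) pairs that match the watchlist; duplicates collapsed."""
    hits = set()
    for name, version in iter_lock_packages(lock):
        pred = WATCHLIST.get(name)
        if pred is None:
            continue
        try:
            if pred(parse_version(version)):
                hits.add((name, version))
        except ValueError:
            hits.add((name, version))  # unparseable version: surface it for manual review
    return sorted(hits)


def scan_lock_file(path: str) -> List[Tuple[str, str]]:
    with open(path, encoding="utf-8") as fh:
        return find_hits(json.load(fh))


# Constructed sample lock file (lockfile v3 shape); the versions are illustrative.
SAMPLE_LOCK = {
    "name": "demo-service",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-service", "version": "0.1.0"},
        "node_modules/axios": {"version": "1.15.2"},
        "node_modules/@cap-js/openapi": {"version": "1.4.1"},
        "node_modules/left-pad": {"version": "1.3.0"},
        "node_modules/some-tool/node_modules/axios": {"version": "1.16.0"},
    },
}

if __name__ == "__main__":
    for name, version in find_hits(SAMPLE_LOCK):
        print(f"ACTION: {name}@{version}")
```

Point `scan_lock_file` at each repository and CI image layer you extract; a hit on @cap-js/openapi means the rotation step in the operational priority applies to every secret that runner could see, and a hit on axios means the proxy-credential call sites in that service need the upgrade.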

launch-editor (bundled in vite) command injection on Windows — unauthenticated dev-server RCE

launch-editor, bundled directly into vite's dev server for the "open in editor" feature, builds a shell command from the `file` argument without sanitizing shell metacharacters on Windows. An attacker with any network reach to the vite dev server can pass a crafted filename to run arbitrary commands as the developer's user account — no authentication, no other interaction. The CVE number (CVE-2024-52011) is a 2024 assignment, suggesting the issue was known internally before today's advisory; update vite to pick up a patched launch-editor. If you cannot patch immediately, ensure your vite dev server binds to `127.0.0.1`, never `0.0.0.0`, and is not exposed across VPNs or shared LAN segments.

Large-scale campaign clones open-source project sites, ranks on Google, delivers Remus Stealer / AnimateClipper via TDS

A documented large-scale campaign builds convincing clones of OSS project portals, optimizes them for SEO until they outrank the genuine project on Google, then routes victims through a Traffic Distribution System that fingerprints the browser before delivering Remus Stealer, AnimateClipper, or the SessionGate framework. This is supply-chain-adjacent in the same way as typosquatting: developers searching for a package's homepage, changelog, or install instructions are the target. Verify that any OSS download comes directly from the project's canonical domain (PyPI, npm, crates.io, the GitHub release page) — not from a search-result site that merely looks right.

FlutterShell backdoor — macOS malvertising via Google and YouTube ads (Operation FlutterBridge)

Unit 42 traces Operation FlutterBridge to the JSCoreRunner / FileRipple cluster first seen in August 2025 — now expanded to macOS with a new backdoor (FlutterShell) distributed via Google and YouTube malicious ads. The delivery path (paid ad → fake download → backdoor installation) targets developers specifically because they frequently search for and install tooling found via Google. This is not a supply-chain attack on a registry, but it's the same developer machine that later runs `npm install` or `pip install` with elevated trust. macOS teams should verify that Google Safe Browsing is active, that browser download warnings are not suppressed, and that new binaries require explicit Gatekeeper approval before execution.

React Router v7 / Remix: additional DoS via reflected user input in single-fetch serialization (CVE-2026-34077)

A second DoS path in React Router v7 Framework Mode (and Remix 2.9.0+ with Single Fetch) was disclosed today: the turbo-stream serialization layer degrades under specific data shapes reflected from user input into server responses, making it a resource-exhaustion vector distinct from yesterday's `__manifest` endpoint issue. Patch to React Router 7.14.0 or Remix 2.18.0. If you already patched for yesterday's cluster, verify the new version addresses this advisory as well — the same patch release covers both.

Better Auth: device authorization flow accepts wrong session during code verification (CVE-2026-45337)

better-auth 1.6.0–1.6.10 with the `deviceAuthorization` plugin enabled will accept the approve/deny action from any authenticated session — not just the session of the user who initiated the device flow — while a user code is pending. An attacker who can observe a pending user code (e.g., shoulder-surfing, shared screen, or intercepted display) can authorize a device under a different user's identity. Upgrade to 1.6.11. If you use better-auth in a CLI-tool auth flow or TV/limited-input device login, this is the at-risk path.

Nuclio: any authenticated user can modify or delete any project via missing OPA authorization on write paths (CVE-2026-45730)

Nuclio's Dashboard API (the serverless / ML-function orchestrator) skips OPA authorization checks on `PUT /api/projects/{id}` and `DELETE /api/projects`, meaning any authenticated user — regardless of project membership — can modify or delete any project along with its functions and API gateways. CVSS 8.3. In multi-tenant Nuclio deployments, this is a full tenant-isolation break. Patch immediately; until then, restrict Dashboard access to trusted networks and audit recent project modification logs for unexpected changes.

Starlette: missing Host header validation poisons request.url.path, enabling path-matching bypasses

Starlette does not validate the `Host` header before constructing `request.url.path`, allowing an attacker to inject a path segment via the header that then breaks path-based routing or middleware guards. The impact depends on how the application uses `request.url.path` for authorization or routing decisions. Update Starlette and audit any middleware that matches on `request.url.path` rather than the raw path.

Matrix SDK pair: incomplete edit validation in matrix-sdk-ui, sender-binding gaps in Rust SDK room-key attribution

Two Matrix SDK advisories today: matrix-sdk-ui fails to fully validate edited messages, potentially allowing a malicious room member to replace displayed message content (GHSA-h97m-27fx-42rx); the Rust SDK has sender-binding gaps in to-device message and room-key attribution that could let a network attacker confuse key-forwarding logic (GHSA-wfq4-36m3-9g42). Neither is critical in isolation, but together they indicate ongoing hardening work on the Matrix E2EE stack. Update matrix-sdk-ui and matrix-sdk-crypto if you embed them.

Strawberry GraphQL: two DoS paths — MaxAliasesLimiter bypass via fragment spreads, circular fragment reference CPU exhaustion

Strawberry GraphQL's `MaxAliasesLimiter` validation can be bypassed by nesting aliases inside fragment spreads rather than inline fields, re-enabling alias-based query amplification attacks (GHSA-fr49-mhgj-crfc). Separately, circular fragment references cause unbounded recursion and CPU exhaustion (GHSA-qfwv-87qj-98xq). If you expose a Strawberry GraphQL endpoint publicly without a WAF-level query depth or complexity limit, both are exploitable by anonymous users with a crafted query.
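Both Strawberry issues come down to how a validator walks fragment spreads: an alias counter that stops at a spread undercounts, and a walker that follows spreads without remembering its path never returns on a cycle. As an added example (not Strawberry's validator; it works on a constructed dict model of a selection set rather than a real GraphQL AST), the block below shows the bypassed counting beside a counter that expands spreads transitively and rejects a circular reference before anything is executed.

```python
from typing import Dict, FrozenSet, List


class QueryRejected(ValueError):
    """Raised when a query exceeds the alias budget or contains a fragment cycle."""


# Constructed selection-set model:
#   field:            {"name": str, "alias": str | None, "selections": [...]}
#   fragment spread:  {"fragment": str}
#   fragments:        fragment name -> its selection list


def count_aliases_naive(selections: List[dict]) -> int:
    # The bypassed behaviour: aliases are counted only on inline fields, so anything
    # behind a fragment spread is invisible to the limiter.
    total = 0
    for sel in selections:
        if "fragment" in sel:
            continue
        if sel.get("alias"):
            total += 1
        total += count_aliases_naive(sel.get("selections", []))
    return total


def count_aliases(selections: List[dict], fragments: Dict[str, List[dict]],
                  _path: FrozenSet[str] = frozenset()) -> int:
    """Count aliases through fragment spreads; _path holds the spreads on the current branch."""
    total = 0
    for sel in selections:
        if "fragment" in sel:
            name = sel["fragment"]
            if name in _path:
                # Expanding this spread again would recurse forever.
                raise QueryRejected(f"circular fragment reference through {name!r}")
            if name not in fragments:
                raise QueryRejected(f"unknown fragment {name!r}")
            total += count_aliases(fragments[name], fragments, _path | {name})
        else:
            if sel.get("alias"):
                total += 1
            total += count_aliases(sel.get("selections", []), fragments, _path)
    return total


def validate_query(selections: List[dict], fragments: Dict[str, List[dict]], max_aliases: int) -> int:
    """Return the alias count, or raise QueryRejected; cycles are caught by the walk itself."""
    n = count_aliases(selections, fragments)
    if n > max_aliases:
        raise QueryRejected(f"{n} aliases exceed limit {max_aliases}")
    return n


# Constructed samples: five aliased copies of a field hidden behind one spread,
# and a pair of fragments that spread each other.
FRAGMENTS = {
    "Amplify": [{"name": "expensive", "alias": f"e{i}", "selections": []} for i in range(5)],
    "A": [{"fragment": "B"}],
    "B": [{"fragment": "A"}],
}
AMPLIFIED_QUERY = [{"name": "user", "alias": None, "selections": [{"fragment": "Amplify"}]}]
CIRCULAR_QUERY = [{"fragment": "A"}]
```

A fragment that is spread twice on sibling branches is still allowed, because `_path` tracks only the branch being expanded; only a spread that reappears on its own expansion path is a cycle.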

Doorkeeper OpenID Connect: Dynamic Client Registration creates public clients without requiring secret, weakening token security

Doorkeeper's Dynamic Client Registration endpoint creates clients as public (no client secret required) when no secret is provided, contrary to OIDC spec behaviour that should reject or generate one. This lowers the security bar for dynamically registered clients in applications that assumed confidential-client semantics. If you use Doorkeeper's DCR feature, audit registered clients for unexpected public status and require explicit `token_endpoint_auth_method` validation.

WebOb: Location header normalization during redirect leads to open redirect — again

WebOb's handling of the `Location` header during redirects normalizes paths in a way that re-enables an open redirect — the advisory title notes "again", suggesting this is a recurrence of a previously-patched class of bug. If your WSGI application uses WebOb's `Response.location` setter for redirect construction, update the package and test that redirect targets are constrained to expected domains.
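The test the WebOb item asks for, constraining redirect targets to expected domains, is worth writing once as a standalone check that runs before any `Location` header is set. The block below is an added example (not WebOb's code; the allowed-host set and function names are constructed) that refuses the recurring open-redirect shapes: absolute URLs to other hosts, scheme-relative `//host` targets, backslash variants that browsers normalize to slashes, userinfo tricks such as `https://good@evil`, non-HTTP schemes, and control characters.

```python
from urllib.parse import urlsplit


def is_safe_redirect(location: str, allowed_hosts: set) -> bool:
    """True only when `location` is an absolute path on this origin or an allowed host."""
    if not location or any(ord(c) < 0x20 or c == "\x7f" for c in location):
        return False  # CR/LF and other control characters: never into a header
    # Browsers treat backslashes like forward slashes in the authority position,
    # so normalize first; otherwise "/\evil.example" looks like a relative path.
    normalized = location.replace("\\", "/")
    parts = urlsplit(normalized)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False
    if parts.netloc:
        # hostname drops userinfo and port and lowercases, so "good@evil" resolves to evil.
        return parts.hostname in allowed_hosts
    # No authority: must be a same-origin absolute path, and "//host" must not slip through.
    return normalized.startswith("/") and not normalized.startswith("//")


def safe_location(location: str, allowed_hosts: set, fallback: str = "/") -> str:
    """Return `location` if it passes, otherwise a known-safe fallback path."""
    return location if is_safe_redirect(location, allowed_hosts) else fallback


# Constructed allowed-host set for a stand-alone run.
ALLOWED_HOSTS = {"app.example"}

if __name__ == "__main__":
    for candidate in ["/account", "https://app.example/dashboard", "//evil.example/x", "/\\evil.example"]:
        print(f"{candidate!r:40} -> {safe_location(candidate, ALLOWED_HOSTS)!r}")
```

Keep the allowed-host set lowercase, since `hostname` lowercases what it parses, and call `safe_location` at the single place that builds redirects rather than in each handler.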

THN ThreatsDay Bulletin: AI agents misbehaving, ClickFix tricks, JS backdoors, 20+ stories

THN's daily bulletin covers AI agent abuse scenarios, ClickFix social-engineering variants, JavaScript-based backdoor delivery, and 20+ additional stories. Worth a scan for anything that didn't surface in the primary feeds — the ClickFix thread in particular has been accelerating as a delivery mechanism for the fake-OSS-site campaign flagged separately today.