v vanemmerik.ai / SUPPLY-CHAIN
Supply Chain · Watch
Monday · 08 June 2026
End-of-day synthesis
4 watches · 12 items

From the watchtower — what crossed the wire today.

A four-times-a-day standing watch on the open-source supply chain. Each pass pulls newly disclosed CVEs, freshly catalogued KEV adds, and active attacks reported in the wild — then ranks them by severity for the day.

The story of the day — A 21:00 ET KEV addition dropped a command-injection RCE in the open-source LiteLLM gateway onto the actively-exploited list — capping a day already shaped by two ransomware-linked developer-toolchain compromises, Nx Console and TanStack.

Today's CISA KEV additions converged on a single surface: the software developer's own toolchain. Two of the day's critical items — the Nx Console VS Code extension and the TanStack npm libraries — were catalogued with ransomware_use=Known, meaning the credential-theft-to-ransomware chain is already running, not theoretical. Both follow the trusted-identity pattern: malicious versions shipped under the legitimate publisher's account, where package-name allowlists and reputation offer no protection and auto-updating CI runners sit at the top of the blast radius.

Late escalation at 21:00 ET: CISA added a third critical, CVE-2026-42271, a command-injection flaw in the open-source LiteLLM gateway that lets any authenticated caller — including low-privilege virtual keys — run arbitrary commands on the host. Because LiteLLM is usually deployed as a shared, multi-tenant proxy holding every upstream provider's credentials, one over-issued key becomes RCE on the box that holds the keys to everything behind it. Alongside it landed a Check Point Security Gateway IKEv1 auth bypass (CVE-2026-50751) carrying a three-day remediation deadline — CISA's shortest clock of the day. The bright spot still stands from the 18:00 synthesis: Microsoft is adding a two-hour delay to VS Code extension auto-updates, shrinking the window from instant fleet-wide compromise to a two-hour catch window — exactly the margin the Nx Console attack would have run inside.

→ Operational priority for the night: upgrade LiteLLM to v1.83.7-stable and rotate every provider key reachable from an exposed instance; apply the Check Point sk185033 hotfix or disable IKEv1 where it isn't required; and finish the toolchain audit — Nx Console and TanStack versions against GHSA-c9j4-9m59-847w and GHSA-g7cv-rxg3-hmpx, treating any CI machine that consumed a bad build as credential-compromised.

21:00 ET · Last Watch

LiteLLM command injection — any authenticated caller, including low-privilege keys, can run host commands

BerriAI LiteLLM — the open-source proxy that fronts dozens of LLM providers behind one OpenAI-compatible API — contains a command-injection flaw (CVE-2026-42271) that lets any authenticated caller, including holders of low-privilege internal-user keys, execute arbitrary commands on the host. CISA added it to KEV on 2026-06-08 with a 2026-06-22 deadline; because LiteLLM is usually run as a shared multi-tenant gateway holding every upstream provider's credentials, a single over-issued or leaked virtual key becomes RCE on the box that holds the keys to everything behind it. Upgrade to v1.83.7-stable, then treat any provider key reachable from an exposed LiteLLM instance as compromised and rotate.

Check Point Security Gateway IKEv1 auth bypass — unauthenticated remote-access VPN without a valid password

Check Point Security Gateway contains an improper-authentication flaw in its deprecated IKEv1 key exchange (CVE-2026-50751) that lets an unauthenticated remote attacker establish a remote-access VPN session without a valid user password. CISA catalogued it on 2026-06-08 with an unusually tight three-day remediation deadline of 2026-06-11 — its shortest clock of the day, signalling actively-exploited edge access rather than a theoretical bypass. Apply the hotfix in sk185033, and where IKEv1 isn't required, disable it outright; audit VPN logs for sessions that authenticated without a matching credential event.

12:00 ET · Forenoon Watch

Nx Console VS Code extension compromised — malicious version harvested credentials from disk and memory

A malicious version of Nx Console — the VS Code extension used by engineers working on Nx-managed JavaScript/TypeScript monorepos — was published with embedded code that fetched an obfuscated payload to harvest credentials from disk and in-memory sources. CISA added it to KEV on 2026-05-27 with ransomware_use=Known, meaning the credential-theft chain has already been linked to downstream ransomware deployment. This lands directly in developer-toolchain compromise territory: CI runners that auto-update extensions are the highest-risk surface. Audit installed Nx Console versions across your fleet against GHSA-c9j4-9m59-847w, rotate any secrets that were on machines running the affected version, and pin extensions by content hash or disable auto-update until a verification gate is in place.

Malicious TanStack versions published to npm under trusted identity — credential-stealing malware, ransomware follow-on confirmed

Malicious versions of TanStack (the React Query/Router library family with hundreds of millions of weekly downloads) were published to npm under the compromised TanStack organisation identity, delivering credential-stealing malware. CISA KEV as of 2026-05-27 with ransomware_use=Known. The 'trusted identity' vector is the most dangerous shape in the npm ecosystem: package name allowlists offer zero protection when the compromise originates from the legitimate publisher account. This is in the same cohort as the Nx Console compromise — both landed on KEV the same day, both involve developer-toolchain credential theft, both have ransomware follow-on. Pin TanStack dependencies to known-good content hashes, audit your lockfiles for the affected version ranges in GHSA-g7cv-rxg3-hmpx, and treat any CI machine that consumed a bad version as credential-compromised until rotated.
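One way to run the lockfile audit described above, as an added example that is not from the advisory or the TanStack project. It walks an npm lockfile (lockfileVersion 2 or 3), including nested installs, and flags affected versions and integrity values that differ from a recorded pin. The version strings, integrity values and sample lockfile are constructed placeholders; take the real affected versions from GHSA-g7cv-rxg3-hmpx.

```python
import json

# Placeholder data: replace with the affected versions listed in the advisory.
AFFECTED = {"@tanstack/react-query": {"0.0.0-placeholder.1"}}
# Known-good pins recorded from a trusted build (constructed values).
PINS = {("@tanstack/query-core", "0.0.0-good.1"): "sha512-CONSTRUCTED-GOOD"}

# Constructed lockfile fragment, for illustration only.
SAMPLE_LOCK = json.loads("""{
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "app"},
    "node_modules/@tanstack/react-query":
      {"version": "0.0.0-placeholder.1", "integrity": "sha512-CONSTRUCTED-A"},
    "node_modules/ui-kit/node_modules/@tanstack/react-query":
      {"version": "0.0.0-good.1", "integrity": "sha512-CONSTRUCTED-B"},
    "node_modules/@tanstack/query-core":
      {"version": "0.0.0-good.1", "integrity": "sha512-CONSTRUCTED-TAMPERED"}
  }
}""")

def package_name(lock_path):
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (handles nested installs)."""
    return lock_path.rpartition("node_modules/")[2]

def audit_lockfile(lock, affected=AFFECTED, pins=PINS):
    """Return sorted (path, version, finding) tuples for a parsed lockfile."""
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if not path:  # "" is the root project entry, not a dependency
            continue
        name, version = package_name(path), meta.get("version")
        if version in affected.get(name, ()):
            findings.append((path, version, "affected version"))
        pinned = pins.get((name, version))
        if pinned is not None and meta.get("integrity") != pinned:
            findings.append((path, version, "integrity differs from pin"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_lockfile(SAMPLE_LOCK):
        print(*finding, sep="  ")
```

A hit in either column means the build that consumed that lockfile should be handled as the paragraph above says: credential-compromised until rotated.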

Mirasvit Full Page Cache Warmer (Magento/Adobe Commerce) — unauthenticated RCE via PHP deserialization in cookie

The Mirasvit Full Page Cache Warmer extension for Magento/Adobe Commerce deserializes a PHP object supplied in the CacheWarmer cookie without authentication, giving any remote attacker a direct code-execution path. CISA KEV since 2026-06-03, due date 2026-06-06 — that window has already passed. PHP object injection via cookie is trivially weaponizable; there is no meaningful barrier between this and full store compromise including payment credential access. If you run Magento with this extension, patch now; the CISA due date being in the rearview mirror means active exploitation is confirmed and remediation is already overdue.

SolarWinds Serv-U — unauthenticated DoS via crafted Content-Encoding: deflate POST

A specially crafted POST request with Content-Encoding: deflate crashes the SolarWinds Serv-U service without authentication. CISA KEV as of 2026-06-05, due 2026-06-19. This is a DoS path, not RCE, but SolarWinds file-transfer infrastructure sitting at the centre of data flows in federal and enterprise environments has an elevated threat profile, and an attacker who can drop Serv-U on demand controls a meaningful disruption lever. Patch to Serv-U 15.5.4 Hotfix 1.

Oracle WebLogic Server — unauthenticated T3/IIOP network access, full data exposure

A two-year-old Oracle WebLogic vulnerability (October 2024 CPU) has been newly added to CISA KEV, confirming active exploitation in the wild as of 2026-06-01. Unauthenticated access via T3 or IIOP can expose all data accessible to the WebLogic instance. The KEV re-elevation of an older CVE means defenders who deferred patching after the original advisory are now on the active-exploitation clock. Apply the October 2024 CPU or later and block T3/IIOP at the network perimeter if patching is not immediately possible.

Linux Kernel cgroups v1 container escape — 4-year-old CVE newly confirmed as actively exploited

CISA added a 2022 Linux kernel privilege escalation to KEV on 2026-06-02, confirming it is being actively exploited today. The cgroups v1 release_agent path allows a container with sufficient permissions to escape to the host — the classic container-breakout shape. Any containerised workload still on cgroups v1 (check: 'stat /sys/fs/cgroup/cgroup.controllers' — if the file doesn't exist, you're on v1) is exposed. Modern distros default to cgroups v2 where this path is unavailable, but pinned kernel versions in older container base images may not. Audit your base images and kernel versions; prefer cgroups v2 or restrict unprivileged user namespace access as a compensating control.

GeoNode SSRF — authenticated attackers can probe internal network and cloud metadata endpoints via WMS service handler

GeoNode's WMS service registration endpoint passes user-supplied URLs directly to an outbound request without private IP filtering or allowlist enforcement, letting any authenticated user probe loopback, RFC1918, and link-local addresses including cloud metadata services (169.254.169.254). CVSS 6.3, requires authentication, so blast radius is limited to compromised or insider accounts — but SSRF to metadata endpoints is a reliable lateral movement path to IAM credentials in cloud-hosted GeoNode deployments. Patch to 4.4.5 or 5.0.2.

VerdantBamboo (China-nexus) deploys BSD BRICKSTORM variant plus two new malware families on Linux appliances

Volexity reports VerdantBamboo — which overlaps with Clay Typhoon / UNC4034 — deploying a BSD variant of the BRICKSTORM backdoor alongside PLENET (aka GRIMBOLT) and AGENTPSD against Linux network appliances. Not a direct supply-chain compromise, but the targeting pattern rhymes: compromise the network appliance that proxies everything, and you get persistent access without touching the application layer. Defenders with exposed VPN concentrators, load balancers, or edge appliances should treat Volexity's IOCs as a hunting baseline.

THN Weekly Recap — GitHub worm, poisoned packages, bot token in malware

THN's weekly retrospective covers a GitHub repository worm, poisoned packages (covered in this watch across the week), and malware that embedded a live bot token — enabling command-and-control through the bot API rather than a traditional C2 beacon. The bot-token-as-C2 pattern is worth flagging: it abuses a trusted platform and makes traffic indistinguishable from legitimate API calls. Useful as a week-in-review link for stakeholder briefings.

06:00 ET · Morning Watch

VS Code adds a two-hour delay to extension auto-updates to blunt marketplace supply-chain attacks

Microsoft is adding a two-hour delay before VS Code auto-updates extensions to a newly published version, giving the marketplace and detection vendors a window to pull a malicious release before it auto-lands on developer machines. It's the same defense-in-depth logic as npm's publish-cooldown debate and VS Code's earlier extension-signing push — none of it stops a poisoned update outright, but it shrinks the blast radius from 'instant, fleet-wide' to a two-hour catch window, which is exactly the kind of margin that would have helped against the marketplace extension compromises of the past year. If you run VS Code across an engineering org, confirm auto-update is enabled (the delay only protects machines on the delayed path) and back it with extension allowlisting so the two-hour window sits behind a real review gate.