{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/software-supply-chain/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["jupyterlab-git (pip \u003e= 0.30.0b3, \u003c 0.54.0a1)","jupyterlab-git-core (pip \u003e= 0.30.0b3, \u003c 0.54.0a1)","@jupyterlab/git (npm \u003e= 0.30.0b3, \u003c 0.54.0-a1)"],"_cs_severities":["high"],"_cs_tags":["xss","rce","jupyterlab","git","web-vulnerability","software-supply-chain","ghsa"],"_cs_type":"advisory","_cs_vendors":["Jupyter Project"],"content_html":"\u003cp\u003eAmazon Web Services (AWS) Security discovered CVE-2026-54527, a high-severity stored cross-site scripting (XSS) vulnerability within the \u003ccode\u003ejupyterlab-git\u003c/code\u003e JupyterLab extension (versions \u0026gt;= 0.30.0b3, \u0026lt; 0.54.0a1). This flaw specifically resides in the \u003ccode\u003ecreateHeader()\u003c/code\u003e method of the \u003ccode\u003ePlainTextDiff.ts\u003c/code\u003e component, which insecurely renders Git filenames directly to \u003ccode\u003einnerHTML\u003c/code\u003e without sanitization when displaying diffs for renamed files in commit history. Exploitation requires an adversary to have commit access to a shared Git repository; they craft a malicious filename (e.g., \u003ccode\u003e\u0026lt;img src=x onerror=eval(atob(\u0026quot;base64_payload\u0026quot;))\u0026gt;.py\u003c/code\u003e), rename it in a subsequent commit, and push it. 
When a victim views the rename diff of this file in the Git History tab, the injected JavaScript executes in their browser, reading the \u003ccode\u003e_xsrf\u003c/code\u003e cookie, opening a JupyterLab terminal via \u003ccode\u003ePOST /api/terminals\u003c/code\u003e, and subsequently executing arbitrary shell commands to achieve full Remote Code Execution (RCE). This allows attackers to exfiltrate secrets, credentials, and sensitive data from the victim's JupyterLab environment. The vulnerability impacts organizations utilizing JupyterLab with the vulnerable \u003ccode\u003ejupyterlab-git\u003c/code\u003e extension installed, potentially leading to widespread compromise of development and data science environments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn adversary with commit access to a shared Git repository crafts a file with a malicious filename containing a JavaScript payload (e.g., \u003ccode\u003e\u0026lt;img src=x onerror=eval(atob(\u0026quot;base64_payload\u0026quot;))\u0026gt;.py\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe adversary performs a Git commit, renaming the crafted file, and pushes both the file creation and rename commits to the shared Git repository.\u003c/li\u003e\n\u003cli\u003eA victim user clones or pulls the repository into their JupyterLab environment.\u003c/li\u003e\n\u003cli\u003eThe victim navigates to the Git History tab within JupyterLab, clicks the commit containing the rename, and then clicks the renamed malicious file to view its diff.\u003c/li\u003e\n\u003cli\u003eJupyterLab's \u003ccode\u003ePlainTextDiff.ts\u003c/code\u003e component, specifically the \u003ccode\u003ecreateHeader()\u003c/code\u003e method, renders the unsanitized malicious filename directly into the Document Object Model (DOM) via \u003ccode\u003einnerHTML\u003c/code\u003e, executing the embedded JavaScript payload in the victim's browser 
session.\u003c/li\u003e\n\u003cli\u003eThe executed JavaScript reads the victim's \u003ccode\u003e_xsrf\u003c/code\u003e cookie, constructs and sends a \u003ccode\u003ePOST\u003c/code\u003e request to the JupyterLab server's \u003ccode\u003e/api/terminals\u003c/code\u003e endpoint to open a new terminal session.\u003c/li\u003e\n\u003cli\u003eThe JavaScript establishes a WebSocket connection to the newly created terminal and sends arbitrary shell commands for execution on the underlying JupyterLab server.\u003c/li\u003e\n\u003cli\u003eThe shell commands execute with the privileges of the JupyterLab server process, leading to Remote Code Execution (RCE) and potential exfiltration of credentials or sensitive data from the victim's environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-54527 leads to full Remote Code Execution (RCE) on the JupyterLab server where the victim's session is running. This grants an attacker unauthorized access to the victim's code, data, environment variables, and any credentials accessible from that environment. Attackers can leverage this RCE to exfiltrate sensitive information, install backdoors, move laterally within the network, or disrupt development and data science workflows. 
Any organization using JupyterLab with the vulnerable \u003ccode\u003ejupyterlab-git\u003c/code\u003e extension in a collaborative Git environment is exposed to this attack.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eImmediately upgrade the \u003ccode\u003ejupyterlab-git\u003c/code\u003e extension to version 0.54.0a1 or later to remediate CVE-2026-54527.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules \u0026quot;Detects CVE-2026-54527 Exploitation — JupyterLab Terminal Creation\u0026quot; and \u0026quot;Detects CVE-2026-54527 Exploitation — Suspicious JupyterLab Child Process\u0026quot; to your SIEM and tune them for your environment's baseline JupyterLab activity.\u003c/li\u003e\n\u003cli\u003eEnable comprehensive \u003ccode\u003ewebserver\u003c/code\u003e logging for all JupyterLab instances to capture \u003ccode\u003ePOST\u003c/code\u003e requests to \u003ccode\u003e/api/terminals\u003c/code\u003e and other suspicious API endpoints, enabling the \u0026quot;Detects CVE-2026-54527 Exploitation — JupyterLab Terminal Creation\u0026quot; rule.\u003c/li\u003e\n\u003cli\u003eEnable \u003ccode\u003eprocess_creation\u003c/code\u003e logging on all servers hosting JupyterLab instances to monitor for unusual child processes spawned by JupyterLab or Python processes, enabling the \u0026quot;Detects CVE-2026-54527 Exploitation — Suspicious JupyterLab Child Process\u0026quot; rule.\u003c/li\u003e\n\u003c/ol\u003e\n","date_modified":"2026-06-19T20:01:30Z","date_published":"2026-06-19T20:01:30Z","id":"https://feed.craftedsignal.io/briefs/2026-06-jupyterlab-git-xss-rce/","summary":"A stored cross-site scripting (XSS) vulnerability, identified as CVE-2026-54527, in the `jupyterlab-git` JupyterLab extension (versions \u003e= 0.30.0b3, \u003c 0.54.0a1), specifically in `PlainTextDiff.ts`, allows an adversary with Git commit access to execute arbitrary JavaScript in a victim's 
browser and achieve Remote Code Execution (RCE) on the JupyterLab server by crafting a malicious filename in a Git commit that, when viewed as a rename diff, triggers the XSS payload to steal `_xsrf` cookies, open a terminal, and execute arbitrary shell commands to exfiltrate data.","title":"JupyterLab Git Extension Stored XSS to RCE (CVE-2026-54527)","url":"https://feed.craftedsignal.io/briefs/2026-06-jupyterlab-git-xss-rce/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["network-ai (\u003c 5.9.1)"],"_cs_severities":["critical"],"_cs_tags":["command-injection","rce","node.js","linux","macos","software-supply-chain"],"_cs_type":"advisory","_cs_vendors":["Jovancoding"],"content_html":"\u003cp\u003eA critical command injection vulnerability, tracked as CVE-2026-54051, exists in the \u003ccode\u003enetwork-ai\u003c/code\u003e npm package, specifically affecting versions prior to 5.9.1. The flaw stems from a mismatch between the \u003ccode\u003eSandboxPolicy.isCommandAllowed\u003c/code\u003e function, which performs allowlist glob-matching on the entire command string, and the \u003ccode\u003eShellExecutor\u003c/code\u003e which then executes this string directly via \u003ccode\u003e/bin/sh -c\u003c/code\u003e. This discrepancy allows an attacker to inject shell metacharacters (e.g., \u003ccode\u003e;\u003c/code\u003e, \u003ccode\u003e|\u003c/code\u003e, \u003ccode\u003e$(...)\u003c/code\u003e) into a command that would otherwise be approved by a broad wildcard allowlist entry (e.g., \u003ccode\u003egit *\u003c/code\u003e, \u003ccode\u003enpm *\u003c/code\u003e). This bypasses the intended security control meant to contain a compromised agent, enabling arbitrary command execution with the privileges of the orchestrator process on Linux and macOS systems. 
The vulnerability was publicly disclosed on June 19, 2026, via a GitHub Security Advisory (GHSA-qw6v-5fcf-5666).\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker compromises or controls a \u003ccode\u003enetwork-ai\u003c/code\u003e agent process.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003enetwork-ai\u003c/code\u003e orchestrator's \u003ccode\u003eSandboxPolicy\u003c/code\u003e includes a broad wildcard allowlist entry for commands (e.g., \u003ccode\u003egit *\u003c/code\u003e, \u003ccode\u003enpm *\u003c/code\u003e, \u003ccode\u003enode *\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious command string containing shell metacharacters, such as \u003ccode\u003egit status; id \u0026gt; /tmp/pwned.txt\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eSandboxPolicy.isCommandAllowed\u003c/code\u003e function evaluates the full malicious string, and due to the glob-matching logic, it incorrectly determines the command is allowed.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eShellExecutor.execute\u003c/code\u003e method proceeds to execute the approved string by invoking \u003ccode\u003e/bin/sh -c \u0026quot;git status; id \u0026gt; /tmp/pwned.txt\u0026quot;\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003e/bin/sh\u003c/code\u003e interpreter processes the shell metacharacters (specifically the semicolon), executing both \u003ccode\u003egit status\u003c/code\u003e and the injected \u003ccode\u003eid \u0026gt; /tmp/pwned.txt\u003c/code\u003e command.\u003c/li\u003e\n\u003cli\u003eArbitrary command execution is achieved, typically as the orchestrator process, allowing the attacker to bypass the intended sandbox controls and potentially escalate privileges or exfiltrate data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-54051 leads to 
arbitrary command execution on the system running the \u003ccode\u003enetwork-ai\u003c/code\u003e orchestrator process. This vulnerability completely undermines the primary security mechanism designed to prevent a compromised agent from executing unauthorized commands. Attackers can leverage this to gain full control over the orchestrator, leading to data exfiltration, further lateral movement, or deployment of additional malicious payloads. While specific victim numbers are not provided, any organization running \u003ccode\u003enetwork-ai\u003c/code\u003e with broad wildcard allowlist entries in its \u003ccode\u003eSandboxPolicy\u003c/code\u003e on Linux or macOS systems is susceptible to this critical flaw.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eUpgrade immediately:\u003c/strong\u003e Update the \u003ccode\u003enetwork-ai\u003c/code\u003e package to version 5.9.1 or later to apply the patch for CVE-2026-54051.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRefine allowlists:\u003c/strong\u003e Review and harden \u003ccode\u003eSandboxPolicy\u003c/code\u003e allowlist configurations, avoiding overly broad wildcard entries like \u003ccode\u003enode *\u003c/code\u003e or \u003ccode\u003enpm *\u003c/code\u003e even after patching.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eEnable logging:\u003c/strong\u003e Ensure \u003ccode\u003eprocess_creation\u003c/code\u003e logging (e.g., via Sysmon for Linux/macOS) is enabled to capture execution of shell interpreters and their command-line arguments.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDeploy Sigma rules:\u003c/strong\u003e Deploy the provided Sigma rules to detect suspicious \u003ccode\u003esh -c\u003c/code\u003e invocations and anomalous command 
executions.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-06-19T13:43:05Z","date_published":"2026-06-19T13:43:05Z","id":"https://feed.craftedsignal.io/briefs/2026-06-network-ai-cmd-injection/","summary":"The `network-ai` package, versions prior to 5.9.1, is vulnerable to a critical command injection flaw (CVE-2026-54051) where the `ShellExecutor` component fails to properly neutralize shell metacharacters when processing commands, allowing an attacker to achieve arbitrary command execution as the orchestrator process by bypassing allowlist controls.","title":"Network-AI: Improper Neutralization of Special Elements used in an OS Command (CVE-2026-54051)","url":"https://feed.craftedsignal.io/briefs/2026-06-network-ai-cmd-injection/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Axios npm package","GitHub repositories"],"_cs_severities":["high"],"_cs_tags":["intelligence-collection","espionage","supply-chain-compromise","software-supply-chain","extortion","state-sponsored","ecrime","macos","github"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe CrowdStrike 2026 Technology Threat Landscape Report reveals the technology sector as the primary target for both state-sponsored and eCrime adversaries during the period of April 1, 2025, to March 31, 2026. China-nexus groups, including MURKY PANDA, MUSTANG PANDA, OVERCAST PANDA, SUNRISE PANDA, and WARP PANDA, accounted for over 58% of state-sponsored intrusions, driven by goals of intelligence collection, intellectual property theft, and supply chain compromise. These actors utilized methods such as password spraying and exploiting vulnerabilities. DPRK-nexus groups like FAMOUS CHOLLIMA and STARDUST CHOLLIMA targeted the sector for financial gain through fraudulent employment schemes and supply chain compromises, notably the Axios npm package. 
eCrime adversaries conducted 65% of hands-on-keyboard operations, focusing on extortion, leveraging initial access brokers, distributing malware via lures (e.g., fake OpenClaw skills for macOS info stealers), and injecting malicious code into platforms like GitHub repositories.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access\u003c/strong\u003e: Adversaries gain initial entry through various means, including password spraying attacks (observed with MURKY PANDA), exploitation of public-facing vulnerabilities in applications or infrastructure (WARP PANDA), or by luring victims with social engineering tactics (e.g., fake OpenClaw skills distributing macOS info stealers).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExecution \u0026amp; Persistence\u003c/strong\u003e: Upon successful compromise or user interaction, malware (such as the macOS information stealer) is executed. Attackers then establish and maintain persistent access within the targeted environment, often through methods not explicitly detailed in the report.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement \u0026amp; Credential Access\u003c/strong\u003e: Threat actors move deeper into the network, frequently leveraging stolen credentials or exploiting internal weaknesses, to reach critical systems and high-value data.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Collection\u003c/strong\u003e: Adversaries identify and gather sensitive information, including intellectual property, source code from private repositories (as seen with Crimson Collective's activities), and other data aligned with intelligence collection objectives.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSupply Chain Compromise\u003c/strong\u003e: In some instances, attackers inject malicious code into widely used software components (e.g., STARDUST CHOLLIMA compromising the Axios npm package) or directly into public 
code repositories (e.g., the Glassworm actor compromising GitHub repositories).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration\u003c/strong\u003e: The collected intellectual property, sensitive data, or compromised code is then transferred out of the victim's network to adversary-controlled infrastructure.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact \u0026amp; Extortion\u003c/strong\u003e: The ultimate objectives include intelligence collection, intellectual property theft, and financial gain. eCrime adversaries frequently resort to extortion, often by listing organizations on dedicated leak sites (572 tech organizations observed).\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe technology sector faces severe consequences from these attacks, encompassing significant intelligence collection losses, intellectual property theft, and financial damage. State-sponsored actors, particularly China-nexus groups, aim to steal cutting-edge innovations and AI capabilities, hindering competitive advantage. eCrime groups extensively use extortion, naming 572 technology organizations on leak sites, vastly exceeding other sectors. Supply chain compromises, such as the STARDUST CHOLLIMA compromise of the Axios npm package, can expose millions of downstream users and poison open-source ecosystems, leading to widespread collateral damage and erosion of trust in software components. 
DPRK-nexus activities also contribute to financial losses through fraudulent employment schemes.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM and tune for your environment to detect macOS information stealers and suspicious application activity.\u003c/li\u003e\n\u003cli\u003eImplement strong multi-factor authentication (MFA) and monitor authentication logs for password spraying attempts, referencing the threat from MURKY PANDA.\u003c/li\u003e\n\u003cli\u003eMonitor process creation and network connections on macOS endpoints to detect suspicious activity indicative of the macOS information stealer distributed via \u0026quot;OpenClaw-related lures\u0026quot;.\u003c/li\u003e\n\u003cli\u003eScrutinize software supply chain integrity, including regular audits of \u003ccode\u003enpm\u003c/code\u003e package dependencies and GitHub repository activity, to mitigate risks highlighted by the STARDUST CHOLLIMA and Glassworm compromises.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-06-19T05:22:20Z","date_published":"2026-06-19T05:22:20Z","id":"https://feed.craftedsignal.io/briefs/2026-06-china-tech-threats/","summary":"The CrowdStrike 2026 Technology Threat Landscape Report highlights the pervasive targeting of the technology sector by China-nexus and eCrime adversaries, employing tactics like password spraying, vulnerability exploitation, supply chain compromises (e.g., Axios npm package, GitHub repositories), and malware distribution (macOS info stealers via OpenClaw lures) to achieve intelligence collection, intellectual property theft, and financial extortion.","title":"CrowdStrike 2026 Technology Threat Landscape Report: China's Ambitions Fuel Attacks","url":"https://feed.craftedsignal.io/briefs/2026-06-china-tech-threats/"}],"language":"en","title":"CraftedSignal Threat Feed - Software-Supply-Chain","version":"https://jsonfeed.org/version/1.1"}