Software-Supply-Chain - CraftedSignal Threat Feed

JupyterLab Git Extension Stored XSS to RCE (CVE-2026-54527)

hello@craftedsignal.io — Fri, 19 Jun 2026 20:01:30 +0000

Amazon Web Services (AWS) Security discovered CVE-2026-54527, a high-severity stored cross-site scripting (XSS) vulnerability within the jupyterlab-git JupyterLab extension (versions >= 0.30.0b3, < 0.54.0a1). This flaw specifically resides in the createHeader() method of the PlainTextDiff.ts component, which insecurely renders Git filenames directly to innerHTML without sanitization when displaying diffs for renamed files in commit history. Exploitation requires an adversary to have commit access to a shared Git repository; they craft a malicious filename (e.g., .py), rename it in a subsequent commit, and push it. When a victim views the rename diff of this file in the Git History tab, the injected JavaScript executes in their browser, reading the _xsrf cookie, opening a JupyterLab terminal via POST /api/terminals, and subsequently executing arbitrary shell commands to achieve full Remote Code Execution (RCE). This allows attackers to exfiltrate secrets, credentials, and sensitive data from the victim's JupyterLab environment. The vulnerability impacts organizations utilizing JupyterLab with the vulnerable jupyterlab-git extension installed, potentially leading to widespread compromise of development and data science environments.

Attack Chain

An adversary with commit access to a shared Git repository crafts a file with a malicious filename containing a JavaScript payload (e.g., .py).
The adversary performs a Git commit, renaming the crafted file, and pushes both the file creation and rename commits to the shared Git repository.
A victim user clones or pulls the repository into their JupyterLab environment.
The victim navigates to the Git History tab within JupyterLab, clicks the commit containing the rename, and then clicks the renamed malicious file to view its diff.
JupyterLab's PlainTextDiff.ts component, specifically the createHeader() method, renders the unsanitized malicious filename directly into the Document Object Model (DOM) via innerHTML, executing the embedded JavaScript payload in the victim's browser session.
The executed JavaScript reads the victim's _xsrf cookie, constructs and sends a POST request to the JupyterLab server's /api/terminals endpoint to open a new terminal session.
The JavaScript establishes a WebSocket connection to the newly created terminal and sends arbitrary shell commands for execution on the underlying JupyterLab server.
The shell commands execute with the privileges of the JupyterLab server process, leading to Remote Code Execution (RCE) and potential exfiltration of credentials or sensitive data from the victim's environment.

Impact

Successful exploitation of CVE-2026-54527 leads to full Remote Code Execution (RCE) on the JupyterLab server where the victim's session is running. This grants an attacker unauthorized access to the victim's code, data, environment variables, and any credentials accessible from that environment. Attackers can leverage this RCE to exfiltrate sensitive information, install backdoors, move laterally within the network, or disrupt development and data science workflows. The attack vectors are widespread across any organization using JupyterLab with the vulnerable jupyterlab-git extension in a collaborative Git environment.

Recommendation

Immediately patch the jupyterlab-git extension to a version equal to or greater than 0.54.0a1 to remediate CVE-2026-54527.
Deploy the Sigma rules "Detects CVE-2026-54527 Exploitation — JupyterLab Terminal Creation" and "Detects CVE-2026-54527 Exploitation — Suspicious JupyterLab Child Process" to your SIEM and tune them for your environment's baseline JupyterLab activity.
Enable comprehensive webserver logging for all JupyterLab instances to capture POST requests to /api/terminals and other suspicious API endpoints, enabling the "Detects CVE-2026-54527 Exploitation — JupyterLab Terminal Creation" rule.
Enable process_creation logging on all servers hosting JupyterLab instances to monitor for unusual child processes spawned by JupyterLab or Python processes, enabling the "Detects CVE-2026-54527 Exploitation — Suspicious JupyterLab Child Process" rule.

Network-AI: Improper Neutralization of Special Elements used in an OS Command (CVE-2026-54051)

hello@craftedsignal.io — Fri, 19 Jun 2026 13:43:05 +0000

A critical command injection vulnerability, tracked as CVE-2026-54051, exists in the network-ai npm package, specifically affecting versions prior to 5.9.1. The flaw stems from a mismatch between the SandboxPolicy.isCommandAllowed function, which performs allowlist glob-matching on the entire command string, and the ShellExecutor which then executes this string directly via /bin/sh -c. This discrepancy allows an attacker to inject shell metacharacters (e.g., ;, |, $(...)) into a command that would otherwise be approved by a broad wildcard allowlist entry (e.g., git *, npm *). This bypasses the intended security control meant to contain a compromised agent, enabling arbitrary command execution with the privileges of the orchestrator process on Linux and macOS systems. The vulnerability was publicly disclosed on June 19, 2026, via a GitHub Security Advisory (GHSA-qw6v-5fcf-5666).

Attack Chain

An attacker compromises or controls a network-ai agent process.
The network-ai orchestrator's SandboxPolicy includes a broad wildcard allowlist entry for commands (e.g., git *, npm *, node *).
The attacker crafts a malicious command string containing shell metacharacters, such as git status; id > /tmp/pwned.txt.
The SandboxPolicy.isCommandAllowed function evaluates the full malicious string, and due to the glob-matching logic, it incorrectly determines the command is allowed.
The ShellExecutor.execute method proceeds to execute the approved string by invoking /bin/sh -c "git status; id > /tmp/pwned.txt".
The /bin/sh interpreter processes the shell metacharacters (specifically the semicolon), executing both git status and the injected id > /tmp/pwned.txt command.
Arbitrary command execution is achieved, typically as the orchestrator process, allowing the attacker to bypass the intended sandbox controls and potentially escalate privileges or exfiltrate data.

Impact

Successful exploitation of CVE-2026-54051 leads to arbitrary command execution on the system running the network-ai orchestrator process. This vulnerability completely undermines the primary security mechanism designed to prevent a compromised agent from executing unauthorized commands. Attackers can leverage this to gain full control over the orchestrator, leading to data exfiltration, further lateral movement, or deployment of additional malicious payloads. While specific victim numbers are not provided, any organization utilizing network-ai with broad wildcard allowlist entries in its SandboxPolicy on Linux or macOS systems is susceptible to this critical flaw.

Recommendation

Upgrade immediately: Update network-ai package to version 5.9.1 or later to apply the patch for CVE-2026-54051.
Refine allowlists: Review and harden SandboxPolicy allowlist configurations, avoiding overly broad wildcard entries like node * or npm * even after patching.
Enable logging: Ensure process_creation logging (e.g., via Sysmon for Linux/macOS) is enabled to capture execution of shell interpreters and their command-line arguments.
Deploy Sigma rules: Deploy the provided Sigma rules to detect suspicious sh -c invocations and anomalous command executions.

CrowdStrike 2026 Technology Threat Landscape Report: China's Ambitions Fuel Attacks

hello@craftedsignal.io — Fri, 19 Jun 2026 05:22:20 +0000

The CrowdStrike 2026 Technology Threat Landscape Report reveals the technology sector as the primary target for both state-sponsored and eCrime adversaries during the period of April 1, 2025, to March 31, 2026. China-nexus groups, including MURKY PANDA, MUSTANG PANDA, OVERCAST PANDA, SUNRISE PANDA, and WARP PANDA, accounted for over 58% of state-sponsored intrusions, driven by goals of intelligence collection, intellectual property theft, and supply chain compromise. These actors utilized methods such as password spraying and exploiting vulnerabilities. DPRK-nexus groups like FAMOUS CHOLLIMA and STARDUST CHOLLIMA targeted the sector for financial gain through fraudulent employment schemes and supply chain compromises, notably the Axios npm package. eCrime adversaries conducted 65% of hands-on-keyboard operations, focusing on extortion, leveraging initial access brokers, distributing malware via lures (e.g., fake OpenClaw skills for macOS info stealers), and injecting malicious code into platforms like GitHub repositories.

Attack Chain

Initial Access: Adversaries gain initial entry through various means, including password spraying attacks (observed with MURKY PANDA), exploitation of public-facing vulnerabilities in applications or infrastructure (WARP PANDA), or by luring victims with social engineering tactics (e.g., fake OpenClaw skills distributing macOS info stealers).
Execution & Persistence: Upon successful compromise or user interaction, malware (such as the macOS information stealer) is executed. Attackers then establish and maintain persistent access within the targeted environment, often through methods not explicitly detailed in the report.
Lateral Movement & Credential Access: Threat actors move deeper into the network, frequently leveraging stolen credentials or exploiting internal weaknesses, to reach critical systems and high-value data.
Data Collection: Adversaries identify and gather sensitive information, including intellectual property, source code from private repositories (as seen with Crimson Collective's activities), and other data aligned with intelligence collection objectives.
Supply Chain Compromise: In some instances, attackers inject malicious code into widely used software components (e.g., STARDUST CHOLLIMA compromising the Axios npm package) or directly into public code repositories (e.g., the Glassworm actor compromising GitHub repositories).
Data Exfiltration: The collected intellectual property, sensitive data, or compromised code is then transferred out of the victim's network to adversary-controlled infrastructure.
Impact & Extortion: The ultimate objectives include intelligence collection, intellectual property theft, and financial gain. eCrime adversaries frequently resort to extortion, often by listing organizations on dedicated leak sites (572 tech organizations observed).

Impact

The technology sector faces severe consequences from these attacks, encompassing significant intelligence collection losses, intellectual property theft, and financial damage. State-sponsored actors, particularly China-nexus groups, aim to steal cutting-edge innovations and AI capabilities, hindering competitive advantage. eCrime groups extensively use extortion, naming 572 technology organizations on leak sites, vastly exceeding other sectors. Supply chain compromises, such as the STARDUST CHOLLIMA compromise of the Axios npm package, can expose millions of downstream users and poison open-source ecosystems, leading to widespread collateral damage and erosion of trust in software components. DPRK-nexus activities also contribute to financial losses through fraudulent employment schemes.

Recommendation

Deploy the Sigma rules in this brief to your SIEM and tune for your environment to detect macOS information stealers and suspicious application activity.
Implement strong multi-factor authentication (MFA) and monitor authentication logs for password spraying attempts, referencing the threat from MURKY PANDA.
Monitor process creation and network connections on macOS endpoints to detect suspicious activity indicative of the macOS information stealer distributed via "OpenClaw-related lures".
Scrutinize software supply chain integrity, including regular audits of npm package dependencies and GitHub repository activity, to mitigate risks highlighted by the STARDUST CHOLLIMA and Glassworm compromises.