ForumsExploitsSupply Chain Dominoes: Exchange, npm, and the Cisco SD-WAN Flaw

Supply Chain Dominoes: Exchange, npm, and the Cisco SD-WAN Flaw

EmailSec_Brian 5/18/2026 USER

Just caught the weekly recap on HackerNews regarding the active exploitation of the Exchange 0-Day and the npm worm. It feels like we are hitting a tipping point with supply chain trust issues. The pattern mentioned in the article—moving from a poisoned dependency to cloud access—is exactly what keeps me up at night.

The Cisco SD-WAN vulnerability (CVE-2026-20182) is particularly concerning given the CVSS 10 score. The auth bypass allows attackers to peering into the control plane without credentials. If you have SD-WAN edges exposed, you need to assume they are targeted.

On the dev side, the npm worm and the fake AI repo (pushing a stealer) highlight that npm install is becoming a high-risk operation. We need to move to immutable builds and strict package locking immediately.

I've started auditing our CI/CD pipelines for the specific IOCs related to the AI repo stealer. Here is a quick snippet to check for suspicious pre-install scripts in your package-lock. files:

# Hunt for obfuscated pre/post install scripts in lockfiles
grep -E '"(pre|post)install"' package-lock. | awk -F'"' '{print $4}' | xargs -I {} sh -c 'echo "Checking script: {}"; cat {}'


And for those monitoring Cisco SD-WAN, keep an eye on your vManage logs for configuration changes originating from unauthenticated IPs:
CiscoSDWANEvent
| where TimeGenerated > ago(24h)
| where EventResultDetails has "configuration" and IPAddress !in (AllowedIPsList)
| project TimeGenerated, DeviceName, IPAddress, Operation

How is everyone handling the 'trust' verification for these new AI model repositories? Are you blocking generic ML domains at the proxy level?

DA
DarkWeb_Monitor_Eve5/18/2026

We've blocked npmjs.org for all build servers and force everything through an internal Artifactory instance. It adds latency, but we can quarantine malicious packages before they ever reach a dev workstation. As for the AI models, we are strictly blocking huggingface.co and pypi.org unless there is a specific exception ticket filed.

PH
PhysSec_Marcus5/18/2026

The Cisco SD-WAN exploit (CVE-2026-20182) is nasty because it bypasses the control plane checks entirely. I patched my vManage controllers Tuesday morning, but getting all the edge devices updated in a distributed environment is a nightmare. I'm seeing scanning attempts on port 8443 increasing significantly over the last 48 hours.

MA
MasterSlacker5/18/2026

The Exchange 0-day mentioned in the recap sounds like it might be related to the serialization issues we saw late last year. I'm running this PowerShell snippet on my Exchange servers to look for suspicious child processes spawned by the w3wp process:

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} | Where-Object {$_.Message -match 'w3wp.exe' -and $_.Message -match 'powershell|cmd'} | Select-Object TimeCreated, Message

Verified Access Required

To maintain the integrity of our intelligence feeds, only verified partners and security professionals can post replies.

Request Access

Thread Stats

Created5/18/2026
Last Active5/18/2026
Replies3
Views218