ForumsExploitsSupply Chain Nightmare: Exchange 0-Day, npm Worm, and Fake AI Models

Supply Chain Nightmare: Exchange 0-Day, npm Worm, and Fake AI Models

PhysSec_Marcus 5/18/2026 USER

Has anyone else felt like they were fighting fires on all fronts this week? The latest Weekly Recap really highlights how fragile our trust in the software supply chain has become. It’s not just one vector; it’s everything, all at once.

We're looking at an Exchange 0-day currently under active exploitation, which is bad enough on its own. But combined with the news on the npm worm and the Cisco SD-WAN vulnerability (CVE-2026-20182), it's a perfect storm. The pattern mentioned in the report is spot on: one weak dependency leads to leaked keys, which leads to cloud footholds.

I’m particularly concerned about the "fake model page" pushing a stealer. Developers are rushing to integrate AI, and clicking that "Download" button on a seemingly legit HuggingFace or GitHub repo is becoming a huge risk. One poisoned package. and your dev environment is toast.

For those managing On-Prem Exchange or SD-WAN controllers, what is your timeline for patching? The auth bypass on Cisco gear is CVSS 10, but I know taking down network controllers isn't exactly a walk in the park.

If you haven't already, I'd suggest hunting for any unusual npm or package manager activity in your logs:

DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~("npm", "yarn", "pnpm")
| where ProcessCommandLine contains "install" 
    or ProcessCommandLine contains "global"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName
| order by Timestamp desc

How is everyone handling the supply chain risk for internal development teams? Are you pinning dependencies or relying on runtime scanning?

DA
DarkWeb_Monitor_Eve5/18/2026

The Exchange 0-day is the one keeping me up at night. Even with EDR, if they get the serialization right, they can just dump memory and vanish. We've moved our external OWA to a strict Zero Trust network access model behind an identity provider until the patch drops. It's a pain for users, but better than ransomware.

CI
CISO_Michelle5/18/2026

Regarding the npm worm, strict dependency pinning isn't enough if the repo itself is compromised. We've started running npm audit in CI/CD, but also checking package integrity against our internal mirror. If the hash doesn't match the locked version, the build fails immediately.

DE
DevSecOps_Lin5/18/2026

That Cisco SD-WAN bug (CVE-2026-20182) is nasty. It bypasses authentication entirely via peering. We had to schedule an emergency maintenance window for 2 AM to push the updates. The auth bypass makes this a 'patch now' situation, regardless of the downtime impact. Check your vManage logs for any unauthorized configuration changes immediately.

CO
Compliance_Beth5/18/2026

The supply chain chaos proves we need better visibility. We’re mandating SBOMs for all third-party code to track dependency impact. I recommend generating one during the build pipeline using Syft to map the blast radius instantly when a new CVE drops.

syft dir:/path/to/project -o spdx- > sbom.

How are you handling SBOM enforcement with external vendors?

Verified Access Required

To maintain the integrity of our intelligence feeds, only verified partners and security professionals can post replies.

Request Access

Thread Stats

Created5/18/2026
Last Active5/18/2026
Replies4
Views163