Patch Tuesday tomorrow · Secure Boot certificate update due before June 26  ·  OX Security finds Miasma perpetual loop mechanism, exfiltration account removed  ·  CISA KEV supply chain triple expires tomorrow  ·  CYBERSIP.NET  ·  ISSUE 57
CYBERSIP™
Daily Cyber Brief  ·  Intelligence Without the Noise
Issue No. 57  ·  June 8, 2026  ·  cybersip.net  ·  3 items  ·  Under 5 min read
Today’s picture
Two items converge tomorrow. Patch Tuesday ships at 10am PST and includes the Secure Boot certificate update ahead of the June 26 expiration date. Microsoft confirms that unupdated devices will continue to boot normally and receive standard Windows updates after June 26, but will lose the ability to receive future Secure Boot protections including revocation lists and mitigations for new boot-level threats. Worth doing, not a crisis. Windows Server requires manual action and does not auto-update like Windows PCs. The CISA KEV deadline for DAEMON Tools, TanStack, and Nx Console also expires tomorrow, June 10, having first appeared in this brief at Issue 46. On the Miasma supply chain worm, OX Security published new analysis over the weekend confirming a perpetual loop mechanism in the attack chain, and the primary exfiltration account liuende501 with 236 staged credential repositories has since been removed by GitHub.
Tomorrow · Patch Tuesday · Secure Boot Deadline
June 9 Patch Tuesday carries the Secure Boot certificate update before the June 26 expiration. Unupdated devices will keep booting normally but lose the ability to receive future Secure Boot protections.
Microsoft confirms unupdated devices continue to start and operate normally after June 26. The consequence is forward-looking: without the 2023 certificates, devices cannot receive future Secure Boot database updates, revocation lists, or mitigations for newly discovered boot-level vulnerabilities. Worth doing, not an emergency.
New Details · Miasma · Supply Chain
OX Security confirms Miasma perpetual loop: worm searches dead-drop commits to retrieve a secondary payload, creating a self-sustaining infection cycle. Exfiltration account removed.
The loop mechanism means remediation is not complete if only the initial package infection is removed. Any machine that ran an affected install may still have the secondary payload active. Audit Claude Code and VS Code configs and rotate all developer credentials if not already done.
Tomorrow · KEV Triple
CISA supply chain KEV deadline expires tomorrow: DAEMON Tools, TanStack, and Nx Console. Federal agencies must complete remediation. Private organisations should too.
First covered in Issue 46 on May 29. The three items are distinct: update or remove DAEMON Tools, run a software composition analysis covering lock files for TanStack transitive dependencies, and rotate developer credentials from any machine that had the compromised Nx Console version installed.
Detailed intelligence
Full analysis
01 Tomorrow Patch Tuesday
June 9 Patch Tuesday delivers the Secure Boot certificate update ahead of the June 26 expiration. Devices that miss it keep booting normally but lose forward coverage for boot-level threats.
June 9, 2026 · 10am PST
Microsoft’s own documentation is explicit: unupdated devices will continue to start and operate normally after June 26, and standard Windows updates will continue to install. The consequence is that those devices will no longer be able to receive future Secure Boot database updates, revocation lists, or mitigations for newly discovered boot-level vulnerabilities.
Executive Impact
This is a meaningful security update worth completing before June 26, not an emergency. Most consumer and business PCs manufactured since 2024 already have the 2023 certificates in firmware. For managed enterprise fleets, Windows PCs receive the update automatically through the monthly update process. Windows Server requires manual action. Verify your fleet status and prioritise servers that have not yet received the update.
Don’t Miss
The distinction matters for how you prioritise this. A missed Secure Boot certificate update does not break devices or prevent patching. It means those devices cannot receive new boot-level protections going forward, including revocation of newly discovered vulnerable bootloaders. That is a real degradation in security posture over time, but it is not an emergency today. Windows Server is the more urgent concern because it does not receive the update automatically and requires deliberate manual action, unlike Windows PCs which get it through the standard monthly update process.
CyberSip Take
Apply June Patch Tuesday normally tomorrow. For the Secure Boot certificate specifically, check your Windows Server fleet first since those require manual action and do not auto-update. For Windows PCs, verify the update has been received via the Windows Security app or endpoint management tooling. You have until June 26 and devices keep working if you miss it — but closing the window before the deadline is the right call.
Derived from Help Net Security June Patch Tuesday forecast and Zecurit analysis, June 5–8, 2026.
02 New Details Miasma
Miasma update: OX Security confirms a perpetual loop mechanism. The worm retrieves a secondary payload via dead-drop commits, sustaining itself beyond the initial infection. Exfiltration account removed.
Miasma · OX Security · June 7
New research published over the weekend adds a critical remediation detail: removing the originally infected package is not sufficient if the secondary loop payload has already executed. Any machine that installed an affected package during the compromise window needs a full credential rotation and config audit regardless of whether the package has since been removed.
Executive Impact
If your team ran npm install against any affected Miasma package between June 1 and June 6 and has not yet rotated credentials, the perpetual loop detail makes that rotation more urgent, not less. The secondary payload can persist independently of the original infected package. Rotate all developer credentials, audit Claude Code and VS Code configuration files for injected persistence entries, and check for unexpected outbound connections from developer machines.
Don’t Miss
The removal of the liuende501 exfiltration account, which hosted 236 credential dead-drop repositories, is a meaningful defensive action but does not clean up machines that already exfiltrated credentials to it. The stolen credentials were uploaded before the account was removed. Treat any machine that was affected during the active window as having had its credentials exfiltrated regardless of whether the account that received them is still accessible. The credential rotation requirement does not change because the destination account is gone.
CyberSip Take
The account is gone but the stolen credentials are not. If you have been treating Miasma as resolved because the affected packages were pulled and the exfiltration account was removed, the OX Security loop analysis is the reason to revisit that conclusion. Remediation is complete when credentials are rotated, not when the malicious package is removed from the registry.
New details

OX Security published analysis over the weekend of June 7 revealing an additional stage in the Miasma attack chain that had not been fully documented in earlier reporting. After the initial credential theft and propagation, the worm searches GitHub for commits containing a specific dead-drop string to retrieve a JavaScript file containing an alternative version of the Shai-Hulud worm. This creates a perpetual loop: a machine infected by the primary Miasma payload can re-infect itself and continue exfiltrating credentials independently of whether the original compromised npm package is still installed.

This changes the remediation calculus. Earlier guidance focused on removing affected packages and rotating credentials exposed at install time. The loop mechanism means a machine that ran an affected install and was not immediately isolated may have a secondary persistent payload running independently. Checking Claude Code session configuration files and VS Code tasks.json files for injected entries, as covered in Issue 55, remains the detection mechanism for the developer tool persistence component.

Separately, GitHub has removed the liuende501 account that served as the primary credential exfiltration destination, which hosted 236 repositories containing stolen credentials as encrypted JSON files. The account removal disrupts the exfiltration path for new infections but does not affect credentials already stolen and uploaded prior to removal.

Derived from OX Security and The Hacker News analysis of Miasma loop mechanism, published June 6–7, 2026.
03 Tomorrow KEV Triple
CISA supply chain KEV deadline expires tomorrow: DAEMON Tools, TanStack, and Nx Console. Three distinct remediations, each with a different completion test.
CVE-2026-8398 · CVE-2026-45321 · CVE-2026-48027
The June 10 federal remediation deadline for the three supply chain CVEs added to KEV on May 27 expires tomorrow. The three items share a deadline but require different remediation actions and have different completion criteria.
Executive Impact
Federal agencies are legally required to remediate by tomorrow. Private organisations face no legal obligation but the same operational risk. If any of the three items remain open, complete them today. Each has a different remediation: an app update, a dependency audit, and a credential rotation respectively.
Don’t Miss
The TanStack remediation is the one most likely to be incomplete. Updating the TanStack package in package.json is not sufficient if lock files or cached CI build artifacts still reference a compromised version. The software composition analysis needs to cover all of: the current package.json, package-lock.json and yarn.lock files, cached npm packages on CI runners, and any Docker or container images built during the compromise window that bundled affected versions as layers. A build pipeline that installs from a cached layer containing a compromised TanStack version is still exposed even if the developer’s local package.json is clean.
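An added example (not code from CyberSip, CISA or TanStack) of the lock-file part of that audit: it scans package-lock.json and yarn.lock text for resolved versions on a denylist, including transitive entries that package.json never names. The package names and versions are constructed placeholders, and CI caches and container image layers still need their own scan.

```javascript
// CONSTRUCTED placeholder denylist (package -> bad versions); fill in from the advisory.
const COMPROMISED = new Map([
  ["@example-scope/router-core", new Set(["1.2.4", "1.2.5"])],
  ["example-query-utils", new Set(["3.0.1"])],
]);
const NM = "node_modules/";
const isBad = (name, version) => (COMPROMISED.get(name) || new Set()).has(version);

// package-lock.json v2/v3: flat "packages" map keyed by install path; v1: nested "dependencies".
function scanPackageLock(text) {
  const lock = JSON.parse(text);
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const i = path.lastIndexOf(NM);
    // meta.name is set for aliased installs; otherwise the name is the path tail.
    const name = meta.name || (i < 0 ? path : path.slice(i + NM.length));
    if (isBad(name, meta.version)) hits.push(`${name}@${meta.version} (${path})`);
  }
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const here = trail.concat(name);
      if (isBad(name, meta.version)) hits.push(`${name}@${meta.version} (${here.join(" > ")})`);
      walk(meta.dependencies, here);
    }
  };
  if (!lock.packages) walk(lock.dependencies, []); // v1 only, avoids double counting in v2
  return hits;
}
// yarn.lock: an unindented "spec[, spec]:" header, then a 2-space-indented version field.
function scanYarnLock(text) {
  const hits = [];
  let name = null;
  for (const line of text.split(/\r?\n/)) {
    if (/^[^\s#].*:$/.test(line)) {
      const spec = line.slice(0, -1).split(",")[0].trim().replace(/^"|"$/g, "");
      name = spec.slice(0, spec.lastIndexOf("@")); // keeps the leading @ of scoped names
    } else {
      const m = name && line.match(/^ {2}version:? "?([^"\s]+)"?/);
      if (m && isBad(name, m[1])) hits.push(`${name}@${m[1]} (yarn.lock)`);
    }
  }
  return hits;
}
// Constructed lockfiles: package.json names only "example-app-kit", yet each resolves a bad version.
const SAMPLE_LOCK = JSON.stringify({ lockfileVersion: 3, packages: {
  "": { name: "demo", dependencies: { "example-app-kit": "^2.0.0" } },
  "node_modules/example-app-kit": { version: "2.0.3" },
  "node_modules/example-app-kit/node_modules/example-query-utils": { version: "3.0.1" } } });
const SAMPLE_YARN = 'example-app-kit@^2.0.0:\n  version "2.0.3"\n\n"@example-scope/router-core@^1.2.0":\n  version "1.2.5"\n';
console.log(scanPackageLock(SAMPLE_LOCK), scanYarnLock(SAMPLE_YARN));
```

Run the same two functions over every lock file checked out on CI runners and extracted from image layers built during the compromise window; an empty result from the developer's working copy alone is not a completion test.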
CyberSip Take
The KEV deadline is tomorrow. The three items have been in this brief since Issue 46. If they are not yet complete, today is the day. Use the compliance deadline as the forcing function it was designed to be.
Completion criteria for each item

DAEMON Tools CVE-2026-8398: Update to version 12.6 or later, or uninstall entirely. On any machine that installed DAEMON Tools between April and May 2026 from the official site, rotate credentials regardless of whether the version has since been updated. The credential rotation is the remediation, not the software update.

TanStack CVE-2026-45321: Run a software composition analysis covering package.json, lock files, cached CI packages, and any container images built during the compromise window. Confirm no references to the 42 compromised packages across 84 affected versions remain in any active build pipeline or deployed artifact.

Nx Console CVE-2026-48027: Confirm the Nx Console VS Code extension is updated to the patched version. On any developer machine that had the compromised version installed during the May window, rotate GitHub tokens, cloud provider keys, CI/CD secrets, and npm tokens. The extension update closes the future exposure; only the credential rotation closes the past exposure.

Derived from CISA KEV catalog entry dated May 27, 2026, first covered in Issue 46.
Still watching
Aging items · days 2–5
Items here remain operationally relevant but have no significant new developments. They drop off after 7 days.
Cisco SD-WAN CVE-2026-20245 (Issue 56). Seventh zero-day exploited this year, no patch yet. Restrict CLI access to trusted administrators, apply published IOCs to SIEM rules. Patch immediately when released. · Day 2
Windows Netlogon CVE-2026-41089 CVSS 9.8 (Issue 51). Active exploitation confirmed. Patch from May 12 Patch Tuesday. Any domain controller still unpatched is an active target. · Day 7
Cross-source standouts
01 Three deadlines, three different kinds of action required, all due tomorrow
Patch Tuesday requires applying updates. The Secure Boot dbx update within it requires testing before deploying. The CISA KEV triple requires three distinct remediations: a software update, a dependency audit including lock files and container image layers, and a credential rotation. They share a date but have nothing else in common. Organisations that treat all three as a single “apply updates” task will complete the easiest one and leave the harder two incomplete. The TanStack lock file audit and the Nx Console credential rotation are the two items most likely to be missed because they require work beyond updating a package version number.
02 Removing a malicious package does not constitute remediation
Miasma’s perpetual loop mechanism is the clearest example this brief has documented of why package removal is the starting point of remediation, not the endpoint. The TanStack remediation has the same structural problem: a clean package.json does not mean a clean build pipeline if lock files or CI cache layers still reference a compromised version. The Nx Console remediation has it too: updating the extension does not revoke credentials that were exposed during the window it was installed. The consistent pattern across all three supply chain items this week is that the visible artifact can be cleaned while the actual exposure, stolen credentials or a persistent secondary payload, remains active. Remediation is complete when the exposure is closed, not when the artifact is removed.
Our methodology
  • Federal cybersecurity advisories
  • Law enforcement threat bulletins
  • National vulnerability databases
  • Major vendor security advisories
  • Cross-referenced for relevance and corroboration
About CyberSip
A cyber brief for leaders and practitioners who need signal, not noise. Intelligence without the noise, published on cybersip.net.

CyberSip aggregates cybersecurity information from publicly available sources for informational purposes only. CyberSip does not provide legal, technical, incident response, or compliance advice, and makes no guarantee regarding completeness, accuracy, or timeliness. Organizations should validate all findings within their own environments and consult qualified professionals as appropriate. Original advisories, remediation guidance, and technical details remain with the referenced source organizations. Items remain active for no more than 7 days from publication unless materially updated.