"This week, the shadows moved faster than the patches." — The Hacker News
CVE-2026-41940: cPanel and WHM under active exploitation
A critical authentication-bypass vulnerability in cPanel and WebHost Manager, tracked as CVE-2026-41940, is being actively exploited in the wild. The attacks have ranged from complete wipes of websites and backups to deployments of Mirai botnet variants and a ransomware strain called Sorry. The nature of the exploitation — remote attackers gaining elevated control of the control panel — has translated into destructive outcomes for some victims rather than simple data theft.
Copy Fail (CVE-2026-31431): a trivial, reliable Linux privilege escalation
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-31431, nicknamed "Copy Fail," to its Known Exploited Vulnerabilities catalog after evidence of active exploitation. Theori and Xint trace the bug to a sequence of routine kernel updates, including a 2017 change intended to speed data encryption. The flaw is a logic bug in the Linux kernel's authentication cryptographic template and, unusually for a local privilege escalation, can be triggered reliably by a 732‑byte Python-based exploit. According to reporting, Copy Fail works 100% of the time, leaves no traces on disk because it operates in memory, and enables container escape from any pod in a Kubernetes cluster — a potent threat to cloud-native deployments.
Supply chain sabotage and GitHub RCE: TeamPCP, Shai‑Hulud tactics, and CVE-2026-3854
TeamPCP continued a broad supply-chain campaign, compromising packages across npm, PyPI, and Packagist and weaponizing CI/CD pipelines to push poisoned versions under legitimate identities. The campaign has touched projects including Trivy and Checkmarx's KICS. Amit Genkin of Upwind warned this represents a shift: compromised pipelines are being used to spread to the next pipeline, turning credential theft into a scaling problem and making detection harder. He urged teams to check affected versions and rotate credentials tied to pipelines, especially GitHub and cloud tokens, and to reduce how broadly pipeline credentials are scoped.
Separately, researchers at Wiz disclosed a critical vulnerability in GitHub.com and GitHub Enterprise Server (CVE-2026-3854, CVSS 8.7) that could allow an authenticated user to obtain remote code execution with a single "git push" command. Microsoft rolled out a patch within six days of responsible disclosure. A Wiz spokesperson told The Hacker News that exploitation could expose the codebases of "nearly all of the world's biggest enterprises," calling it one of the most severe SaaS vulnerabilities ever found.
Vishing, AI-augmented phishing kits, and mobile surveillance on the clear web
Cordial Spider and Snarky Spider are using voice calls, text messages, and emails to direct targeted employees to phishing pages that mimic legitimate single sign-on portals, according to CrowdStrike. The actors use vishing to bypass multi-factor authentication, set up MFA devices under attacker control, and delete emails that would alert organizations to malicious activity. CrowdStrike noted these actors mask their tracks with residential proxy networks and operate almost within SaaS environments.
Crimeware is also professionalizing. Bluekit, a new phishing kit, offers more than 40 templates and an AI Assistant panel that supports multiple models — Llama, GPT-4.1, Claude, Gemini, and DeepSeek — to help criminals draft phishing emails. On the mobile front, a tool called KidsProtect is openly advertised on the clear web and, per Certo, allows an operator near-total secret control of a victim’s Android phone; it is available on subscription starting at $60. New Android malware strains such as KYCShadow and other remote-access toolkits continue to be distributed through WhatsApp and other channels, combining phishing, C2 persistence, and native code obfuscation.
What this means for technologists, open-source maintainers, and end users
- Technologists and security teams: Prioritize patching the CVEs flagged as trending (notably CVE-2026-41940 and CVE-2026-31431), audit pipeline credentials and rotation practices, and add visibility into installs and builds — steps explicitly recommended by Upwind's Amit Genkin.
- Open-source maintainers and CI/CD owners: Investigate pipeline compromises, rotate any tokens that pipelines may have used, limit credential scope, and treat legitimate-looking commits and pushes as possible vectors for poison if the pipeline identity was compromised.
- End users and administrators of SaaS: Expect vishing campaigns that aim to bypass MFA and be vigilant about unexpected requests to re-register authentication devices; consider the opt-in protections being offered by platforms — for example, OpenAI's Advanced Account Security — and harden account recovery and session visibility where available.
The week's pattern is clear: attackers are moving from single-shot breaches to occupation and scale, living inside sessions, abusing trusted pipelines, and weaponizing legitimate services. Small habits now will save major headaches later — patch urgently, rotate and narrow pipeline credentials, and treat every routine login or pipeline run as potentially hostile.
