A CVSS 10.0 authentication bypass in cPanel & WHM has been under active exploitation since February — two full months before the public PoC dropped this week. That is not a disclosure timeline; that is a head start for threat actors against one of the most widely deployed hosting control panels on the internet.

In the News

cPanel Auth Bypass (CVE-2026-41940) Exploited as Zero-Day Since February

CVE-2026-41940 is an authentication bypass in cPanel & WHM that allows an unauthenticated remote attacker to gain full administrative access to the hosting control panel. The CVSS score is 10.0 — the maximum — reflecting the combination of no authentication required, remote exploitability, and complete system compromise.

Attackers have been exploiting this vulnerability in the wild since late February 2026. The timeline matters: organizations that did not update cPanel during the zero-day window should assume compromise and audit for unauthorized administrative accounts, modified configurations, and webshells deployed in hosted sites. This is not hypothetical — exploitation predates the patch.

A public proof-of-concept was released this week, which collapses the exploitation barrier from “resourced threat actor” to “anyone who can follow a GitHub README.” The install base is massive: cPanel powers shared hosting, reseller hosting, and managed WordPress infrastructure across hundreds of thousands of servers globally.

What defenders should do: Update cPanel & WHM immediately. Audit administrative account lists for accounts created after February 2026. Review access logs for unauthenticated requests to the administrative API endpoints. Deploy web application firewall rules to block known PoC request patterns while patching completes. If you rely on a hosting provider, confirm their patch status directly.

SAP npm Packages Compromised in TeamPCP Supply-Chain Attack

Official SAP packages published on the npm registry were backdoored to steal developer credentials. The campaign, tracked as TeamPCP, inserted credential-harvesting code into packages that enterprise development teams use for SAP integration projects. When developers installed or updated the compromised packages, post-install scripts exfiltrated credentials to attacker-controlled infrastructure.

This is a trusted-source supply-chain attack — the same class as the ua-parser-js and event-stream incidents, but targeting enterprise SAP ecosystems specifically. The attack surface is large: most enterprises with SAP landscapes have development teams consuming npm packages for UI5, Cloud SDK, or custom integration modules.

The mechanism is straightforward. npm packages execute arbitrary code during installation via preinstall and postinstall hooks. The TeamPCP attack leveraged these hooks to run credential-harvesting scripts that targeted local credential stores, environment variables, and CI/CD pipeline secrets.

What defenders should do: Audit npm dependency trees in SAP-related projects for unexpected versions or newly added post-install scripts. Implement software composition analysis in CI/CD pipelines. Use lockfiles (package-lock.json) and enable npm audit. Monitor outbound network connections from build servers for connections to newly registered or low-reputation domains. Rotate credentials for any developer or service account that installed the affected packages.

Linux ‘Copy Fail’ (CVE-2026-31431) Enables Root With 4 Controlled Bytes

CVE-2026-31431 is a logic flaw in the Linux kernel’s authencesn cryptographic template — a component of the kernel’s crypto subsystem. The flaw has existed since 2017. An unprivileged local user can write 4 controlled bytes into any readable file’s page cache, and this page-cache corruption primitive can be escalated to full root access.

The attack mechanism exploits a boundary check failure in the authencesn template. By crafting specific cryptographic operations, an attacker triggers a copy operation that writes 4 bytes beyond the intended buffer — directly into the page cache of a target file. From there, the attacker modifies critical system files (such as /etc/passwd or shared library files mapped into privileged processes) to escalate privileges.

Every major Linux distribution — Red Hat, Ubuntu, Debian, SUSE, Fedora, Arch — is affected. Kernel patches are shipping from upstream and distribution maintainers, but the install base is enormous, and many organizations run kernel versions that lag behind upstream by months or years.

What defenders should do: Prioritize kernel updates on internet-facing servers, multi-tenant systems, and any host where unprivileged users have shell access. For systems where immediate patching is not possible, monitor for anomalous use of the kernel crypto API from unprivileged processes. Segment critical Linux workloads to limit lateral movement from any host where local privilege escalation succeeds. The MITRE ATT&CK technique is T1068 — Exploitation for Privilege Escalation.

GitHub RCE (CVE-2026-3854) Exposed Millions of Private Repositories

CVE-2026-3854 is a remote code execution vulnerability in GitHub.com and GitHub Enterprise Server. A malicious git push payload could trigger arbitrary code execution on the server side, potentially granting access to private repositories across the platform. The CVSS score is 9.0.

GitHub patched GitHub.com in early March 2026, but this is the first public disclosure of the vulnerability. Self-hosted GitHub Enterprise Server instances that have not applied the March update remain vulnerable. Given the typical patch cadence for self-hosted git infrastructure in enterprises, delayed patching is likely widespread.

The disclosure timeline is worth noting: GitHub silently patched in March, and public details are only surfacing now in late April. Organizations that track GitHub Enterprise Server updates as a routine maintenance item — rather than a security-critical patch — may not have prioritized the March release.

What defenders should do: Verify that GitHub Enterprise Server instances are running the March 2026 update or later. Audit git push logs for anomalous payloads or unexpected source IPs since January 2026. Restrict push access to repositories using branch protection rules and require signed commits where feasible. For GitHub.com customers, no action is required — the fix is server-side.

Today’s Deep Dive — Supply-Chain Attacks Are Accelerating: SAP, WordPress, and DPRK npm Campaigns

Three supply-chain stories landed in the same 48-hour window this week, and the pattern deserves attention beyond any single incident.

The SAP npm backdoor (TeamPCP) compromised official packages on a trusted registry to harvest developer credentials. The WordPress Quick Page/Post Redirect plugin was discovered to have contained a dormant backdoor since 2021 — five years of silent access across 70,000+ sites. And DPRK threat actors are now using AI-generated code to scale npm package poisoning through fake company campaigns, with reports indicating that AI tools were used to insert malicious dependencies into seemingly legitimate packages.

The common thread is trust exploitation. None of these attacks required a zero-day exploit or a sophisticated intrusion chain. They required an attacker to place malicious code where defenders already trust it — inside an official npm package, inside a WordPress plugin with years of history, inside a dependency tree that CI/CD pipelines pull without human review.

The defensive controls that matter here are not perimeter defenses. They are:

  1. Software composition analysis (SCA) — automated scanning of dependency trees for known-compromised packages, unexpected post-install hooks, and version anomalies.
  2. Lockfile enforcement — ensuring that package-lock.json, yarn.lock, or equivalent files are committed, reviewed, and enforced in CI/CD. A lockfile pins the exact version and integrity hash of every dependency.
  3. Build-server network monitoring — build servers should have tightly constrained egress. Any outbound connection to a newly registered domain or non-standard port from a build pipeline is a high-fidelity detection signal.
  4. SBOM generation and review — Software Bills of Materials are not just compliance artifacts. They are the mechanism by which you discover that a five-year-old WordPress plugin introduced a backdoor you never audited.

The MITRE ATT&CK mapping is T1195.002 — Supply Chain Compromise: Compromise Software Supply Chain. The DPRK campaign additionally maps to T1583.001 (Acquire Infrastructure: Domains) and T1588.001 (Obtain Capabilities: Malware) given the use of AI tooling to generate the malicious code.

For practitioners operating enterprise environments with SAP integrations, WordPress properties, or active Node.js development: audit your dependency trees this week. The five-year dormant backdoor in the WordPress plugin is the clearest possible evidence that supply-chain compromises are not always loud, fast, or detectable at the moment of insertion. Some are designed to wait.

Detection Spotlight

The SAP npm supply-chain attack and DPRK campaigns both rely on npm post-install hooks to execute credential-harvesting scripts. The following Splunk SPL query detects anomalous outbound network connections from hosts running npm install — a high-fidelity signal for supply-chain compromise via malicious post-install scripts:

index=sysmon sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3
| where like(ParentImage, "%node.exe") OR like(ParentImage, "%npm%")
| where NOT cidrmatch("10.0.0.0/8", DestinationIp)
  AND NOT cidrmatch("172.16.0.0/12", DestinationIp)
  AND NOT cidrmatch("192.168.0.0/16", DestinationIp)
| stats count dc(DestinationIp) as unique_dests values(DestinationIp) as dest_ips values(DestinationPort) as dest_ports by Computer ParentImage Image
| where unique_dests > 2 OR dest_ports != "443"
| sort - count

This query identifies outbound connections initiated by Node.js/npm processes to non-RFC1918 addresses. Legitimate npm operations connect to registry.npmjs.org (and CDN endpoints) over port 443. Connections to other destinations — especially on non-standard ports or to multiple unique IPs — indicate post-install scripts reaching out to attacker infrastructure. Tune the cidrmatch exclusions to include your internal network ranges and npm registry mirror IPs if applicable. False positive rate is low in environments where build servers have constrained egress policies.

For Linux environments, the equivalent detection uses auditd or Sysmon for Linux to monitor network connections spawned by node or npm parent processes.

References

Subscribe to the it-learn Brief

Get the daily cybersecurity brief in your inbox every weekday morning — news, SE angles, and detection queries.