May 7, 2026

Weekly Situation Report: 5/4/26

EXECUTIVE SUMMARY

This article informs our partners and clients about notable developments in the cybersecurity space, including relevant breaches, emerging vulnerabilities, research, threat actor movement, and what your organization needs to do to mitigate future threats.

KEY TAKEAWAYS

  • SAP-related npm packages have been targeted in the Shai-Hulud supply chain attack to distribute malicious code.
  • A critical vulnerability in cPanel and WHM is being actively exploited in the wild, with a public proof-of-concept now available.
  • GlassWorm supply chain attacks have been linked to cloned extensions hosted on the Open VSX marketplace.
  • LAPSUS$ hackers have leaked data from Checkmarx, with possible connections to TeamPCP and Shai-Hulud campaigns.
  • A Linux local privilege escalation vulnerability dubbed “CopyFail” affects most major distributions and enables attackers to gain root access.

1. SAP npm Packages Targeted in Shai-Hulud Supply Chain Attack

SUMMARY

A supply chain attack called Mini Shai-Hulud injected malicious code into four SAP npm packages, targeting credentials and cloud secrets. The attack may affect any organization using SAP CAP or MTA-based deployment pipelines.

Category

Supply Chain Risk

Industry

Technology, Manufacturing, Logistics and Shipping

Sources

https://www.securityweek.com/sap-npm-packages-targeted-in-supply-chain-attack/

https://semgrep.dev/blog/2026/malicious-dependency-in-pytorch-lightning-used-for-ai-training/

https://socket.dev/blog/malicious-ruby-gems-and-go-modules-steal-secrets-poison-ci

Internal OSec Research

ANALYST COMMENTS

A supply chain attack named Mini Shai-Hulud compromised four SAP npm packages. Based on social media postings, the compromise was likely due to a misconfigured CircleCI job resulting in npm token exposure. The affected packages include:

  • mbt 1.2.48
  • cap-js/db-service 2.10.1
  • cap-js/postgres 2.2.2
  • cap-js/sqlite 2.2.2

The malicious code included a preinstall script that fetched and executed a Bun binary from a GitHub repository with the goal of stealing local credentials and cloud secrets. Stolen data was exfiltrated through public GitHub repositories with a specific description. The compromised packages were available for 2-4 hours before being unpublished and replaced with clean versions. Based on shared encryption keys and observed behaviors, the campaign has been attributed to TeamPCP. 

As of this document, over 2,400 GitHub repositories have been identified that match the signature of this campaign. The repos all exhibit consistent hallmarks, including similar commit messages, the string “A Mini Shai-Hulud has Appeared”, or the commit message "OhNoWhatsGoingOnWithGitHub" followed by a ransom-style alphanumeric string. The PyTorch Lightning package has also been compromised, specifically versions 2.6.2 and 2.6.3. Additional package ecosystems have also been affected, including Ruby and Go environments associated with the GitHub account “BufferZoneCorp”. The Python version injects code into __init__.py to execute a Python script named start.py, which installs the Bun loader and the primary 11MB payload, execution.js. For the npm versions, the package.json file is modified to include a preinstall hook referencing setup.mjs, and a new file named execution.js is added to the package.

# Loader filenames typically added into package.json

setup.mjs - 4066781fa830224c8bbcc3aa005a396657f9c8f9016f9a64ad44a9d7f5f45e34
execution.js - 
mbt version = 80a3d2877813968ef847ae73b5eeeb70b9435254e74d7f07d8cf4057f0a710ac
cap-js/sqlite version = 6f933d00b7d05678eb43c90963a80b8947c4ae6830182f89df31da9f568fea95

Compromised accounts will show newly created repositories whose names include Dune-related references.

The compromised repositories on GitHub are the primary exfiltration point of the malware, so the actor has no need to rely on infrastructure beyond the code hosting platform. The stolen credentials and information are encrypted at rest on the compromised repositories.

This campaign is the latest example of supply chain attacks that abuse repository automation and LLM-assisted workflows within code repositories and package ecosystems. Given the variety of programming languages, delivery methods, and code modifications observed, it is highly likely that the group is using LLM-generated code within portions of their pipeline in order to quickly pivot certain aspects of their campaign. However, the primary infection vector continues to stem from misconfigured automation in CI/CD pipelines and leakage or theft of secrets, tokens, or credentials that are then re-used to compromise additional packages and repositories. These incidents should prompt organizations to review policies, automation controls, and secret management practices to ensure sensitive authentication material is not exposed. This is especially important within shared open source ecosystems, where a single compromise can produce significant downstream supply chain impacts across dependent projects and organizations.

ACTIONABLE GUIDANCE

Organizations using any of the affected packages should audit their development projects for the presence of the affected versions noted above. Package maintainers should audit their configurations to ensure their automation controls are properly hardened and monitor for unexpected package modifications, including the addition of unknown code, dependencies, or install script references. If compromise is suspected, known indicators include the creation of unknown Dune-themed repositories for the compromised account and the presence of files named results/results-<timestamp>-<counter>.json containing encrypted content. If malicious packages are identified, they should be immediately removed from the affected environment. All potentially exposed credentials and secrets should be rotated after the compromised packages and associated persistence items have been removed.

As a longer term mitigation strategy, organizations should enforce and maintain an SBOM for dependencies and consider maintaining an internally managed package repository to reduce exposure to third party supply chain compromise and downstream credential or key theft.
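
One way to run the project audit described above, as an added example (not OSec's or the affected projects' own tooling): it walks an npm project tree, flags the affected versions in package-lock.json and installed package.json files, and flags preinstall hooks that reference setup.mjs. It assumes lockfileVersion 2 or 3 and that npm spells the cap-js names with a leading "@" scope marker.

```python
import json
import sys
from pathlib import Path

# Affected versions as listed in this report. The report writes the cap-js names
# without npm's leading "@" scope marker, so names are compared with it stripped
# (assumption: lockfiles and manifests spell them "@cap-js/...").
AFFECTED = {
    "mbt": {"1.2.48"},
    "cap-js/db-service": {"2.10.1"},
    "cap-js/postgres": {"2.2.2"},
    "cap-js/sqlite": {"2.2.2"},
}
LOADER, PAYLOAD = "setup.mjs", "execution.js"  # file names from the report


def _load_json(path):
    """Parse a JSON object from a file; unreadable or malformed files yield None."""
    try:
        data = json.loads(path.read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return None
    return data if isinstance(data, dict) else None


def _is_affected(name, version):
    """True when name@version is one of the compromised releases."""
    return isinstance(version, str) and version in AFFECTED.get(str(name).lstrip("@"), ())


def audit_project(root):
    """Return sorted (kind, file, detail) findings for an npm project tree."""
    root = Path(root)
    findings = set()
    for lock in root.rglob("package-lock.json"):
        data = _load_json(lock) or {}
        # lockfileVersion 2/3: "packages" maps "node_modules/<name>" to metadata
        packages = data.get("packages")
        for key, meta in (packages.items() if isinstance(packages, dict) else ()):
            name = key.rpartition("node_modules/")[2]
            version = meta.get("version") if isinstance(meta, dict) else None
            if _is_affected(name, version):
                findings.add(("affected-version", lock.relative_to(root).as_posix(),
                              f"{name}@{version}"))
    for manifest in root.rglob("package.json"):
        data = _load_json(manifest) or {}
        where = manifest.relative_to(root).as_posix()
        if _is_affected(data.get("name", ""), data.get("version")):
            findings.add(("affected-version", where, f"{data['name']}@{data['version']}"))
        scripts = data.get("scripts")
        hook = scripts.get("preinstall", "") if isinstance(scripts, dict) else ""
        if LOADER in str(hook):
            payload = "present" if (manifest.parent / PAYLOAD).is_file() else "absent"
            findings.add(("preinstall-loader", where, f"{hook!r}; {PAYLOAD} {payload}"))
    return sorted(findings)


if __name__ == "__main__":
    results = audit_project(sys.argv[1] if len(sys.argv) > 1 else ".")
    for kind, where, detail in results:
        print(f"{kind}\t{where}\t{detail}")
    sys.exit(1 if results else 0)  # non-zero exit lets a CI job fail on findings
```

A clean result only covers what is on disk now; a host that installed an affected version during the exposure window still needs its credentials rotated.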

2. Critical cPanel and WHM Bug Exploited in the Wild and POC Disclosed Publicly

SUMMARY

Hackers have been exploiting a critical authentication bypass vulnerability (CVE-2026-41940) in cPanel & WHM (Web Hosted Mail) for several months. The vulnerability allows unauthenticated attackers to gain full administrative control over affected servers.

Category

Known Exploited Vulnerabilities

Industry

Technology, Telecommunications

Sources

https://www.securityweek.com/critical-cPanel-whm-vulnerability-exploited-as-zero-day-for-months/

https://www.bleepingcomputer.com/news/security/critical-cPanel-and-whm-bug-exploited-as-a-zero-day-poc-now-available/

https://www.namecheap.com/status-updates/ongoing-critical-security-vulnerability-in-cPanel-april-28-2026/

https://thehackernews.com/2026/04/critical-cPanel-authentication.html

https://www.bleepingcomputer.com/news/security/compromised-site-management-panels-are-a-hot-item-in-cybercrime-markets/

https://securityaffairs.com/191465/security/all-supported-cPanel-versions-hit-by-critical-auth-bug-now-patched.html

https://support.cPanel.net/hc/en-us/articles/40073787579671-Security-CVE-2026-41940-cPanel-WHM-WP2-Security-Update-04-28-2026

ANALYST COMMENTS

Hackers have been exploiting a critical authentication bypass vulnerability tracked as CVE-2026-41940 in cPanel & WHM for several months. If successfully exploited, it allows unauthenticated attackers to gain full administrative control over affected servers. The flaw poses a severe risk of system compromise and data exposure, with approximately 1.5 million internet-accessible cPanel instances potentially exposed to attack. While the vulnerability was disclosed on April 28, 2026, hosting providers reported that exploitation in the wild began as early as February 23, 2026. To remediate this issue, cPanel has released patches for multiple software versions and strongly recommends that administrators update their systems immediately.

The flaw stems from improper session handling and insufficient input validation, specifically CRLF injection. This ultimately allows an attacker to manipulate session data before the login process completes, effectively creating an authenticated administrator session. Public research and PoC code are now available and have likely contributed to broad exploitation of cPanel and WHM systems since the disclosure. Exploitation attempts generate identifiable log artifacts that can be reviewed during investigations.

However, cPanel and WHM remain attractive targets for threat actors due to their potential use in broader campaigns and as sources of credential and identity related data. As a result, organizations should prioritize short term monitoring and defensive review activities, particularly as our internal honeypot data continues to show increased interest and reconnaissance activity targeting cPanel infrastructure. 

ACTIONABLE GUIDANCE

A patch is currently available to remediate this vulnerability. If compromise is suspected, organizations should audit their logs for previously noted forensic artifacts that may indicate exploitation activity. The vendor has also released a detection script to help identify potential exploitation associated with this vulnerability.

3. GlassWorm Supply Chain Attacks Linked to Open VSX Extension Clones

SUMMARY

GlassWorm malware, first identified in October 2025, has resurfaced through 73 suspicious Open VSX extensions impersonating legitimate packages. The campaign appears designed to deliver malware through future updates while using social engineering and diverse delivery mechanisms to evade detection.

Category

Supply Chain Risk

Industry

Technology, Multiple

Sources

https://www.securityweek.com/dozens-of-open-vsx-extension-clones-linked-to-GlassWorm-malware/

https://socket.dev/blog/73-open-vsx-sleeper-extensions-GlassWorm

https://www.darkreading.com/cyberattacks-data-breaches/GlassWorm-returns-vs-code-extensions

https://socket.dev/blog/GlassWorm-sleeper-extensions-activated-on-open-vsx

ANALYST COMMENTS

Researchers report that over 70 extensions published in April on the Open VSX marketplace are potential sleeper extensions linked to the GlassWorm malware campaign. First identified in October 2025, GlassWorm used Unicode variation selectors to hide malicious code and leveraged the Solana blockchain for command and control (C2) operations. The newly identified extensions mimic popular packages through similar icons, names, and descriptions while being published under different accounts. The extensions appear intended to deliver malware through later updates, with at least six already confirmed as activated. The malware delivery methods combine bundled native binaries and remote payload retrieval to distribute functionality across multiple components and improve evasion capabilities.

Additionally, the malware aligns with past reports suggesting a likely Russian threat actor. This assessment is supported by locale and timezone checks that align with the region. Consistent with prior activity, the malware favors infrastructure associated with Vultr-related datacenter IPs (AS20473, The Constant Company, LLC).

The malware has shown variation between resurgences and is likely to change in the coming weeks. However, the IP infrastructure and the heavy use of Solana have remained consistent.

ACTIONABLE GUIDANCE

Blocking the previously identified IP addresses may help reduce the risk of compromise associated with this malware, while monitoring for unexpected connections to Solana related endpoints may help identify potential malicious activity or indicators of compromise. Organizations should also maintain an accurate SBOM to inventory packages and versions used across development projects. A further recommendation is to maintain internally managed repositories for approved packages and development tools to reduce exposure to malicious extensions, packages, and other supply-chain related threats. Campaigns targeting software supply-chains continue to increase in popularity among threat actors, with at least three major package ecosystem campaigns currently impacting multiple development environments.


4. LAPSUS$ Hackers Leaked Checkmarx Data, Potential Link with TeamPCP and Shai-Hulud

SUMMARY

Checkmarx confirmed that the LAPSUS$ threat group leaked data from its private GitHub repository, likely gained through a previous Trivy supply-chain attack by TeamPCP. This has resulted in the publication of malicious code and Docker images that stole credentials and other sensitive information.

Category

Threat Actor Activities

Industry

Technology, Financial and Fintech, Public Sector and Government Administration

Sources

https://checkmarx.com/blog/checkmarx-security-update-april-26/

https://www.bleepingcomputer.com/news/security/checkmarx-confirms-lapsus-hackers-leaked-its-stolen-github-data/

https://socket.dev/blog/checkmarx-supply-chain-compromise

Internal OSec Research

ANALYST COMMENTS

The LAPSUS$ threat group leaked data stolen from Checkmarx's private GitHub repository, initially gaining access through the Trivy supply-chain attack attributed to TeamPCP. Using stolen credentials from the Trivy incident, the attackers published malicious code on March 23rd and on April 22nd released malicious Docker images and extensions that could steal credentials and config files. While the leaked data is available on the dark web and clearnet portals, Checkmarx asserts that it does not contain customer information and is working with forensic experts to identify the exact type of data exposed. Access to the compromised GitHub repository has been blocked.

According to other reports, the campaign is still using the domain audit.checkmarx[.]cx for exfiltration activities. However, our current research indicates that the domain no longer resolves, suggesting that the threat actors may have changed their exfiltration infrastructure or delivery methods. The following indicators are provided to assist with identifying potential past compromise activity:

# Tokens and secrets are compressed before being sent over HTTPS
https://audit.checkmarx[.]cx/v1/telemetry
94[.]154[.]172[.]43 - IPv4 resolution of the above address

The use of Shai-Hulud naming conventions in compromised repositories also points to collaboration with TeamPCP, likely having the two campaigns feed each other for infostealer activities. The retirement of previously observed infrastructure, combined with the adoption of Shai-Hulud related tactics, may indicate the campaign is shifting toward GitHub based exfiltration methods or potentially being integrated into the broader Shai-Hulud campaign.

Based on reports, the following packages and docker versions are affected:

# Open VSX / VS Code extensions
checkmarx/cx-dev-assist@1.19.0
checkmarx/cx-dev-assist@1.17.0
checkmarx/ast-results@2.66.0
checkmarx/ast-results@2.63.0

# Docker images
pkg:docker/checkmarx/kics@alpine?platform=linux%2Famd64
pkg:docker/checkmarx/kics@v2.1.20?platform=linux%2Famd64
pkg:docker/checkmarx/kics@v2.1.21?platform=linux%2Famd64
pkg:docker/checkmarx/kics@alpine?platform=linux%2Farm64
pkg:docker/checkmarx/kics@v2.1.20?platform=linux%2Farm64
pkg:docker/checkmarx/kics@v2.1.21?platform=linux%2Farm64
pkg:docker/checkmarx/kics@debian?platform=linux%2Famd64
pkg:docker/checkmarx/kics@v2.1.20-debian?platform=linux%2Famd64
pkg:docker/checkmarx/kics@v2.1.21-debian?platform=linux%2Famd64
pkg:docker/checkmarx/kics@debian?platform=linux%2Farm64
pkg:docker/checkmarx/kics@v2.1.20-debian?platform=linux%2Farm64
pkg:docker/checkmarx/kics@v2.1.21-debian?platform=linux%2Farm64
pkg:docker/checkmarx/kics@latest?platform=linux%2Famd64
pkg:docker/checkmarx/kics@latest?platform=linux%2Farm64

mcpAddon.js (malicious) - 24680027afadea90c7c713821e214b15cb6c922e67ac01109fb1edb3ee4741d9

Modified Kics ELF binary - 2a6a35f06118ff7d61bfd36a5788557b695095e7c9a609b4a01956883f146f50

The use of mcpAddOn.js is similar to artifacts previously observed in the reported Bitwarden compromise. The campaign has made use of the string "LongLiveTheResistanceAgainstMachines" during malicious commits. However, no recent commits containing the string were identified during our research, suggesting the threat actor has likely retired its use. The commit structure of message_string:<string of random alphanumerics> also aligns with the Shai-Hulud campaign when malicious commits are used.

ACTIONABLE GUIDANCE

Organizations should review development environments to determine whether the affected Docker container versions or packages have been installed and promptly remove any identified malicious components. Following remediation, all credentials, tokens, and secrets should be rotated, including those associated with affected filesystems, cloud environments, and code repositories.

Compromised repositories will exhibit Shai-Hulud-like repository creation patterns, typically using Dune themed naming conventions. While the campaign has previously used dedicated infrastructure for exfiltration, it is likely that they are using GitHub pushes for primary exfiltration and will do so in the future. As a result, GitHub activity should be audited for unauthorized commits, repository creation, or unexpected push activity. 

To reduce long term supply chain risk, organizations should maintain an accurate and auditable SBOM for packages used within development projects. This helps reduce exposure to external supply chain threats and minimizes the risk of credential or secret theft across the environment.

5. “CopyFail” Linux LPE Affects Most Major Distros

SUMMARY

A local privilege escalation vulnerability named "Copy Fail" (CVE-2026-31431) impacting Linux kernels since 2017 allows unprivileged users to gain root access through a logic bug in the kernel's cryptographic template. This issue has been fixed by reverting an "in-place" optimization introduced in 2017.

Category

Known Exploited Vulnerabilities

Industry

Multiple (Cloud environments are at an increased risk)

Sources

https://copy.fail

https://www.bleepingcomputer.com/news/security/new-linux-copy-fail-flaw-gives-hackers-root-on-major-distros/

ANALYST COMMENTS

An exploit named "Copy Fail" (CVE-2026-31431) has been published for a local privilege escalation vulnerability affecting Linux kernels dating back to 2017. The vulnerability allows unprivileged local attackers to gain root access and was reportedly discovered by researchers using their AI-driven platform Xint Code. Technical details along with a proof-of-concept exploit have been made public. The flaw stems from a logic bug in the kernel's cryptographic template, allowing a controlled 4-byte write in the page cache of any readable file, altering setuid-root binaries in memory (which bypasses file integrity checks). 

The likelihood of threat actors weaponizing this vulnerability in the short term is high, likely having already integrated the privilege escalation vulnerability into attack chains at the time of this reporting. The published proof-of-concept demonstrates that the vulnerability can be exploited with a single command string leveraging common utilities such as curl, python, and su, significantly lowering the barrier to exploitation.

The exploit can also be copied from the site and altered for later use, which threat actors will likely do in order to add features and potential evasion tactics in a fully weaponized package. This has a high likelihood of being used against environments with significant web applications or cloud assets. Exploitation may also occur during post-compromise activity following the deployment of webshells on commonly targeted platforms such as cPanel or WordPress. The published exploit was reportedly tested against the following Linux distributions:

  • Ubuntu 24.04
  • Amazon Linux 2023
  • RHEL 10.x
  • SUSE 16

Cloud hosted Linux environments are likely to be priority targets, including deployments within Kubernetes and Docker based clusters.

ACTIONABLE GUIDANCE

Organizations should apply the latest kernel updates to affected Linux distributions as soon as possible. As a temporary mitigation, disabling the algif_aead module is recommended for environments that cannot update kernels immediately. If compromise is suspected, look for abnormal user behavior such as unexpected privilege escalation events associated with previously unprivileged accounts. Auditd monitoring is recommended to detect AF_ALG socket calls that may indicate exploitation, especially when correlated with sudden user privilege elevation to root.
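
The auditd correlation recommended above, as an added example (not from the report or the vulnerability's researchers): it flags an AF_ALG socket() call by a non-root user that is followed, in the same login session, by a process running with effective UID 0. It assumes audit rules already record socket() and execve() syscalls; the log lines, the 300-second window and the function names are constructed for illustration.

```python
import re

AF_ALG = 38  # Linux address-family number for the kernel crypto API socket
SOCKET_NR = {"c000003e": "41", "c00000b7": "198"}  # socket() on x86_64 / aarch64
UNSET_AUID = "4294967295"  # audit's "no login uid" value (daemons)
_STAMP = re.compile(r"msg=audit\((\d+\.\d+):\d+\)")
_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample records (not taken from a real host or from the report).
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1746400000.100:501): arch=c000003e syscall=41 success=yes exit=3 a0=26 a1=5 a2=0 a3=0 auid=1001 uid=1001 euid=1001 ses=7 comm="python3" key="af_alg"',
    'type=SYSCALL msg=audit(1746400002.300:502): arch=c000003e syscall=59 success=yes exit=0 a0=55d0 a1=55d1 a2=55d2 a3=0 auid=1001 uid=1001 euid=0 ses=7 comm="su" key="exec"',
    'type=SYSCALL msg=audit(1746400010.000:503): arch=c000003e syscall=41 success=yes exit=3 a0=2 a1=1 a2=0 a3=0 auid=1002 uid=1002 euid=1002 ses=9 comm="curl" key="net"',
    'type=SYSCALL msg=audit(1746400011.000:504): arch=c000003e syscall=59 success=yes exit=0 a0=55e0 a1=55e1 a2=55e2 a3=0 auid=1002 uid=1002 euid=0 ses=9 comm="sudo" key="exec"',
]


def parse_syscall(line):
    """Return the fields of a type=SYSCALL audit record as a dict, else None."""
    stamp = _STAMP.search(line)
    if not line.startswith("type=SYSCALL") or not stamp:
        return None
    rec = {key: value.strip('"') for key, value in _FIELD.findall(line)}
    rec["time"] = float(stamp.group(1))
    return rec


def is_af_alg_socket(rec):
    """True for socket(AF_ALG, ...); auditd logs syscall arguments in hex."""
    try:
        return rec["syscall"] == SOCKET_NR[rec["arch"]] and int(rec["a0"], 16) == AF_ALG
    except (KeyError, ValueError):
        return False


def correlate(lines, window=300.0):
    """Alert when a non-root AF_ALG socket is followed by euid 0 in the same session."""
    opened = {}  # (ses, auid) -> (time, comm) of the latest non-root AF_ALG socket
    alerts = []
    for rec in filter(None, map(parse_syscall, lines)):
        who = (rec.get("ses"), rec.get("auid"))
        if is_af_alg_socket(rec) and rec.get("uid") != "0":
            opened[who] = (rec["time"], rec.get("comm", "?"))
        elif (rec.get("euid") == "0" and who in opened
              and rec.get("auid") not in ("0", UNSET_AUID)):
            started, comm = opened[who]
            if 0 <= rec["time"] - started <= window:
                opened.pop(who)  # one alert per AF_ALG event
                alerts.append({"auid": rec["auid"], "ses": rec["ses"],
                               "alg_comm": comm, "escalated_comm": rec.get("comm"),
                               "delay": round(rec["time"] - started, 3)})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(alert)
```

Legitimate sudo or su use after a program opens an AF_ALG socket produces the same pattern, so treat each alert as a triage lead rather than confirmation of exploitation.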
