This week, the shadows moved faster than the patches.
While most teams were still triaging last month’s alerts, attackers had already turned control panels into kill switches, kernels into open doors, and open-source pipelines into silent delivery systems.
The game has shifted from breach to occupation. They’re living inside SaaS sessions, pushing code with trusted commits, and scaling operations like legitimate businesses — except their product is chaos. And the underground is getting uncomfortably professional.
Here’s the full weekly cybersecurity recap:
⚡ Threat of the Week
cPanel Flaw Comes Under Attack—A critical flaw in cPanel and WebHost Manager (WHM) has come under active exploitation in the wild. The vulnerability, tracked as CVE-2026-41940, could result in an authentication bypass and allow remote attackers to gain elevated control of the control panel. In some cases, the attacks have led to a complete wipe of entire websites and backups. Other attacks have deployed Mirai botnet variants and a ransomware strain called Sorry.
🔔 Top News
Cybercrime Groups Use Vishing for Data Theft and Extortion—Two cybercrime groups tracked as Cordial Spider and Snarky Spider are carrying out "rapid, high-impact attacks" that operate almost entirely within SaaS environments while leaving minimal traces of their actions. The groups employ voice calls, text messages, and emails, directing targeted employees to phishing pages masquerading as their employer's legitimate single sign-on (SSO) page to capture credentials and give the attackers an entry point into systems, which they then exploit for deeper access to the victims' SaaS environments. The attackers also use this initial access to remove existing multi-factor authentication devices, register new ones under their own control, and delete emails that would otherwise alert organizations to the malicious activity. According to CrowdStrike, "These actors use vishing to bypass MFA and move laterally across entire SaaS ecosystems with a single authenticated session, masking their tracks through residential proxy networks to blend in as legitimate home user traffic. This is part of a larger trend of English-speaking ransomware crews that share similar playbooks but are branching off into their own distinct groups."
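The sequence described above (a sign-in from an unfamiliar source, followed by MFA device changes and deletion of the alert email, all within one session) is something an identity or SaaS audit log can surface. The following is an added example, not code from the article or from CrowdStrike: it correlates a small set of constructed audit events per user and flags the pattern. The event names, the `ip_type` classification and the sample lines are all assumptions; real IdP and mail-audit schemas differ.

```python
"""Added example (not from the original article): correlate SaaS identity
audit events to flag a vishing-style session takeover pattern.
The event schema and every sample line below are constructed."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit events in a simplified JSON-lines form (assumed schema).
SAMPLE_LOG = """
{"ts":"2026-05-04T09:02:10Z","user":"alice@example.com","event":"login.success","ip":"203.0.113.10","ip_type":"corporate"}
{"ts":"2026-05-04T09:05:41Z","user":"alice@example.com","event":"login.success","ip":"198.51.100.77","ip_type":"residential_proxy"}
{"ts":"2026-05-04T09:06:30Z","user":"alice@example.com","event":"mfa.device.registered","ip":"198.51.100.77","ip_type":"residential_proxy"}
{"ts":"2026-05-04T09:07:12Z","user":"alice@example.com","event":"mfa.device.removed","ip":"198.51.100.77","ip_type":"residential_proxy"}
{"ts":"2026-05-04T09:09:05Z","user":"alice@example.com","event":"mail.message.deleted","ip":"198.51.100.77","ip_type":"residential_proxy","subject":"Security alert: new sign-in"}
{"ts":"2026-05-04T10:15:00Z","user":"bob@example.com","event":"login.success","ip":"203.0.113.22","ip_type":"corporate"}
{"ts":"2026-05-04T10:20:00Z","user":"bob@example.com","event":"mfa.device.registered","ip":"203.0.113.22","ip_type":"corporate"}
{"ts":"2026-05-04T11:00:00Z","user":"carol@example.com","event":"login.success","ip":"198.51.100.90","ip_type":"residential_proxy"}
{"ts":"2026-05-04T11:03:00Z","user":"carol@example.com","event":"mfa.device.registered","ip":"198.51.100.90","ip_type":"residential_proxy"}
"""

WINDOW = timedelta(minutes=30)
FACTOR_CHANGES = {"mfa.device.registered", "mfa.device.removed"}
SENSITIVE = FACTOR_CHANGES | {"mail.message.deleted"}


def parse_events(text):
    """Parse JSON-lines audit events and return them sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def find_session_takeovers(events, window=WINDOW):
    """Return one alert per (user, login) where a sign-in from a non-corporate
    source is followed, from the same IP and within `window`, by BOTH an MFA
    factor change and a mail deletion. Requiring both keeps ordinary
    device enrolment from a home network (carol above) out of the alert set."""
    alerts = []
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    for user, evs in by_user.items():
        for i, login in enumerate(evs):
            if login["event"] != "login.success" or login["ip_type"] == "corporate":
                continue
            followups = [
                f for f in evs[i + 1:]
                if f["ip"] == login["ip"]
                and f["event"] in SENSITIVE
                and f["ts"] - login["ts"] <= window
            ]
            kinds = {f["event"] for f in followups}
            if kinds & FACTOR_CHANGES and "mail.message.deleted" in kinds:
                alerts.append({
                    "user": user,
                    "ip": login["ip"],
                    "login_ts": login["ts"].isoformat(),
                    "events": sorted(kinds),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_session_takeovers(parse_events(SAMPLE_LOG)):
        print(alert)
```

Run against the constructed log, only alice's session is flagged: bob enrolled a device from a corporate address, and carol's home-network enrolment lacks the mail-deletion step. In production the `ip_type` field would come from a proxy or ASN enrichment, and the window should be tuned to the IdP's session lifetime.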
Copy Fail Linux Flaw Exploited—The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-31431, a vulnerability impacting various Linux distributions, to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild. It's described as a logic bug in the Linux kernel's authentication cryptographic template that allows an attacker to reliably and trivially escalate privileges using a 732-byte Python-based exploit. According to Theori and Xint, CVE-2026-31431 was the result of a series of unremarkable updates to the Linux kernel over the years, particularly one update from 2017 that was meant to speed up data encryption. As a result, all major Linux distributions released since 2017 are impacted. What complicates matters is that Copy Fail works 100% of the time, unlike most local privilege escalation (LPE) bugs, which tend to be probabilistic in nature. More worryingly, it leaves no traces on disk because exploitation occurs entirely in memory, and it enables container escape from any pod in a Kubernetes cluster.
TeamPCP's Supply Chain Attack Spree Continues—TeamPCP's extensive supply chain campaign continued last week, as the cybercriminal group compromised several packages across the npm, PyPI, and Packagist ecosystems in a "Mini Shai Hulud" attack. TeamPCP has in recent months compromised the packages of several open source software projects, including Trivy, a security scanner maintained by Aqua Security, and KICS, a Checkmarx-developed tool for static code analysis. Amit Genkin, threat researcher at Upwind, said the latest string of attacks represents a shift, where they are not only more frequent but harder to detect because they weaponize legitimate CI/CD pipelines to push out poisoned versions under real identities, allowing the activity to blend in with normal development workflows. "Campaigns like Shai-Hulud take that further by using each compromised pipeline to spread to the , turning credential theft into a scaling problem across environments," Genkin said. "For teams, the immediate priority is to check for the affected version and rotate any credentials tied to pipelines that may have run it, especially GitHub and cloud tokens. Longer term, this is a signal to reduce how broadly pipeline credentials are scoped and to add visibility into what's actually happening during installs and builds – because if you're relying on traditional scanning or known indicators, this type of activity is easy to miss."
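Genkin's immediate advice is to check for the affected versions and rotate any pipeline credentials that may have run them. The block below is an added example, not code from the article, Upwind, or any of the projects named above: it walks an npm `package-lock.json` (v2/v3 format, including nested `node_modules` copies) and a Python `requirements.txt`, and reports any pin that matches a compromised-version list. The package names and versions in `COMPROMISED` are constructed placeholders standing in for a real indicator list, and the sample lockfile and requirements are constructed as well. Unpinned Python requirements are reported separately, since a version range cannot be cleared without resolving it.

```python
"""Added example (not from the article or any vendor): scan lockfiles for
known-compromised package versions. COMPROMISED is a constructed placeholder
for a real indicator list; sample inputs are constructed."""
import json
import re

# Constructed placeholder indicators: {ecosystem: {package: {bad versions}}}
COMPROMISED = {
    "npm": {"example-build-helper": {"4.2.1", "4.2.2"}},
    "pypi": {"example-scanner-utils": {"1.9.0"}},
}

# Constructed package-lock.json (lockfileVersion 3 layout).
SAMPLE_PACKAGE_LOCK = json.dumps({
    "name": "app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "app", "version": "1.0.0"},
        "node_modules/example-build-helper": {"version": "4.2.2"},
        "node_modules/left-pad": {"version": "1.3.0"},
        # Nested copy of the same package at a clean version.
        "node_modules/left-pad/node_modules/example-build-helper": {"version": "4.1.0"},
    },
})

# Constructed requirements.txt with a comment, an exact pin and a range.
SAMPLE_REQUIREMENTS = """
# constructed requirements.txt
requests==2.31.0
example-scanner-utils==1.9.0  # pinned by CI
Example_Scanner-Utils>=1.8
"""


def npm_lock_packages(text):
    """Yield (name, version) for every installed package in a v2/v3
    package-lock.json, including nested node_modules copies."""
    data = json.loads(text)
    for path, meta in data.get("packages", {}).items():
        if not path:
            continue  # "" is the root project entry, not a dependency
        # Scoped names (@org/pkg) and nested paths both end in the package name.
        name = path.rsplit("node_modules/", 1)[-1]
        yield name, meta.get("version")


def pypi_requirements(text):
    """Yield (normalized name, version) per requirement line; version is None
    when the line is not an exact '==' pin."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==\s*([^\s;]+))?", line)
        if not m:
            continue
        # PEP 503 normalization so Example_Scanner-Utils == example-scanner-utils
        name = re.sub(r"[-_.]+", "-", m.group(1)).lower()
        yield name, m.group(3)


def find_compromised(lock_json, requirements, indicators=COMPROMISED):
    """Return a list of (ecosystem, package, version-or-note) hits."""
    hits = []
    for name, ver in npm_lock_packages(lock_json):
        if ver in indicators["npm"].get(name, set()):
            hits.append(("npm", name, ver))
    for name, ver in pypi_requirements(requirements):
        bad = indicators["pypi"].get(name, set())
        if ver is None and bad:
            hits.append(("pypi", name, "unpinned (resolve and re-check)"))
        elif ver in bad:
            hits.append(("pypi", name, ver))
    return hits


if __name__ == "__main__":
    for hit in find_compromised(SAMPLE_PACKAGE_LOCK, SAMPLE_REQUIREMENTS):
        print(hit)
```

A hit on a pipeline's lockfile is the trigger for the second half of the advice: treat every GitHub and cloud token that pipeline could read as exposed and rotate it. Note that the nested `4.1.0` copy is correctly not reported, while the range-only requirement is surfaced because it could resolve to the bad version at install time.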
New Python Backdoor Enables Comprehensive Data Theft—A newly identified stealthy Python-based backdoor framework dubbed DEEP#DOOR provides attackers with persistent remote command execution and surveillance capabilities on Windows computers. Once active, the backdoor enables shell command execution, file manipulation, system and network reconnaissance, and surveillance operations such as keylogging, clipboard monitoring, screenshot capture, microphone and webcam access, and credentials and SSH key harvesting. Additionally, the malware can shift from data gathering to disruption and system manipulation, as it can overwrite the Master Boot Record, force system crashes, exhaust system resources by spawning numerous processes, and disable Microsoft Defender services.
GitHub Flaw Leads to Remote Code Execution—Cybersecurity researchers from Wiz disclosed details of a critical security vulnerability impacting GitHub.com and GitHub Enterprise Server (CVE-2026-3854, CVSS score: 8.7) that could allow an authenticated user to obtain remote code execution with a single "git push" command. The vulnerability was severe enough that Microsoft rolled out a patch within six days of responsible disclosure. On GitHub.com, it allowed remote code execution on shared storage nodes, and on GitHub Enterprise Server, it granted full server compromise, enabling unauthorized access to all hosted repositories and internal secrets. "Exploitation could expose the codebases of nearly all of the world's biggest enterprises, making this one of the most severe SaaS vulnerabilities ever found," a Wiz spokesperson told The Hacker News.
VECT 2.0 Ransomware's Flawed Encryption Makes Data Recovery Impossible—VECT 2.0 ransomware has been found to wipe large files instead of merely encrypting them, making recovery impossible, even for the attackers. VECT 2.0 is a ransomware-as-a-service (RaaS) program that first appeared in December 2025. The group quickly grabbed headlines after it announced on BreachForums that it was partnering with TeamPCP, the threat group behind several supply chain attacks, such as Trivy, Checkmarx KICS, LiteLLM, and Telnyx, in March and April 2026. VECT also announced a partnership with BreachForums itself, promising that every registered forum user will become an affiliate and be granted use of the ransomware, negotiation platform, and leak site for operations. Beazley Security, in an analysis of the ransomware, said the VECT 2.0 RaaS panel covers the "full operational lifecycle an affiliate needs from payload generation through to payout."
🔥 Trending CVEs
Bugs drop weekly, and the gap between a patch and an exploit is shrinking fast. These are the heavy hitters for the week: high-severity, widely used, or already being poked at in the wild.
Check the list, patch what you have, and hit the ones