Active Exploits Across cPanel, Linux Kernel, and GitHub Signal Coordinated Offensive

TL;DR — CVE-2026-41940 in cPanel/WHM is under active exploitation with attacks wiping websites and deploying ransomware. CVE-2026-31431, a Linux kernel flaw, enables reliable privilege escalation and container escape on all major distributions from 2017 onwards. CVE-2026-3854 on GitHub allows authenticated remote code execution in a single git push. Supply chain attacks via compromised packages and ransomware partnerships are accelerating.

What happened

This week consolidated a series of overlapping attack campaigns affecting critical infrastructure layers. Three distinct threat vectors emerged:

cPanel control panel compromise. CVE-2026-41940, a critical authentication bypass in cPanel and WebHost Manager, entered active exploitation. Attackers gained elevated control of hosting panels, leading in documented cases to complete deletion of websites and backups. Some intrusions deployed Mirai botnet variants and the Sorry ransomware strain, converting compromised infrastructure into attack staging points.

Linux kernel logic bug. CVE-2026-31431, affecting all major Linux distributions from 2017 onwards, is a logic flaw in the kernel's authentication cryptographic template. The vulnerability can be reliably exploited via a 732-byte Python script with 100% success rate — a departure from the probabilistic nature of typical privilege escalation bugs. Exploitation occurs entirely in memory, leaving no disk traces, and enables escape from any Kubernetes pod. The U.S. CISA added the vulnerability to its Known Exploited Vulnerabilities catalog citing evidence of active exploitation in the wild.

GitHub remote code execution. CVE-2026-3854 (CVSS 8.7) allows authenticated users to execute remote code with a single git push command. On GitHub.com, it affected shared storage nodes. On GitHub Enterprise Server, exploitation granted full server compromise, permitting unauthorized access to all repositories and internal secrets. Microsoft patched the vulnerability within six days of responsible disclosure by Wiz researchers.

Supply chain escalation. The threat group TeamPCP continued compromising packages across npm, PyPI, and Packagist. Recent incidents included Trivy (Aqua Security's security scanner) and KICS (Checkmarx's static analysis tool). Attackers weaponized legitimate CI/CD pipelines to distribute poisoned versions under authentic identities, allowing malicious activity to blend with normal development workflows.

SaaS credential theft via voice. Two groups, Cordial Spider and Snarky Spider, orchestrated vishing campaigns targeting SaaS environments. Attackers directed employees via voice calls, text messages, and emails to phishing pages mimicking employer SSO pages, captured credentials, then removed legitimate MFA devices and configured attacker-controlled replacements. They deleted email alerts to obscure intrusions and used residential proxy networks to mask lateral movement.

New backdoor framework. DEEP#DOOR, a Python-based backdoor, provides persistent remote access with capabilities including keylogging, clipboard monitoring, screenshot capture, microphone and webcam access, SSH key harvesting, Master Boot Record overwriting, process spawning to exhaust resources, and Microsoft Defender disablement.

Ransomware partnership model. VECT 2.0, a ransomware-as-a-service program that first appeared in December 2025, announced partnerships with TeamPCP (March–April 2026) and BreachForums itself. Rather than encrypting large files, VECT 2.0 wipes them, making recovery impossible even by the attackers. VECT's RaaS panel covers the full lifecycle from payload generation through payout distribution.

Why it matters

These incidents expose a unified attack surface spanning hosting infrastructure, kernel privileges, code repositories, and supply chains. The velocity and coordination suggest threat actors now operate with sustained infrastructure and operational discipline.

For developers: CVE-2026-3854 directly threatens codebases. Compromised pipelines (via TeamPCP and supply chain attacks) inject malware into build artifacts at distribution time, bypassing traditional repository scanning. The attack model assumes initial authentication — a credential obtained via the vishing campaigns now active against SaaS.

For system administrators: CVE-2026-31431 is particularly severe because it bypasses container isolation. A single pod compromise cascades to cluster-wide privilege escalation. cPanel administrators hosting customer sites face wholesale data destruction. Kubernetes operators are defenseless without kernel patching.

For SOC analysts: These attacks leave minimal forensic traces. CVE-2026-31431 exploits only in memory. Vishing campaigns mask lateral movement through residential proxies. Supply chain poisoning hides inside legitimate CI/CD logs. Detection requires behavioral anomalies (suspicious MFA changes, unusual pipeline executions, unexpected process spawning) rather than signature-based methods.

Affected systems and CVEs

cPanel / WebHost Manager — CVE-2026-41940 (critical, authentication bypass, active exploitation)
Linux kernel (all major distributions from 2017 onwards) — CVE-2026-31431 (privilege escalation, container escape, 100% reliable)
GitHub.com / GitHub Enterprise Server — CVE-2026-3854 (CVSS 8.7, remote code execution via authenticated git push)
npm, PyPI, Packagist — supply chain poisoning (specific CVE assignments not noted in source)
Open source projects — Trivy, KICS, LiteLLM, Telnyx (compromised by TeamPCP; CVE assignments not specified)

What to do

Patch CVE-2026-41940 immediately on all cPanel and WHM instances. Verify website and backup integrity post-exploitation.
Apply kernel patches for CVE-2026-31431 across all Linux distributions. Prioritize systems running Kubernetes.
Patch CVE-2026-3854 on GitHub.com instances and all GitHub Enterprise Server deployments within six days of release (patch window already closed for initial disclosure; check Microsoft release schedules).
Audit and rotate credentials tied to pipelines, especially GitHub tokens and cloud provider credentials. Reduce scope of pipeline credentials to least-privilege access. Check for affected package versions (Trivy, KICS, LiteLLM, Telnyx) and rotate any credentials that may have been exposed.
Add visibility into CI/CD install and build processes. Monitor for suspicious pipeline executions and unexpected package version changes.
Implement MFA using hardware security keys resistant to vishing attacks. Audit MFA device enrollment logs for unauthorized additions.
Monitor for deletion or modification of email alerts, particularly those tied to authentication or infrastructure changes.
Review logs for lateral movement patterns matching residential proxy IP ranges and authenticated session anomalies in SaaS environments.

Open questions

Which specific organizations or sectors are targeted by Cordial Spider and Snarky Spider vishing campaigns?
How many cPanel instances have been actively exploited by CVE-2026-41940, and which hosting providers are most affected?
Which maintainers of compromised packages (Trivy, KICS, LiteLLM, Telnyx) had credentials stolen, and what is the scope of each compromise?
How widespread is DEEP#DOOR distribution, and which delivery vectors are primary?
How many GitHub repositories and enterprise instances were successfully compromised via CVE-2026-3854 before patching?
Which organizations have fallen victim to VECT 2.0 ransomware, and what is the financial impact of data loss (as opposed to encryption)?
Beyond the 2017 baseline, which specific Linux distributions and kernel versions are confirmed vulnerable to CVE-2026-31431?