The cybersecurity landscape is rapidly evolving, with threat actors demonstrating an unprecedented pace in exploiting vulnerabilities and adopting sophisticated tactics. This week’s recap highlights a critical flaw in cPanel and WebHost Manager (WHM) that has become a prime target for attackers, leading to widespread website compromises and data theft. This ongoing trend underscores the escalating sophistication of cybercrime, marking a shift from one-off breaches to persistent occupation of compromised systems.
cPanel Vulnerability Actively Exploited, Leading to Widespread Damage
A critical vulnerability, identified as CVE-2026-41940, within the widely used cPanel and WebHost Manager (WHM) control panels is currently being actively exploited in the wild. This authentication bypass flaw allows remote attackers to gain elevated privileges, potentially leading to complete control over affected systems. Reports indicate that attacks have resulted in the complete wiping of entire websites and their backups. Furthermore, some compromised servers have been used to deploy variants of the Mirai botnet and a ransomware strain known as Sorry. The swift exploitation of this vulnerability highlights the growing challenge organizations face in keeping pace with emerging threats.
Cybercrime Groups Embrace Vishing for Enhanced Data Theft and Extortion
Two distinct cybercrime groups, designated as Cordial Spider and Snarky Spider, are executing high-impact attacks with remarkable speed, largely operating within Software as a Service (SaaS) environments. These groups employ vishing (voice phishing), alongside SMS and email lures, to trick targeted employees into visiting fake single sign-on (SSO) pages that mimic legitimate company portals. This method allows them to capture credentials, gaining an initial foothold for deeper system access. CrowdStrike reports that these attackers are adept at bypassing multi-factor authentication (MFA) by taking control of the MFA devices themselves and subsequently removing any alert emails, and that they mask their tracks by routing activity through residential proxy networks so it blends in with normal user traffic. This represents a concerning trend of English-speaking ransomware crews developing distinct, yet often similar, operational playbooks.
Linux Kernel Vulnerability “Copy Fail” Added to CISA’s Known Exploited Vulnerabilities Catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-31431, a critical vulnerability impacting various Linux distributions, to its Known Exploited Vulnerabilities (KEV) catalog due to evidence of active exploitation. Dubbed “Copy Fail,” this logic bug in the Linux kernel’s authentication cryptographic template allows for trivial privilege escalation through a Python-based exploit. Researchers from Theori and Xint attribute the vulnerability to updates intended to improve data encryption speed, dating back to 2017, thus affecting all major Linux distributions released since that time. Notably, Copy Fail is reported to work with 100% reliability, a rarity for local privilege escalation (LPE) bugs, and it leaves no disk traces as exploitation occurs in memory, even enabling container escapes within Kubernetes clusters.
TeamPCP Continues Supply Chain Attack Campaign with Focus on Open-Source Ecosystems
The extensive supply chain attack campaign orchestrated by the cybercriminal group TeamPCP has continued with the compromise of several packages across the npm, PyPI, and Packagist ecosystems. This “Mini Shai Hulud” attack follows TeamPCP’s recent compromises of prominent open-source projects like Trivy and KICS. Threat researcher Amit Genkin notes a shift in TeamPCP’s tactics, characterized by increased frequency and reduced detectability by weaponizing legitimate CI/CD pipelines to push malicious code under authentic identities. This method allows the compromised activity to seamlessly blend with normal development workflows. The strategy of using compromised pipelines to spread across environments further escalates the impact of credential theft. Organizations are advised to immediately check for affected versions and rotate any credentials associated with potentially compromised pipelines, such as GitHub and cloud tokens. In the long term, this situation emphasizes the need to reduce the scope of pipeline credentials and enhance visibility into installation and build processes.
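The advice above to "immediately check for affected versions" is easiest to act on with a small lockfile scanner. The following is an added example, not code from the original article or from any of the researchers it cites. The package names and versions in its blocklist are constructed placeholders, not real indicators from the TeamPCP campaign; a practitioner would replace them with the list published by their package registry or security vendor. It handles npm `package-lock.json` (lockfileVersion 2/3) and pinned `requirements.txt` entries, normalising PyPI names the way the registry does so that `Example_Toolkit` and `example-toolkit` match the same entry.

```python
"""Scan npm and PyPI lockfiles for known-compromised package versions.

Added example for a weekly threat recap; the blocklist below is a
constructed placeholder, NOT real indicators from the TeamPCP campaign.
"""
import json
import re
from typing import Dict, List, Set, Tuple

# Placeholder blocklist keyed by ecosystem -> package -> affected versions.
# Replace with the advisory's published list before real use.
COMPROMISED: Dict[str, Dict[str, Set[str]]] = {
    "npm": {"example-widget": {"1.4.2"}},
    "pypi": {"example-toolkit": {"2.0.1", "2.0.2"}},
}


def normalize_pypi_name(name: str) -> str:
    """PyPI treats '-', '_' and '.' runs as equivalent and is case-insensitive."""
    return re.sub(r"[-_.]+", "-", name).lower()


def scan_package_lock(lock_text: str) -> List[Tuple[str, str]]:
    """Return (name, version) pairs in a package-lock.json that are blocklisted.

    lockfileVersion 2/3 stores every installed package under "packages",
    keyed by its on-disk path ("node_modules/foo", "node_modules/a/node_modules/foo").
    """
    data = json.loads(lock_text)
    hits: List[Tuple[str, str]] = []
    for path, meta in data.get("packages", {}).items():
        if not path:  # "" is the root project itself, not a dependency
            continue
        # The package name is whatever follows the last "node_modules/" segment
        name = path.rsplit("node_modules/", 1)[-1]
        version = meta.get("version", "")
        if version in COMPROMISED["npm"].get(name, set()):
            hits.append((name, version))
    return hits


# Matches "name==version" pins; ignores comments, ranges and editable installs.
_PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*==\s*([A-Za-z0-9_.\-+!]+)")


def scan_requirements(req_text: str) -> List[Tuple[str, str]]:
    """Return (normalized-name, version) pairs from requirements.txt that are blocklisted."""
    hits: List[Tuple[str, str]] = []
    for line in req_text.splitlines():
        m = _PIN_RE.match(line)
        if not m:
            continue
        name = normalize_pypi_name(m.group(1))
        version = m.group(2)
        if version in COMPROMISED["pypi"].get(name, set()):
            hits.append((name, version))
    return hits


# Constructed sample inputs: one hit and one clean entry per ecosystem.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "0.1.0"},
        "node_modules/example-widget": {"version": "1.4.2"},
        "node_modules/left-pad": {"version": "1.3.0"},
        "node_modules/left-pad/node_modules/example-widget": {"version": "1.4.1"},
    },
})

SAMPLE_REQ = """# constructed requirements file
requests==2.31.0
Example_Toolkit==2.0.2
example-toolkit>=1.0   # range, not a pin: skipped
"""


def scan_all() -> List[Tuple[str, str, str]]:
    """Scan both sample files; returns (ecosystem, name, version) triples."""
    results = [("npm", n, v) for n, v in scan_package_lock(SAMPLE_LOCK)]
    results += [("pypi", n, v) for n, v in scan_requirements(SAMPLE_REQ)]
    return results


if __name__ == "__main__":
    for eco, name, version in scan_all():
        print(f"COMPROMISED {eco}: {name}@{version} -- rotate pipeline credentials")
```

Because the scanner keys on the full `node_modules/` path, it also catches a blocklisted version nested beneath another dependency, which a check of `package.json` alone would miss; any hit should trigger the credential rotation the article recommends, since the malicious version may already have run during install.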
New Python Backdoor Framework “DEEP#DOOR” Enables Comprehensive Windows Data Theft
A newly identified stealthy Python-based backdoor framework, named DEEP#DOOR, offers attackers persistent remote command execution and surveillance capabilities on Windows systems. Once established, the malware allows for shell command execution, file manipulation, and system and network reconnaissance. Its surveillance features include keylogging, clipboard monitoring, screenshot capture, microphone and webcam access, and the harvesting of credentials and SSH keys. Beyond data gathering, DEEP#DOOR can also disrupt systems by overwriting the Master Boot Record, causing system crashes, exhausting system resources, and disabling Microsoft Defender services, demonstrating a comprehensive threat to Windows environments.
GitHub Vulnerability Could Lead to Remote Code Execution
Cybersecurity researchers from Wiz have detailed a critical security vulnerability (CVE-2026-3854) affecting both GitHub.com and GitHub Enterprise Server. This flaw, with a CVSS score of 8.7, could permit an authenticated user to achieve remote code execution with a single “git push” command. Microsoft released a patch within six days of disclosure. On GitHub.com, the vulnerability allowed for remote code execution on shared storage nodes, while on GitHub Enterprise Server, it could lead to a full server compromise, granting attackers unauthorized access to all hosted repositories and internal secrets. Wiz described the exploitability as severe enough to potentially expose the codebases of a significant portion of the world’s largest enterprises.
VECT 2.0 Ransomware’s Flawed Encryption Prevents Data Recovery
The VECT 2.0 ransomware variant has been observed to permanently wipe large files instead of encrypting them, rendering data recovery impossible even for the attackers. This ransomware-as-a-service (RaaS) program, which emerged in December 2025, quickly garnered attention for its partnerships with TeamPCP and BreachForums. Beazley Security’s analysis indicates that the VECT 2.0 RaaS panel provides affiliates with comprehensive tools for payload generation, negotiation, and leaking stolen data. The partnership with BreachForums promised widespread access to the ransomware and its associated platforms for registered forum users.
Trending CVEs Indicate Rapid Exploitation of High-Severity Flaws
The cybersecurity world continues to see a shrinking gap between vulnerability discovery and active exploitation. This week’s trending Common Vulnerabilities and Exposures (CVEs) include several high-severity flaws affecting widely used software. Notably, CVE-2026-41940 (cPanel and WebHost Manager) and CVE-2026-31431, known as Copy Fail (Linux Kernel), have seen significant exploitation. Other notable vulnerabilities include CVE-2026-3854 (GitHub.com and GitHub Enterprise Server), CVE-2026-32202 (Microsoft Windows Shell), and multiple vulnerabilities affecting OpenSSH, Mozilla Firefox, and various open-source projects. Organizations are strongly advised to prioritize patching these critical vulnerabilities to mitigate the risk of compromise.
Conclusion
The accelerating pace of cyberattacks necessitates a proactive and vigilant security posture. Organizations must prioritize patching known vulnerabilities, diligently verifying the integrity of their supply chains, and implementing stringent access controls for SaaS applications. Treating every routine login and pipeline execution as potentially hostile can help prevent significant future disruptions. Continuous adaptation and attention to emerging threats are crucial for maintaining robust defenses in the face of evolving cyber threats.