Cyber Threat Brief — May 2 2026
⚠️ This report is AI-generated. Always validate findings.
1. cPanel & WHM Authentication Bypass — CVE-2026-41940
TL;DR: CRLF injection in cPanel’s session file handling gives unauthenticated attackers full root access, bypassing password and 2FA. Actively exploited since at least February 2026; 1.5M instances exposed per Rapid7/Shodan.
What’s New:
- CVSS 9.8 — unauthenticated, no user interaction, low complexity
- Attacker injects
\r\nuser=rootinto Basic Auth password field; cpsrvd writes poisoned session to/var/cpanel/sessions/raw/before validation - Injected keys (
user=root,hasroot=1,tfa_verified=1) promote session to authenticated root, bypassing both password and 2FA - Exploited in the wild since ~February 23 2026 (pre-disclosure); CISA confirmed active exploitation April 30
- Cloudflare shipped emergency WAF rule April 30; Hadrian released Nuclei template for validation
- Patched in cPanel 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, 11.136.0.5
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
Session files in /var/cpanel/sessions/raw/ with \r\n in pass= value | Exploitation artifact | T1078.001 | Filesystem / FIM | Run cPanel vendor detection script; search for CRLF bytes in session files |
Authorization: Basic header with \r\n sequences | Exploit payload | T1190 | cPanel access logs / WAF | Alert on CRLF in Basic Auth headers to ports 2082-2087 |
| New root-level sessions from IPs without prior successful auth | Post-exploitation | T1078.001 | /var/cpanel/sessions/raw/, /usr/local/cpanel/logs/access_log | Correlate session creation with auth failure logs |
cp_security_token in session file not matching legitimate token generation | Session forgery | T1134 | Filesystem | Audit session files for injected cp_security_token values |
| Outbound connections from cPanel server post-compromise | C2/exfil | T1071.001 | Firewall / netflow | Baseline and alert on anomalous outbound from hosting panels |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | No cPanel-specific rule; need custom search for CRLF in session files and anomalous root session creation |
| Elastic | None | No coverage; write rule for authentication bypass indicators in cPanel logs |
| Sigma | None | No community rule yet; create rule for suspicious session file writes with embedded CRLF |
Sources: Rapid7 ETR, Hadrian Analysis, watchTowr Labs, CyberScoop, Picus
2. PyTorch Lightning Supply Chain Compromise — Shai-Hulud Expansion
TL;DR: Malicious lightning versions 2.6.2 and 2.6.3 published to PyPI on April 30 steal developer credentials and plant persistence hooks in Claude Code and VS Code. Same TeamPCP actor behind the Bitwarden/Trivy/Telnyx supply chain campaigns.
What’s New:
- Malicious versions 2.6.2 and 2.6.3 pushed April 30 2026; version 2.6.1 is clean
- Hidden
_runtimedirectory contains downloader + obfuscated JS payload; executes onimport lightning - Plants
SessionStarthook withmatcher: "*"into Claude Code settings pointing tonode .vscode/setup.mjs - Targets: GitHub tokens, npm tokens, SSH keys, cloud credentials (AWS/GCP/Azure), Kubernetes configs, Vault tokens, Docker creds,
.envfiles - Same Dune-themed naming convention as prior Shai-Hulud campaigns; commit prefix
EveryBoiWeBuildIsAWormyBoi - Linked to TeamPCP actor (Bitwarden CLI, Trivy, litellm, telnyx compromises)
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
lightning==2.6.2 or lightning==2.6.3 in pip freeze / requirements | Malicious package | T1195.002 | Package manager logs / SCA tools | Remove immediately; pin to 2.6.1 |
_runtime/ directory inside lightning package | Payload staging | T1059.007 | FIM / filesystem audit | Search Python site-packages for _runtime dirs |
.vscode/setup.mjs created in repos | Persistence payload | T1546 | Sysmon EventID 11 / FIM | Alert on setup.mjs creation in .vscode directories |
Claude Code SessionStart hook with matcher: "*" | AI tool persistence | T1546 | Claude Code config (settings.json) | Audit Claude Code hooks for unauthorized entries |
Outbound exfil of .env, SSH keys, cloud creds | Credential theft | T1552.001 | EDR / DLP / netflow | Monitor for bulk reads of credential files followed by outbound connections |
Commit messages containing EveryBoiWeBuildIsAWormyBoi | Campaign indicator | T1195.002 | GitHub audit logs | Search org repos for Dune-themed commit prefixes |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | No PyPI supply chain rule; need custom search for suspicious node execution from .vscode paths |
| Elastic | None | No coverage for AI tool persistence hooks |
| Sigma | None | No community rule; create rule for setup.mjs execution from .vscode and unauthorized Claude Code hook modifications |
Sources: The Hacker News, Semgrep, Socket, Ox Security
Status Updates
- CVE-2026-31431 (Linux Kernel — Copy Fail): AlmaLinux and Ubuntu patches released May 1; Microsoft published cloud impact analysis. Community detection packages (Sigma, Falco, auditd, KQL, EQL) now available. Original brief.
- CVE-2026-32202 (Windows Shell — APT28 NTLM coercion): Federal FCEB deadline May 12. No new IOCs. Original brief.
- CVE-2024-1708 (ConnectWise ScreenConnect): Federal FCEB deadline May 12. Storm-1175/Medusa campaigns ongoing. Original brief.