Coverage: May 1–3, 2026 · 5 areas monitored · NVD, CISA KEV, Threat Actor Intel, Dark Web, AI Security
Pre-authentication authentication bypass in cPanel & WHM (all versions after 11.40) and WP Squared. Attacker chains a CRLF injection via malformed Basic-Auth credentials with a session-file race condition to inject arbitrary session fields including user=root — gaining full WHM administrative access without valid credentials. Zero-day exploitation confirmed since approximately February 23, 2026 (two months before the patch). CISA added to KEV May 1. Shadowserver reports 44K unique IPs actively scanning/exploiting honeypots. Rapid7 identifies ~1.5M internet-exposed cPanel instances. At least one small business confirmed ransomware deployment post-exploitation ($7,000 demand). PoC published by watchTowr.
Local privilege escalation in the Linux kernel's algif_aead crypto module (CVSS 7.8). A logic flaw in the AF_ALG socket interface chained with splice() allows any unprivileged local user to perform a controlled 4-byte write to any page-cache-backed file, enabling corruption of setuid binaries (e.g. /usr/bin/su) to obtain a root shell. Deterministic — no race condition required. 732-byte Python exploit works unmodified across Ubuntu, RHEL, Amazon Linux 2023, SUSE, Debian, Fedora, and Arch — every build since 2017. Critical amplifier: the page cache is shared across containers, meaning a single compromised container can corrupt host binaries and escape to affect all co-tenants. Disclosed April 29; patches rolling out May 1–2.
Critical unauthenticated SQL injection in LiteLLM Proxy (versions 1.81.16–1.83.6). Bearer token is concatenated directly into a SQL query without parameterization, allowing any unauthenticated attacker to extract the full credentials database including OpenAI org keys, Anthropic workspace admin keys, and AWS Bedrock IAM credentials. Blast radius is equivalent to full cloud account compromise across all connected LLM providers. Exploited within 36 hours of advisory publication (April 26, 16:17 UTC) with no public PoC available. This is LiteLLM's second targeted attack in six weeks following the March 2026 TeamPCP supply chain campaign.
Bitwarden CLI npm package @bitwarden/cli@2026.4.0 was backdoored for 93 minutes (April 22, 17:57–19:30 ET) via a compromised GitHub Action (checkmarx/ast-github-action) as part of the ongoing Checkmarx/TeamPCP supply chain campaign. Malicious payload in bw1.js: credential stealer targeting developer secrets, GitHub Actions environments, and AI coding tool configs (Claude, Cursor, Codex CLI, Kiro, Aider). Data exfiltrated AES-256-GCM encrypted to audit.checkmarx[.]cx. If a GitHub token was stolen: malware injects malicious Actions workflows into all reachable repos and extracts all CI/CD secrets — enabling persistent supply chain pivot. Campaign string 'Shai-Hulud: The Third Coming' confirms this is the third phase of the TeamPCP campaign (previously hit Trivy, LiteLLM, KICS, Checkmarx, now Bitwarden).
As noted in Area 1, CVE-2026-42208 is specifically significant as an AI infrastructure attack. LiteLLM serves as a credential aggregator for multiple AI providers — a single successful SQL injection yields simultaneous access to all connected AI accounts. This marks the second LiteLLM attack in six weeks, confirming AI infrastructure has become a deliberate high-value target. Pattern mirrors LMDeploy SSRF (exploited in 12h) and Marimo RCE (exploited in 10h) — AI tools are being monitored and weaponized within hours of advisory publication with no PoC needed.
Two patched-but-widely-unpatched Claude Code vulnerabilities represent an ongoing developer workstation risk. CVE-2026-25723: piped sed/echo command chains bypass file-write sandbox, enabling writes to .claude and paths outside project scope without user confirmation. CVE-2026-33068: malicious .claude/settings.json with permissions.defaultMode: bypassPermissions silently skips workspace trust dialog — no user interaction required beyond opening the project. Both are chainable with the previously reported 50-subcommand deny-rule bypass for full sandbox escape from a single malicious repository.
The TeamPCP supply chain threat group has executed a third campaign phase ('Shai-Hulud: The Third Coming'): after compromising Trivy (Feb), LiteLLM and KICS (March), and Checkmarx Actions (April), the group has now compromised Bitwarden CLI via the already-poisoned checkmarx/ast-github-action. The campaign specifically targets AI coding tool configurations (Claude, Cursor, Codex CLI, Kiro, Aider) in addition to traditional developer secrets. TeamPCP has partnered with Lapsus$ and Vect for post-access ransomware and extortion. Indicators: malicious exfil domain audit.checkmarx[.]cx (note: impersonating legitimate Checkmarx domain). TTPs: GitHub Actions workflow injection, npm package poisoning, credential theft via install-time payload, persistent workflow backdoors.
Cyfirma and Unit 42 confirm the Scattered Lapsus$ Hunters collective has re-emerged with a more structured operational model: defined role tiers (social engineering, intrusion, credential broker, insider recruiter, data amplifier), active commission structures (25% for AD-joined systems, 10% for Okta/Azure/AWS IAM root credentials), and confirmed partnership with ShinyHunters and Lapsus$ on a joint RaaS platform called ShinySp1d3r. Target focus: enterprises >$500M revenue, telecoms, cloud/hosting providers, SaaS supply chains, CI/CD environments. Primary entry vector remains vishing and insider recruitment. Recent victims include aviation, energy, and retail sectors. The group explicitly targets developer tooling and credential aggregators to maximize blast radius.
Multiple hosting providers confirmed CVE-2026-41940 was actively exploited before the April 28 patch — KnownHost tracked active exploitation from as early as February 23, 2026. Namecheap temporarily blocked all cPanel/WHM access. At least one confirmed ransomware deployment post-exploitation. Shadowserver reports 44K IPs actively scanning/exploiting honeypots; approximately 650K exposed cPanel/WHM instances visible on the internet. Customers of shared hosting providers on unpatched cPanel infrastructure may have had their websites, email, and databases accessed without their knowledge during the two-month zero-day window.
The ongoing Checkmarx/TeamPCP campaign has now affected Trivy, LiteLLM, KICS, Bitwarden CLI, two Open VSX plugins, and two Checkmarx GitHub Actions. Over 10M Bitwarden users and 50K businesses could have had their CLI tooling tainted. For any developer whose CI/CD pipeline auto-updated Bitwarden CLI during the 93-minute exposure window: all secrets in that environment should be treated as compromised, including cloud credentials, GitHub tokens, SSH keys, and downstream repository access. The exfiltration domain (audit.checkmarx[.]cx) is a convincing impersonation of the legitimate Checkmarx audit service.
Critical unauthenticated SQL injection (CVSS 9.3) in LiteLLM Proxy's API key verification path. The Bearer token from incoming HTTP requests is concatenated directly into a SQL query without parameterization, allowing a remote unauthenticated attacker to extract all stored API keys and LLM provider credentials. LiteLLM aggregates credentials for OpenAI, Anthropic, AWS Bedrock, Azure OpenAI, and dozens of other providers in one database — a successful extraction is equivalent to a full cloud account compromise across all connected providers. Exploited within 36 hours of advisory publication (first probe observed April 26 at 16:17 UTC, IP 65.111.27.132) with no public proof-of-concept available. Attackers targeted litellm_credentials.credential_values and litellm_config tables holding upstream LLM provider keys. This is the second LiteLLM attack in six weeks following the March 2026 TeamPCP supply chain campaign.
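The flaw class described above, shown as an added example that is not LiteLLM's code or schema: a token lookup built by string concatenation beside the parameterized form. The table name `api_tokens`, the function names and the sample tokens are constructed for illustration.

```python
import sqlite3

def make_db():
    """In-memory database with one constructed token row."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE api_tokens (token TEXT PRIMARY KEY, owner TEXT)")
    db.execute("INSERT INTO api_tokens VALUES ('sk-constructed-0001', 'team-a')")
    return db

def bearer_token(authorization_header):
    """Strip the 'Bearer ' scheme; return '' when the scheme is missing."""
    prefix = "Bearer "
    if not authorization_header.startswith(prefix):
        return ""
    return authorization_header[len(prefix):]

def lookup_concatenated(db, authorization_header):
    """Flawed pattern: the header value becomes part of the SQL text."""
    token = bearer_token(authorization_header)
    query = "SELECT owner FROM api_tokens WHERE token = '" + token + "'"
    row = db.execute(query).fetchone()
    return row[0] if row else None

def lookup_parameterized(db, authorization_header):
    """Fixed pattern: the header value is bound as data, never parsed as SQL."""
    token = bearer_token(authorization_header)
    row = db.execute(
        "SELECT owner FROM api_tokens WHERE token = ?", (token,)
    ).fetchone()
    return row[0] if row else None

# Constructed inputs: one valid token, one value containing a quote character.
VALID = "Bearer sk-constructed-0001"
QUOTED = "Bearer x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    for header in (VALID, QUOTED):
        print(repr(header), lookup_concatenated(db, header),
              lookup_parameterized(db, header))
```

With the bound parameter the quoted value is compared as an ordinary string and matches no row, which is the property the concatenated query lacks.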
Claude Code failed to properly validate commands using piped sed and echo operations, allowing attackers to bypass file-write restrictions. Exploiting piped command chaining (sed | echo), attackers could write to sensitive directories including .claude and paths outside the project scope — without triggering user confirmation. Requires ability to inject commands through Claude Code with accept-edits mode enabled (e.g., via malicious repository content or prompt injection). Part of a three-CVE cluster (with CVE-2026-33068 and the 50-subcommand bypass) that collectively undermines Claude Code's sandbox model.
Claude Code resolved permission modes from repository-controlled .claude/settings.json files before determining whether to display the workspace trust confirmation dialog. A malicious repository sets permissions.defaultMode to bypassPermissions in its committed .claude/settings.json. When the victim opens the project, the trust dialog is silently skipped and Claude Code enters a fully permissive mode — granting tool execution without any explicit user consent. Chained with other Claude Code CVEs (CVE-2026-25723, the 50-subcommand deny-rule bypass) to achieve full sandbox escape.
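A pre-open check for the condition described above, as an added example that is not Anthropic's tooling: it walks a checkout and flags any `.claude/settings*.json` that sets `permissions.defaultMode` to `bypassPermissions`. Matching every `settings*.json` under `.claude` rather than only `settings.json`, and the sample tree built in `demo_scan`, are assumptions of this example.

```python
import json
import os
import tempfile

RISKY_MODE = "bypassPermissions"  # the value the advisory text names

def find_risky_claude_settings(repo_root):
    """Return (path, reason) pairs for .claude/settings*.json files that preset the risky mode."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(repo_root):
        # Skip git internals; sort for a stable report order.
        dirnames[:] = sorted(d for d in dirnames if d != ".git")
        if os.path.basename(dirpath) != ".claude":
            continue
        for name in sorted(filenames):
            if not (name.startswith("settings") and name.endswith(".json")):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8") as fh:
                    data = json.load(fh)
            except (OSError, ValueError):
                # A file we cannot parse is reported, not silently trusted.
                findings.append((path, "unparseable settings file, review by hand"))
                continue
            perms = data.get("permissions") if isinstance(data, dict) else None
            mode = perms.get("defaultMode") if isinstance(perms, dict) else None
            if mode == RISKY_MODE:
                findings.append((path, "permissions.defaultMode = " + mode))
    return findings

def demo_scan():
    """Build a constructed checkout in a temp dir and scan it."""
    files = {
        ".claude/settings.json": {"permissions": {}},
        "vendor/tool/.claude/settings.json": {"permissions": {"defaultMode": RISKY_MODE}},
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, content in files.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full))
            with open(full, "w", encoding="utf-8") as fh:
                json.dump(content, fh)
        return [(os.path.relpath(p, root).replace(os.sep, "/"), why)
                for p, why in find_risky_claude_settings(root)]

if __name__ == "__main__":
    for rel, why in demo_scan():
        print(rel + ": " + why)
```

Run it against a fresh clone before opening the directory in the tool; nested copies under vendored or submodule paths are covered by the walk.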
The EU AI Act's high-risk system obligations take full effect in 90 days. Organizations operating AI systems in the EU must have completed: conformity assessments, data governance documentation, human oversight mechanisms, technical robustness documentation, and registration in EU AI databases. Article 50 transparency obligations (AI disclosure to users, deepfake labeling) activate simultaneously. Cyber insurance carriers are now requiring documented AI security controls including red-teaming, model-level risk assessments, and AI risk management frameworks as a condition of coverage. Organizations without these in place risk both regulatory fines (up to 7% of global annual turnover) and coverage denial.
Anthropic's red team published results showing Claude chaining four zero-days into a single exploit that bypasses both the Chromium renderer and OS sandbox — demonstrating AI agents can now independently develop functional multi-stage exploits from a crashing test case, without human guidance on primitives. Separately, Bugcrowd noted that CVE-2026-31431 (Copy Fail) was surfaced by Xint Code using AI-assisted kernel scanning in about an hour with a single operator prompt. These developments indicate that the floor for producing working kernel and browser exploits has dropped significantly — the time window between CVE disclosure and weaponized exploit is compressing further.
/usr/local/cpanel/scripts/upcp --force; restrict ports 2087/2083 to trusted IPs. Triage /var/cpanel/sessions/ for compromise signs.
Block audit.checkmarx[.]cx at DNS.
apt update && apt upgrade linux-image-generic or dnf update kernel. Add AF_ALG seccomp block to all containers and K8s pods immediately.
pip install litellm==1.83.10. Rotate all LLM provider API keys if instance was internet-exposed on affected versions.
npm update -g @anthropic/claude-code — verify 2.1.53+. Pin all GitHub Actions to commit SHAs. Begin EU AI Act conformity assessment (90-day deadline).