Today's picture
cPanel and WHM, the web hosting control panel running on millions of servers globally, had a critical authentication bypass added to CISA's Known Exploited Vulnerabilities (KEV) catalog yesterday, with a federal remediation deadline of May 3. Two days. That urgency reflects confirmed active exploitation of a flaw that gives any unauthenticated attacker full control panel access. Meanwhile, the TeamPCP supply chain campaign that backdoored SAP npm packages yesterday expanded overnight into PyPI. Two malicious versions of PyTorch Lightning were published and quarantined within hours, but not before reaching a significant number of installations. And a newly disclosed Linux privilege escalation called Copy Fail lets any local user on a major distribution escalate to root with a four-byte write.
Threat snapshot
3 new · 2 monitoring
New
KEV Listed
48hr Deadline
🖥 cPanel authentication bypass in KEV. Federal deadline May 3. Millions of web servers at risk.
CVE-2026-41940. Unauthenticated login flow bypass gives full control panel access. All supported cPanel and WHM versions affected. Patch now. No workaround available.
New
Supply Chain
📦 Mini Shai-Hulud extends to PyPI. PyTorch Lightning backdoored overnight. Same campaign, new platform.
Versions 2.6.2 and 2.6.3 published April 30. Quarantined by PyPI administrators. 31,100-star project. Same TeamPCP credential stealer. PyPI now in scope alongside npm.
New
Linux
CVSS 7.8
🐧 Copy Fail CVE-2026-31431. Any local Linux user can escalate to root on major distributions.
Four-byte write into page cache files achieves root. Affects Ubuntu, Debian, Fedora, RHEL. Exploit code public. Patches available. Containers and shared infrastructure particularly exposed.
Detailed intelligence
Full analysis
01 New KEV Listed Federal Deadline May 3
cPanel authentication bypass in KEV with a 48-hour federal deadline. Millions of web servers at risk.
CVE-2026-41940
What happened
CISA added CVE-2026-41940 to the Known Exploited Vulnerabilities catalog on April 30 with a federal remediation deadline of May 3. The vulnerability is a missing authentication flaw in the login flow of cPanel and WHM (WebHost Manager) as well as WP2 (WordPress Squared). cPanel and WHM is the de facto standard web hosting control panel, running on millions of shared hosting servers globally across hosting providers, managed WordPress environments, and self-managed web infrastructure.
The flaw allows an unauthenticated remote attacker to bypass the login flow and gain unauthorized access to the control panel without providing valid credentials. From the control panel an attacker has access to file management, email account administration, database access, DNS configuration, and in WHM deployments, the ability to create and modify accounts across the entire server. WebPros, the company behind cPanel, released a security update on April 28 addressing the vulnerability. The two-day federal deadline signals that CISA has confirmed active exploitation is underway. No workaround is available for unpatched systems.
EXECUTIVE IMPACT · cPanel gives an attacker everything on the server. Files, databases, email, DNS, SSL certificates, and in WHM deployments the ability to create new hosting accounts. Any organization or hosting provider running cPanel is running exploitable infrastructure right now if they have not applied the April 28 update. This is not a targeted threat. Automated scanning for unpatched cPanel instances is already underway.
DON'T MISS · The May 3 deadline is a Sunday. Federal agencies are being told to patch production web server control panels before the weekend ends. That scheduling detail is worth noting for any organization running web infrastructure. If your web servers are on shared or managed hosting using cPanel, the patch urgency belongs with your hosting provider, not your internal team. Ask your provider today whether they have applied the April 28 update and whether your instances are already protected. Do not assume a managed hosting environment means you are automatically patched.
CyberSip Take
cPanel is different from most of the vulnerabilities in this brief because of who manages it. Enterprise security teams typically have full visibility and control over their servers. Organizations using managed hosting or shared hosting providers do not. They depend entirely on their hosting provider's patch cadence, which is not always rapid. A critical authentication bypass in cPanel is not a theoretical risk for those environments. It is an active threat that requires a vendor response conversation, not an internal patch job. The broader question worth asking today is whether your organization has a documented process for following up on critical vulnerabilities in infrastructure managed by third parties. This situation comes up repeatedly across April's brief: Vercel, Medtronic, SAP packages, cPanel. The answer each time is the same: you are responsible for understanding your exposure, even when someone else manages the platform.
Recommended actions
- For self-managed cPanel and WHM installations, apply the security update released April 28 immediately. Check the cPanel support article at support.cpanel.net for the specific build number.
- For managed or shared hosting environments running cPanel, contact your hosting provider today to confirm the April 28 update has been applied to your instances.
- Review cPanel access logs for any unusual login activity or successful authentications from unexpected IP addresses that may predate the patch.
- If you use WP2 (WordPress Squared), apply the patch from docs.wpsquared.com as it is also affected by the same authentication bypass.
Derived from CISA known-exploited vulnerability catalog and WebPros security advisory
02 New Supply Chain
Mini Shai-Hulud extends to PyPI overnight. PyTorch Lightning backdoored with the same TeamPCP credential stealer.
TeamPCP · PyPI · Apr 30
What happened
The TeamPCP supply chain campaign that backdoored four SAP npm packages yesterday extended to the Python Package Index overnight. Malicious versions 2.6.2 and 2.6.3 of PyTorch Lightning were published to PyPI on April 30, 2026, carrying the same credential-stealing payload used in the SAP npm campaign. PyTorch Lightning is an open-source Python framework providing a high-level interface for PyTorch, used extensively in machine learning research, model training pipelines, and AI development environments. The project has over 31,100 stars on GitHub.
Researchers from Aikido Security, OX Security, Socket, and StepSecurity identified the malicious versions within hours of publication. PyPI administrators quarantined both versions and they are no longer installable from the registry. The payload behavior matches the SAP campaign: a preinstall hook executes a credential stealer targeting GitHub tokens, npm tokens, cloud provider credentials, and Kubernetes secrets, then exfiltrates them to attacker-controlled public repositories. The extension to PyPI from npm in the same 24-hour window confirms TeamPCP is actively expanding its targeting across package ecosystems rather than being limited to a single registry.
EXECUTIVE IMPACT · PyTorch Lightning is used in AI model training pipelines that typically run with broad cloud infrastructure access. A compromised training environment exposes not just development credentials but potentially model weights, training data, and the cloud compute credentials used to run expensive GPU workloads. For organizations investing heavily in AI development, the training pipeline is now an active attack surface.
DON'T MISS · Two package ecosystems in two days. The speed of the PyPI expansion after the SAP npm campaign suggests TeamPCP had the PyTorch Lightning attack staged before they deployed the SAP packages. This is not reactive opportunism. It is a coordinated multi-platform campaign with pre-built targets across both npm and PyPI. Any team that uses packages from either ecosystem for AI development, data science, or enterprise cloud work should treat the credential rotation guidance from Issue 18 as applying to Python environments as well as Node.js environments. The threat model has changed: a supply chain attacker is now routinely targeting multiple package managers in parallel.
CyberSip Take
The PyPI versions were quarantined quickly, which is positive. The question worth asking is how any organization would know if their CI/CD pipeline pulled one of these versions between publication and quarantine. Most pipelines do not log the exact time of package downloads, and many use pip install without pinned versions in automated jobs. A pipeline that ran overnight on a schedule could have installed 2.6.2 or 2.6.3 without anyone noticing.
The practical guidance from Issue 18 on npm still applies here and extends to pip. Pip installs without pinned version numbers are vulnerable to this class of attack in exactly the same way that unpinned npm installs are. If your AI or data science pipelines use requirements.txt files with ranges rather than exact versions, you are operating with a meaningful exposure to supply chain attacks that routinely target these ecosystems. Pinning to specific verified versions and running pip-audit as part of your CI/CD process are the two controls that would have caught this automatically.
Recommended actions
- Check your lockfiles, CI/CD logs, and artifact stores for installations of pytorch-lightning 2.6.2 or 2.6.3. Any environment that installed these versions between April 30 and May 1 should be treated as compromised.
- If exposure is suspected, rotate all GitHub tokens, cloud provider credentials, npm tokens, and Kubernetes secrets accessible from the affected environment.
- Audit recent GitHub repository activity for unexpected commits, new branches, or newly created public repositories with unusual descriptions that may indicate exfiltration dead drops.
- Pin critical Python dependencies to specific verified versions in requirements files. Use pip-audit in CI/CD pipelines to flag known-compromised packages automatically.
Derived from Aikido Security, OX Security, Socket, and StepSecurity independent research
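One way to run the lockfile and log check recommended above, as an added example that is not part of the original brief: it flags exact pins to 2.6.2 or 2.6.3, flags requirements left to the resolver, and searches pip output for the same versions. The function names, sample requirements and sample log lines are constructed for this example.

```python
import re

# Package name and versions come from this brief; sample inputs are constructed.
PACKAGE = "pytorch-lightning"
BAD_VERSIONS = {"2.6.2", "2.6.3"}
REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*([^;#\\]*)")
PIN_RE = re.compile(r"===?\s*(\d+(?:\.\d+)*)")
# Matches pip output such as "pytorch-lightning-2.6.2" and wheel file names.
LOG_RE = re.compile(r"\bpytorch[-_.]lightning-(\d+(?:\.\d+)*)", re.IGNORECASE)

def normalize(name):
    """PEP 503: names compare case-insensitively with -, _ and . treated alike."""
    return re.sub(r"[-_.]+", "-", name).lower()

def check_requirement(line):
    """Return 'compromised', 'unpinned', or None for one requirements line."""
    m = REQ_RE.match(line)
    if not m or normalize(m.group(1)) != PACKAGE:
        return None
    spec = m.group(2).split(" --")[0].strip()  # drop --hash=... options
    pin = PIN_RE.fullmatch(spec)
    if pin is None:
        return "unpinned"  # range, wildcard or bare name: the resolver chose
    return "compromised" if pin.group(1) in BAD_VERSIONS else None

def scan_requirements(text):
    """Return (line number, verdict) for each line that needs attention."""
    checked = ((n, check_requirement(l)) for n, l in enumerate(text.splitlines(), 1))
    return [(n, v) for n, v in checked if v]

def scan_log(text):
    """Return (line number, version) wherever a log line names a bad version."""
    return [(n, m.group(1))
            for n, line in enumerate(text.splitlines(), 1)
            for m in LOG_RE.finditer(line) if m.group(1) in BAD_VERSIONS]

SAMPLE_REQS = """\
torch>=2.0
PyTorch_Lightning==2.6.3   # training image
pytorch-lightning>=2.0,<3
pytorch-lightning==2.5.0 --hash=sha256:0000
"""
SAMPLE_LOG = """\
2026-04-30T23:10:02Z Collecting pytorch-lightning
2026-04-30T23:10:03Z Downloading pytorch_lightning-2.6.2-py3-none-any.whl
2026-04-30T23:10:09Z Successfully installed pytorch-lightning-2.6.2 torch-2.3.0
"""

print(scan_requirements(SAMPLE_REQS), scan_log(SAMPLE_LOG))
```

An "unpinned" verdict is deliberately conservative: it means the file alone cannot tell you which version was installed, so the matching CI/CD log has to be checked.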
03 New Linux CVSS 7.8
Copy Fail CVE-2026-31431. Any local Linux user escalates to root with a four-byte write. Exploit code is public.
CVE-2026-31431
What happened
Xint.io and Theori researchers disclosed CVE-2026-31431, a local privilege escalation vulnerability in the Linux kernel dubbed Copy Fail. The flaw allows any unprivileged local user to write exactly four bytes into arbitrary positions in the page cache, the in-memory representation of filesystem data. That seemingly small write capability is sufficient to corrupt kernel data structures in a way that results in root-level code execution.
The vulnerability affects Ubuntu, Debian, Fedora, and Red Hat Enterprise Linux across a range of kernel versions. Patches are available from all major distribution maintainers. Public proof-of-concept exploit code has been released alongside the disclosure. The researchers confirmed reliable exploitation on current versions of the affected distributions. The CVSS score of 7.8 reflects the local access requirement. Remote exploitation is not possible directly, but the flaw becomes highly significant in any environment where an attacker has achieved limited initial access and needs to escalate privileges.
EXECUTIVE IMPACT · Most enterprise Linux deployments run workloads as non-root service accounts for exactly this reason. Copy Fail eliminates that containment. Any process that achieves code execution at a low privilege level, through a web application vulnerability, a container escape, or a supply chain attack, can now use this flaw to reach root on the host. Combined with this week's supply chain items, it forms a complete post-exploitation path.
DON'T MISS · Container environments are specifically exposed in a way that most teams have not fully internalized. Containers are often assumed to provide isolation between workloads and the host. Copy Fail is a kernel vulnerability. The container shares the host kernel. A process that escapes container isolation and reaches the host kernel, or achieves execution directly on a node, can use this four-byte write to escalate to root on the node itself. Kubernetes clusters running unpatched host kernels are running with a known, public, reliable root escalation available to any workload that achieves node-level code execution.
CyberSip Take
Copy Fail combines cleanly with everything else in this week's brief. Yesterday's supply chain attacks targeted developer environments and CI/CD pipelines running on Linux. Today's Linux kernel flaw provides the privilege escalation step that turns a compromised low-privilege process into root on the host. The two items are not connected by the same attacker, but they represent the attack chain an opportunistic actor would assemble from publicly available components today: supply chain compromise for initial access, Copy Fail for escalation.
The patch is available and straightforward to apply. The risk is highest in environments where kernel updates require planned maintenance windows, which in practice means many production Kubernetes clusters will remain unpatched for days or weeks. Any cluster running workloads that process external input, run user-submitted code, or deploy AI models should treat this kernel update with the same urgency as a high-severity application vulnerability. The kernel is the foundation. Once root on a node is achievable, cluster-level controls like pod security policies and network policies become secondary concerns.
Recommended actions
- Apply the Linux kernel patches addressing CVE-2026-31431 from your distribution maintainer. Ubuntu, Debian, Fedora, and RHEL all have fixes available today.
- For Kubernetes environments, prioritize node kernel patching before the next scheduled maintenance window. The combination of public exploit code and a known AI/ML supply chain campaign this week makes this a higher-urgency update than routine kernel maintenance.
- Review whether any containers in your environment run with elevated capabilities or host namespace access that would reduce the barrier to exploiting this flaw from a container context.
- Check whether any systems affected by this week's supply chain items are running on unpatched Linux kernels. The combination of supply chain compromise and Copy Fail creates a reliable path from low-privilege code execution to root.
Derived from Xint.io and Theori research disclosure and major Linux distribution security advisories
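The container review recommended above can be run over a Kubernetes pod list in JSON form, such as the output of kubectl get pods -A -o json. This added example, which is not part of the original brief, flags host namespace sharing, privileged containers and risky added capabilities; the capability set, function names and sample pods are assumptions constructed for illustration.

```python
import json

# Capabilities treated as "elevated" here are an assumption of this example,
# not an exhaustive policy; adjust the set to your own baseline.
RISKY_CAPS = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "DAC_READ_SEARCH"}
HOST_NAMESPACES = ("hostPID", "hostNetwork", "hostIPC")

def audit_pod(pod):
    """Return findings for one pod object from a Kubernetes pod list."""
    spec = pod.get("spec", {})
    findings = [f"pod: {ns}" for ns in HOST_NAMESPACES if spec.get(ns)]
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            findings.append(f"{c['name']}: privileged")
        added = set((sc.get("capabilities") or {}).get("add") or [])
        for cap in sorted(added & RISKY_CAPS):
            findings.append(f"{c['name']}: adds {cap}")
    return findings

def audit(pod_list_json):
    """Map 'namespace/name' to findings for every pod with at least one."""
    report = {}
    for pod in json.loads(pod_list_json).get("items", []):
        found = audit_pod(pod)
        if found:
            meta = pod.get("metadata", {})
            report[f"{meta.get('namespace')}/{meta.get('name')}"] = found
    return report

# Constructed sample: one training pod with host access, one locked-down pod.
SAMPLE = json.dumps({"items": [
    {"metadata": {"namespace": "ml", "name": "trainer-0"},
     "spec": {"hostPID": True, "containers": [
         {"name": "train", "securityContext": {
             "privileged": True,
             "capabilities": {"add": ["SYS_ADMIN", "NET_BIND_SERVICE"]}}}]}},
    {"metadata": {"namespace": "web", "name": "api-1"},
     "spec": {"containers": [{"name": "api", "securityContext": {
         "capabilities": {"drop": ["ALL"]}}}]}},
]})

for pod_name, found in audit(SAMPLE).items():
    print(pod_name, found)
```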
Still watching
Aging items · days 2–6
Items here remain operationally relevant but have no significant new developments. They drop off after 7 days.
Mini Shai-Hulud SAP npm packages (Issue 18). If any of the four affected versions were installed between 9:55 and 14:00 UTC April 29, rotate all credentials immediately. Check for .claude/settings.json and .vscode/tasks.json in recently cloned repositories.
Day 2
GitHub CVE-2026-3854 (Issue 17). GHES admins must upgrade to 3.19.3 or later. Full vulnerability details are public. Treat unpatched GHES instances as actively exploitable.
Day 3
Kentico Xperience CVE-2025-2749 and Quest KACE CVE-2025-32975 (Issue 18). Federal deadline May 15. Both allow unauthenticated access to management platforms.
Day 2
Cross-source standouts
What connects this week
01
TeamPCP is running a coordinated multi-platform campaign and accelerating
Bitwarden CLI via npm on April 22. SAP CAP packages via npm on April 29. PyTorch Lightning via PyPI on April 30. Three supply chain attacks in eight days across two package ecosystems, each targeting developer and CI/CD credentials with the same payload architecture. The escalation from a security tool to an enterprise SAP framework to a widely used AI/ML library shows deliberate target selection moving up the value chain. Teams that assumed the Bitwarden incident was an isolated npm event now have evidence that the campaign targets any high-value package across any registry. The defense is the same across all three: pin dependencies to specific verified versions and run automated package integrity checks in CI/CD pipelines.
02
This week's three items chain into a complete attack path
Supply chain compromise via PyTorch Lightning provides initial code execution in a low-privilege process. Copy Fail provides a reliable path from that low-privilege process to root on the Linux host. cPanel access gives the attacker control of web server infrastructure and customer data. None of these three vulnerabilities requires the same attacker to be involved. All three are exploitable today with public tooling. Any organization whose AI development pipeline runs on Linux and whose web infrastructure uses cPanel is sitting at the intersection of all three. The week's brief is not three separate stories. It is a threat model update.