Weekly Recap: cPanel Zero-Day, Linux Copy Fail, GitHub RCE, and TeamPCP's Supply Chain Spree
Original source: ⚡ Weekly Recap: AI-Powered Phishing, Android Spying Tool, Linux Exploit, GitHub RCE & More (The Hacker News)
Attackers spent the week occupying systems rather than just breaching them. CVE-2026-41940, a critical authentication bypass in cPanel/WHM, is under active exploitation — with some intrusions wiping entire sites and backups, and others dropping Mirai variants and the Sorry ransomware strain. CISA added CVE-2026-31431 (“Copy Fail”) to its KEV catalog: a Linux kernel logic bug stemming from a 2017 crypto-template optimization that lets a 732-byte Python exploit deterministically escalate privileges in memory, leaving no disk artifacts and enabling container escape from any Kubernetes pod. Wiz also disclosed CVE-2026-3854, a GitHub flaw allowing authenticated RCE via a single git push — patched in six days, but severe enough to threaten shared storage nodes and full GitHub Enterprise Server compromise.
The human layer is being industrialized too. Cordial Spider and Snarky Spider are running vishing-led intrusions that hijack SaaS sessions through fake SSO pages, swap MFA devices, and route traffic through residential proxies to mimic home users — bypassing MFA and moving laterally on a single authenticated session. TeamPCP continued its “Mini Shai-Hulud” supply chain campaign across npm, PyPI, and Packagist, weaponizing legitimate CI/CD pipelines to publish poisoned packages under real maintainer identities, with each compromised pipeline seeding the next.
Two other items stand out. DEEP#DOOR is a new Python backdoor framework offering full surveillance (keylogging, clipboard, screenshots, mic/webcam, SSH key theft) plus destructive options like MBR overwrites and resource exhaustion. And VECT 2.0 ransomware — newly partnered with TeamPCP and BreachForums — turns out to wipe large files rather than encrypt them, making recovery impossible even if victims pay.
This is an AI-generated summary. Read the original for the full story.