Cyber Intelligence Daily — May 01, 2026
Friday, May 1, 2026
The Big Picture
Today's signal is loud and pointed in one direction: the trust layers underneath the internet are bleeding. A cPanel authentication bypass running on roughly 1.5 million exposed instances. A self-hosted GitHub Enterprise RCE that 88% of deployments hadn't patched as of Wiz's April 28, 2026 scan. Official SAP npm packages backdoored to harvest CI secrets. And the security scanner that's supposed to find these problems — Checkmarx — confirming attackers exfiltrated data from its private GitHub environment. The plumbing is the target, the patch latency is the blast radius, and federal agencies have until Sunday on the cPanel bug.
What Just Dropped
- CVE-2026-41940 — cPanel & WHM (all supported versions before 11.136.0.5): emergency patch released, actively exploited since at least February 23. KEV-listed, federal patch deadline Sunday, May 3. CRLF injection in login/session loading enables unauthenticated takeover of the host and every site it manages.
- CVE-2024-1708 — ConnectWise ScreenConnect: patched in 23.9.8, now confirmed actively exploited two years after disclosure. KEV deadline May 12. Path traversal that chains with CVE-2024-1709's auth bypass for full RCE.
- CVE-2026-32202 — Microsoft Windows Shell: incomplete patch for the APT28-exploited CVE-2026-21510. KEV deadline May 12. Akamai found the April 14 fix still allows attacker SMB callbacks when rendering folders containing malicious LNK files.
- CVE-2026-3854 — GitHub Enterprise Server (CVSS 8.7): patched on GitHub.com within hours of Wiz's April 28 disclosure, but Wiz telemetry from the same day showed roughly 88% of self-hosted instances still vulnerable. One authenticated `git push` triggers backend RCE.
- Mini Shai-Hulud SAP npm packages — mbt 1.2.48, @cap-js/db-service 2.10.1, @cap-js/postgres 2.2.2, @cap-js/sqlite 2.2.2: trojanized with a preinstall hook that exfiltrates GitHub/npm tokens, AWS/Azure/GCP keys, and Kubernetes secrets. ~500K combined weekly downloads.
- CVE-2026-21385 & CVE-2026-22719 — Qualcomm chipsets (memory corruption) and Broadcom VMware Aria Operations (command injection): added to CISA KEV based on evidence of active exploitation.
Today's Stories
The Web Hosting Control Panel Running Most of the Internet Was Exploited for Months Before Anyone Patched It
If your company runs a website — or your hosting provider runs cPanel, which a generous slice of the internet does — this is Friday's emergency.
CVE-2026-41940 is a CRLF injection (a class of bug where carriage-return and line-feed characters smuggled into a request let an attacker forge structured server-side data) sitting in cPanel's login and session-loading logic. The mechanic, per Rapid7's writeup: cPanel writes request data into a session file before verifying who you are. Slip hidden line breaks into the password field, follow it with a deliberately malformed second request, and the injected data gets promoted into the active session cache. The system now thinks you're already authenticated and never bothers checking your password.
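To make the bug class concrete, here is an added, deliberately simplified model of a line-oriented session store that persists request fields before authenticating and then trusts what it reads back. This is illustration code written for this issue, not cPanel's code, and the credential store, field names and file layout are assumptions; the point it shows is why a raw CR/LF in one field lets the attacker author a whole new line (here `authenticated=1`) that the loader later honours, and what the hardened version checks instead.

```python
import hmac
import re

# Constructed credential store for the demo (not real accounts).
USERS = {"alice": "correct horse battery staple"}

# CR, LF and NUL are the characters that let one field spill into a new record.
CONTROL_CHARS = re.compile(r"[\r\n\x00]")


def serialize_session(fields):
    """Vulnerable writer: one 'key=value' line per field, values written unescaped."""
    return "".join(f"{key}={value}\n" for key, value in fields.items())


def parse_session(blob):
    """Session loader: on duplicate keys the last line wins, as in many ad hoc formats."""
    session = {}
    for line in blob.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            session[key.strip()] = value.strip()
    return session


def login_vulnerable(user, password):
    """Persists the request *before* verifying it, then trusts what it reads back.

    The authenticated flag is written first, so an 'authenticated=1' line smuggled
    into the password field lands later in the file and overrides it on load.
    """
    blob = serialize_session({"authenticated": "0", "user": user, "password": password})
    session = parse_session(blob)            # what the next request will load
    if session["authenticated"] == "1":      # "already logged in": password never checked
        return session
    if hmac.compare_digest(USERS.get(user, ""), password):
        session["authenticated"] = "1"
    return session


def login_hardened(user, password):
    """Rejects control characters, verifies first, and never persists the secret."""
    for field in (user, password):
        if CONTROL_CHARS.search(field):
            raise ValueError("CR/LF or NUL in credential field")
    if not hmac.compare_digest(USERS.get(user, ""), password):
        return {"authenticated": "0"}
    # Only a verified user gets a session, and the password is not written into it.
    return parse_session(serialize_session({"authenticated": "1", "user": user}))


if __name__ == "__main__":
    payload = "wrong\nauthenticated=1"       # attacker-controlled password field
    print(login_vulnerable("alice", payload)["authenticated"])   # bypassed
    try:
        login_hardened("alice", payload)
    except ValueError as exc:
        print("rejected:", exc)
```

In a real HTTP request the line breaks arrive percent-encoded in the form body and are decoded by the framework before they reach code like this, so the rejection has to happen on the decoded value, not on the raw wire bytes; and the second defence (authenticate before creating any session state) is what makes the first one non-critical.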
Successful exploitation hands over the cPanel host, its databases, and every website it manages. A Shodan scan returns roughly 1.5 million exposed cPanel instances. CISA added the bug to the KEV catalog with a federal patch deadline of Sunday, May 3 — a three-day window that tells you what CISA thinks of the exploitation telemetry.
The uncomfortable timeline detail, per Help Net Security: exploitation was observed in the wild as early as February 23, 2026, and the vulnerability was reportedly disclosed to cPanel about two weeks before the April 28 advisory — with cPanel's initial response being that nothing was wrong. Public PoCs are now circulating.
What changes if this succeeds as a campaign: shared-hosting providers become the single richest pivot point on the internet — one panel compromise yields hundreds to thousands of sites, all the databases behind them, and credentials harvested from cPanel-managed mail. What to watch: whether large hosting providers (GoDaddy, Bluehost, Namecheap, HostGator) issue forced-patch notices over the weekend, and whether defacement-style or webshell-laden mass-compromise reports start surfacing on Monday. Patch to 11.136.0.5 or later. If you can't, firewall ports 2083, 2087, 2095, 2096 and stop cpsrvd and cpdavd.
One `git push` Could Have Turned GitHub Enterprise Into an Attacker's Playground
Wiz disclosed CVE-2026-3854 on April 28: a CVSS 8.7 flaw where any authenticated user with push access could trigger remote code execution on GitHub's backend with a single `git push`. The bug came from one internal service trusting metadata supplied by another — the kind of design flaw that's invisible until it isn't.
GitHub.com was patched within hours of Wiz's April 28 disclosure, so SaaS users are fine. The problem is self-hosted GitHub Enterprise Server, where, as of April 28, 2026, Wiz's scanning showed roughly 88% of internet-exposed instances still vulnerable. That's not a long tail. That's the entire body.
What changes if exploitation spools up: GitHub Enterprise is where regulated industries — banks, defense contractors, healthcare — keep the source code they explicitly chose not to put in the cloud. An RCE there isn't just a code-leak risk; it's a credential-harvesting position adjacent to CI/CD, signing keys, and deployment pipelines. Failure mode for defenders looks like this: a quiet weekend, then Monday morning incident calls from organizations that assumed self-hosting was the conservative choice. Watch GreyNoise telemetry for scanning bursts against :443/api/v3/ patterns over the next 72 hours.
The Security Scanner That Just Became the Breach
Checkmarx confirmed Tuesday that the supply-chain compromise it disclosed in March didn't stop at poisoned developer tools. Attackers also exfiltrated data from its GitHub environment on March 30, 2026, riding in through the earlier Trivy-related incident. LAPSUS$ posted Checkmarx to its leak site over the weekend and claimed to hold source code, employee databases, API keys, and MongoDB and MySQL credentials. Checkmarx didn't confirm every line of that boast but did acknowledge the GitHub theft and tied it to the March 23 incident. Checkmarx has retained Mandiant.
The irony is structural: Checkmarx sells static application security testing — the tool that's supposed to find vulnerabilities in your code. Russian outlet Xakep.ru ran the private-repo angle in parallel, providing the earliest local-language detail on what was lifted.
What changes if this gets weaponized: scanner internals reveal not just detection logic but its blind spots — the bypass patterns and edge cases the scanner misses. Attackers who study them craft payloads that slide through enterprise scanning pipelines. The observable signal: novel exploits in the wild that look surgically tuned to evade Checkmarx's specific heuristics, particularly in the npm and Python ecosystems where the company has heavy footprint. The initial malware poisoning was loud. This quieter follow-on is the long-tail risk.
SAP's Own npm Packages Were Turned Into Credential Thieves
If your team builds anything on SAP's Cloud Application Programming Model, check your dependency logs before lunch. BleepingComputer, citing Aikido and Socket, reported Wednesday that four official SAP-published npm packages — mbt 1.2.48, @cap-js/db-service 2.10.1, @cap-js/postgres 2.2.2, @cap-js/sqlite 2.2.2 — were trojanized with a preinstall hook. Combined weekly downloads: roughly 500,000.
The hook fetches and runs a Bun binary, then rifles through the build environment for GitHub and npm tokens, AWS/Azure/GCP credentials, Kubernetes secrets, GitHub Actions secrets, and SSH keys. Researchers at both firms note behavior overlap with prior TeamPCP supply-chain operations — the same threat cluster behind the LiteLLM compromise that fed the Mercor breach.
What changes if this is the new normal: the build pipeline itself becomes the credential heist. Every CI run is an opportunity for exfiltration, and rotation has to happen at the secret level, not the package level. What failure looks like for defenders: months from now, a cloud account is drained or a customer environment is compromised, and the forensic trail leads back to a single April build. Identify any installs of those exact versions, purge, and rotate every secret reachable from those build environments. Don't wait for a SAP postmortem.
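The first step in that remediation, finding whether any of the four exact versions ever made it into a project, is mechanical enough to script. The block below is an added example written for this issue, not tooling from SAP, Aikido or Socket: it reads an npm lockfile (both the v1 nested layout and the v2/v3 `packages` layout), reports any package pinned to one of the compromised versions, and separately lists every installed package.json that declares a `preinstall` script, which is the hook these packages abused. The lockfile contents are a constructed sample, and the version list is taken from the report above.

```python
import json
from pathlib import Path

# Exact trojanized versions named in the report; any other version is not flagged.
COMPROMISED = {
    "mbt": {"1.2.48"},
    "@cap-js/db-service": {"2.10.1"},
    "@cap-js/postgres": {"2.2.2"},
    "@cap-js/sqlite": {"2.2.2"},
}

# Constructed lockfile in the lockfileVersion 3 layout ("packages" keyed by path).
SAMPLE_LOCKFILE_V3 = json.dumps({
    "name": "demo-cap-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-cap-app", "dependencies": {"@cap-js/sqlite": "^2.2.0"}},
        "node_modules/@cap-js/sqlite": {"version": "2.2.2"},
        "node_modules/@cap-js/db-service": {"version": "2.10.0"},   # one below the bad one
        "node_modules/some-tool/node_modules/mbt": {"version": "1.2.48"},  # nested hit
        "node_modules/left-pad": {"version": "1.3.0"},
    },
})

# Constructed lockfile in the older lockfileVersion 1 layout (nested "dependencies").
SAMPLE_LOCKFILE_V1 = json.dumps({
    "name": "demo-legacy-app",
    "lockfileVersion": 1,
    "dependencies": {
        "@cap-js/postgres": {"version": "2.2.2",
                             "dependencies": {"mbt": {"version": "1.2.47"}}},
    },
})


def package_name(path):
    """'node_modules/a/node_modules/@scope/b' -> '@scope/b' (last node_modules segment)."""
    return path.split("node_modules/")[-1]


def find_compromised(lockfile_text):
    """Return [(name, version, path)] for every lockfile entry at a compromised version."""
    lock = json.loads(lockfile_text)
    hits = []
    packages = lock.get("packages")
    if packages is not None:                      # lockfileVersion 2 or 3
        for path, meta in packages.items():
            if not path:                          # "" is the root project itself
                continue
            name = package_name(path)
            if meta.get("version") in COMPROMISED.get(name, ()):
                hits.append((name, meta["version"], path))
    else:                                         # lockfileVersion 1
        def walk(deps, prefix):
            for name, meta in deps.items():
                path = f"{prefix}node_modules/{name}"
                if meta.get("version") in COMPROMISED.get(name, ()):
                    hits.append((name, meta["version"], path))
                walk(meta.get("dependencies", {}), path + "/")
        walk(lock.get("dependencies", {}), "")
    return hits


def preinstall_hook(manifest):
    """Return the preinstall command declared by one package.json dict, or None."""
    scripts = manifest.get("scripts")
    if not isinstance(scripts, dict):
        return None
    return scripts.get("preinstall") or None


def installed_preinstall_hooks(node_modules_dir):
    """Yield (package name, preinstall command) for every installed package declaring one."""
    for pkg_json in Path(node_modules_dir).rglob("package.json"):
        try:
            manifest = json.loads(pkg_json.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue
        cmd = preinstall_hook(manifest)
        if cmd:
            yield manifest.get("name", str(pkg_json.parent)), cmd


if __name__ == "__main__":
    for hit in find_compromised(SAMPLE_LOCKFILE_V3) + find_compromised(SAMPLE_LOCKFILE_V1):
        print("COMPROMISED:", *hit)
    for name, cmd in installed_preinstall_hooks("node_modules"):
        print("preinstall hook:", name, "->", cmd)
```

A clean lockfile is necessary but not sufficient: a CI runner that installed one of these versions even once has already run the hook, so the secret rotation the story calls for has to follow from build history, not from the current tree. Running installs with `npm ci --ignore-scripts` stops lifecycle hooks from executing at all, at the cost of breaking packages that legitimately build native code at install time.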
⚡ What Most People Missed
- CERT-UA documents UAC-0252 deploying two undocumented stealers: Advisory #20032 names them SHADOWSNIFF and SALATSTEALER. Neither has prior public documentation, which means signature-based detection has nothing to match yet. CERT-UA has published IOCs — defenders should ingest them now, because Western threat-intel feeds will lag by weeks. [Source: CERT-UA — Ukrainian]
- An AI agent wiped a company's database in nine seconds: Xakep reports a PocketOS deployment gave an autonomous agent backend privileges; it deleted production data and the attached backups in roughly the time it takes to read this sentence. Not a network breach — an operational control failure. If you're running agents with write access, separate backup credentials and require multi-person approval for destructive operations. [Source: Xakep.ru — Russian]
- Linux "Copy Fail" upstream fix exists, distro patches don't: CERT-EU's advisory dated within the past 24 hours confirms the mainline kernel fix landed April 1, but vendor updates are still pending across major distributions — leaving a month-wide window for the 732-byte local root escalation. CERT-EU specifically flags Kubernetes nodes and CI/CD runners with untrusted workloads as priority for the interim mitigation.
- Russian researchers found hardcoded creds and a hardcoded crypto key in Visiology BI: CyberOK's Roman Malov reported five flaws in the Russian-market business intelligence platform, including hardcoded credentials (BDU:2026-01867, CVSS 9.8) and a hardcoded cryptographic key (BDU:2026-01868, CVSS 9.3). SKIPA telemetry shows ~140 internet-exposed instances, with roughly 60% potentially vulnerable. Fixed in 2.41.1. The exact category of regional enterprise software bug Western threat intel ignores until after exploitation. [Source: SecurityLab.ru — Russian]
From the Foreign Press
HeartlessSoul Is Quietly Harvesting Geolocation Data From Russian Government and Industrial Targets
Xakep.ru reports overnight on a threat cluster it's tracking as HeartlessSoul, conducting targeted operations against Russian government agencies and industrial-sector organizations with a specific focus on geolocation telemetry. Unlike standard espionage targeting correspondence or intellectual property, this campaign is built around precise location exfiltration — the kind of collection that maps personnel movement and asset positioning. Xakep describes custom tooling and persistent access, and the absence of English-language coverage suggests the activity is currently visible only inside Russian incident response circles. Geolocation harvesting historically precedes physical or kinetic targeting, which makes this an early signal worth tracking even outside the region. Source: Xakep.ru — Russian. No English-language coverage confirmed at time of publication.
Cloudflare Flagged the Max Messenger App's Domain as Spyware
● Moscow, Russia
Xakep.ru reports that Cloudflare classified the domain associated with Max — the Russian-developed messenger that Moscow has positioned as a domestic alternative to WhatsApp and Telegram — as spyware in its threat categorization. The classification matters operationally because it influences how Cloudflare's security products and partner ecosystem treat traffic to and from the domain. For users outside Russia, the practical effect is that enterprise security stacks consuming Cloudflare threat feeds may now flag Max-related traffic. The political implication, given Max's quasi-official status, is sharper than the technical one. Source: Xakep.ru — Russian. No English-language coverage confirmed at time of publication.
📅 What to Watch
- If hosting providers issue forced-patch notices for cPanel before Sunday's KEV deadline, expect a knock-on wave of customer-site reinfection reports next week — patched panels don't undo backdoors already planted.
- If TeamPCP's behavioral fingerprint shows up in additional npm or PyPI compromises beyond SAP and LiteLLM, treat it as a single coordinated campaign against developer-infrastructure trust, not a series of isolated incidents; that would imply access and tooling reuse across multiple supply-chain vectors.
- If GreyNoise telemetry shows scanning consolidation against GitHub Enterprise endpoints, it means the 88% unpatched figure (as of Wiz's April 28, 2026 scan) is being actively monetized rather than admired — and the next breach disclosures will skew toward regulated industries that self-hosted on principle.
- If APT28 follow-on activity surfaces using CVE-2026-32202 against organizations that already patched CVE-2026-21510, defenders will need to treat "incomplete patch" as a new threat-modeling category, requiring incident response playbooks that assume partial mitigations.
- If the Checkmarx leak yields novel scanner-evasion patterns in the wild, procurement and vendor-risk teams will have to treat security tooling as an active supply-chain risk when negotiating contracts and SLAs.
- If SHADOWSNIFF or SALATSTEALER appear in non-Ukrainian targets within the next two weeks, it's a signal that bespoke state-aligned tooling is being repurposed downward — either leaked, sold, or shared between clusters — which will expand the tactical footprint available to lower-tier operators.
The Closer
A control panel managing 1.5 million websites quietly handing out admin sessions since February, an autonomous AI agent wiping a production database in less time than it takes to sneeze, and a static application security scanner whose private repos are now being studied for blind spots by the people it was built to stop. The plumbing is the target this week, and the only people who haven't noticed are the 88% of GitHub Enterprise admins who remained unpatched as of April 28, 2026.
Stay paranoid. Patch on Sunday.
If someone you know runs cPanel, ScreenConnect, or a self-hosted GitHub box — forward this before they find out the hard way.