The Register

Start date pushed back a year, annual cost up a third, and UK's now handing out eight million passports a year

The Home Office has increased the annual value and overall duration of its new passport production contract, increasing it to a total of £576 million as it starts a third round of engagement with suppliers.…

The wave of supply chain attacks aimed at security and developer tools has washed up more victims, namely SAP and Intercom npm packages, plus the lightning PyPI package. The newly compromised packages as of Thursday include intercom-client@7.0.5 (according to Google-owned Wiz) and intercom-client@7.0.4 (says supply-chain security firm Socket) and lightning@2.6.2 and 2.6.3. Attackers infected all versions with the same credential-stealing malware that, on Wednesday, poisoned multiple npm packages associated with SAP's JavaScript and cloud application development ecosystem. The SAP-related compromise is a Shai-Hulud-worm style campaign that calls itself Mini Shai-Hulud. So far, these SAP-related npm packages include: mbt@1.2.48 @cap-js/db-service@2.10.1 @cap-js/postgres@2.2.2 @cap-js/sqlite@2.2.2 Collectively, these four packages receive about 572,000 weekly downloads and are widely used by developers building cloud applications. SAP did not answer The Register's questions about the compromise and instead sent us this statement: "A security note is published and available for SAP customers and partners." The note is only accessible to logged-in customers. These latest offensives are called "Mini Shai-Hulud worm” attacks because of similarities to the earlier self-propagating Shai-Hulud malware that targeted npm packages. Both Wiz and Socket attributed the SAP compromise to TeamPCP – the cybercrime crew linked to the earlier Checkmarx, Bitwarden, Telnyx, LiteLLM, and Aqua Security Trivy infections. The two security shops also note that the Thursday attacks on the Intercom and lightning packages appear to contain the same malicious code seen in the SAP operation. Here's what has happened in the world of supply-chain attacks over the past 48 hours. SAP-related npm packages On April 29, TeamPCP compromised four official npm packages from the SAP JavaScript and cloud application development ecosystem and published the poisoned releases between 09:55 and 12:14 UTC. The compromised packages contain malicious preinstall scripts set to execute automatically on every npm install, and run attacker-controlled code before any application code runs. This new campaign deploys a multi-stage payload that steals developer secrets, self-propagates, encrypts all the stolen goods, and then exfiltrates the now-locked secrets into a new GitHub repository under the victim's own account. "The second-stage payload is a credential stealer and propagation framework designed to target both developer environments and CI/CD pipelines," the Wiz kids said on Thursday. "It collects sensitive data including GitHub tokens, npm credentials, cloud secrets (AWS, Azure, GCP), Kubernetes tokens, and GitHub Actions secrets – leveraging advanced techniques such as extracting secrets from runner memory. Exfiltration occurs via public GitHub repositories, where it posts encrypted payloads. Additionally, the malware includes propagation logic to infect additional repositories and package distributions." Plus PyPI package lightning Then on Thursday, an additional package was poisoned to execute credential-stealing malware on import. Up first: PyPI package Lightning versions 2.6.2 and 2.6.3. Lightning is a widely used deep learning framework for training and deploying AI products. Developers download it hundreds of thousands of times every day. "The obfuscated JavaScript payload contains many similarities to the Shai-Hulud attacks, overlapping in targeted tokens, credentials and obfuscation methods. Socket also identified signs that router_runtime.js both poisons GitHub repositories and infects developer npm packages," according to Socket, which also published a separate Mini Shai-Hulud supply-chain campaign page that it updates as new information comes to light. And Intercom's npm package Also on Thursday: Socket and Wiz sounded the alarm on a new compromise of the intercom-client npm package. Intercom is a customer communications platform, and intercom-client is a widely used official SDK for Intercom's API. It sees about 360,000 weekly downloads, and npm lists more than 100 dependent projects. However, as Socket notes, the real exposure likely extends beyond these direct dependencies because the package is commonly installed in backend services, developer environments, and CI/CD pipelines that integrate with Intercom's API. "The attack closely resembles the lightning@2.6.2 PyPI attack from earlier today, as well as the TeamPCP-linked supply chain campaign we reported yesterday affecting SAP CAP and Cloud MTA npm packages," Socket wrote. Neither Intercom nor Lightning immediately responded to The Register's requests for comment. We will update this story when we hear back from any of the compromised organizations. ®

Mini Shai-Hulud caught spreading credential-stealing malware

The wave of supply chain attacks aimed at security and developer tools has washed up more victims, namely SAP and Intercom npm packages, plus the lightning PyPI package.…

Give a man a phishing kit and he might get lucky a couple of times; teach an AI to phish and it'll change the landscape, if KnowBe4's latest phishing trends report is accurate. The cybersecurity and phishing awareness outfit released the seventh edition of its Phishing Threat Trends report on Thursday, and it appears that the internet's legions of phishermen are turning to AI in more ways, and more often, than ever thanks to their widespread adoption of AI. Nearly 86 percent of phishing campaigns KnowBe4 threat researchers have picked up on in the past six months have involved some sort of use of AI, according to the report. That's a gradual, steady increase over the past two years, too. 80 percent of phishing campaigns made use of AI in 2024, and 84 percent did so last year, suggesting holdouts are increasingly adopting the tech to broaden their reach.  That number may be troubling enough, but it's how AI is being used that KnowBe4 points out is the biggest problem. Well-written, highly personalized AI-crafted phishing messages are bad enough, but AI is also automating the reconnaissance and info gathering phases of a campaign, speeding up the phishing process and giving attackers more time to shift to multiple attack vectors to better gain their victims' trust.  While the report doesn't compile vectors as a share of total phishing attacks, it does note that there has been a 49 percent increase in phishing attacks that involve calendar invites, and a 41 percent increase in attacks that involve Microsoft Teams messages impersonating coworkers like IT support employees in order to harvest credentials and the like. Savvy multi-vector phishing operations still often start with an email, and that's one of the big areas where AI is broadening phishing horizons, according to the report. Automated reconnaissance enables attackers to comb through masses of information, extract target data, and feed that into AI-generated email lures. Those polymorphic phishing campaigns take a base template, jazz it up and make it unique to each individual, and voilà, a phishing message that's far less likely to be noticed than the typical one that relies on misspellings and bad grammar to weed out those capable of critical thought.  The report's data suggests that emails are only the start of the modern phishing campaign, however, as those increases in calendar invites and malicious Teams messages are often the second stage in an attack.  As IT teams are one of the most common groups impersonated by phishing attacks, one can easily imagine a phishing email followed by a Teams message from someone claiming to be from the help desk and demanding you click on a link to reset your password, or read and sign a new policy via DocuSign, etc. Both methods ultimately deliver credentials or remote access to an attacker, giving them what they were after. According to Microsoft, phishing campaigns involving AI lures are 4.5 times more effective than human-crafted ones. Meanwhile, the FBI says US cybercrime losses hit a record $20.87 billion last year, with phishing the most common complaint and AI-related fraud accounting for about $893 million of that total. ®

KnowBe4 says 86% of phishing it tracked used AI, and inboxes are only the start

Give a man a phishing kit and he might get lucky a couple of times; teach an AI to phish and it'll change the landscape, if KnowBe4's latest phishing trends report is accurate.…

China's "hacker-for-hire ecosystem has gotten out of control," according to Brett Leatherman, assistant director of the FBI's cyber division. This ecosystem includes private technology companies operating at the behest of the PRC's intelligence agencies while allowing Beijing to maintain plausible deniability.  "Motivated by profit, this network of private companies and contractors in China cast a wide net to identify vulnerable computers, exploit those computers, and then identify information that it could sell directly or indirectly to the PRC government," Leatherman told reporters on Thursday. Or, if the Chinese government won't buy it, the hackers-for-hire "turn from cyber mercenaries into cyber dealers," selling access to the compromised systems and stolen data to third parties on the dark web. "This leads to a less secure environment that is ripe for further lawlessness," Leatherman said.  Xu Zewei's extradition and the criminal charges against him, however, should send a message to China's contractor ecosystem, he added: "The protection you assume from operating inside China does not extend the moment you cross a border." Xu, a Chinese national, was extradited from Italy to the United States over the weekend and charged with nine hacking-related crimes. Italian cops arrested Xu last July. According to American prosecutors, China's Ministry of State Security (MSS) and Shanghai State Security Bureau allegedly directed Xu to hack thousands of computers and steal sensitive information in a way that hid the Chinese government's involvement. This happened between February 2020 and June 2021, and some of the digital intrusions were part of the 2021 campaign in which Hafnium (now better known as Silk Typhoon) exploited zero-day bugs in Microsoft Exchange and compromised hundreds of thousands of servers worldwide, including 12,700 organizations in the US alone. Other intrusions targeted American universities and researchers working on COVID-19 vaccines, treatments, and testing during the height of the pandemic, prosecutors allege.  The indictment claims that at the time, Xu worked as a general manager at a company named Shanghai Powerock Network, which the feds previously linked to Hafnium/Silk Typhoon. "Among other things, Xu worked on taskings from the SSSB, supervised hacking activity of other Powerock personnel in support of such taskings, coordinated hacking activities with fellow hacker Zhang Yu, and reported the results of the hacking activities to the SSSB," according to the indictment [PDF]. The indictment also charges Zhang, a director at Shanghai Firetech Information Science and Technology Company who allegedly operated at the direction of the SSSB, along with two unnamed SSSB officers who directed the hacking operations. Court records show Xu is charged with conspiracy to cause damage to and obtain information by unauthorized access to protected computers, to commit wire fraud, and to commit aggravated identity theft, which carries a maximum penalty of five years in prison; conspiracy to commit wire fraud and two counts of wire fraud, each carrying a maximum penalty of 20 years; two counts of obtaining information by unauthorized access to protected computers, each carrying a maximum penalty of five years; two counts of intentional damage to a protected computer, each carrying a maximum penalty of 10 years; and one count of aggravated identity theft, which carries a mandatory consecutive two-year sentence. Zhang remains at large, according to the DoJ. ®

One alleged cyber contractor was extradited to the US over the weekend

China's "hacker-for-hire ecosystem has gotten out of control," according to Brett Leatherman, assistant director of the FBI's cyber division.…

If you use Gemini CLI, watch out: Google has patched a CVSS 10.0 vulnerability in its command-line AI tool and is warning anyone running it in headless mode, or through GitHub Actions, to review their workflows. The update to Gemini CLI and the run-gemini-cli GitHub Action, published last week but largely unnoticed until one of the two credited research teams published its writeup on Wednesday, fixes a critical - and apparently easy-to-abuse - flaw tied to over-permissive workspace trust settings. Per Google's advisory published to GitHub, the issue stems from how the headless mode of Gemini CLI (frequently used in CI/CD environments and increasingly by AI agents) handles workspace folder trust: It automatically assumes any of the workspace folders it's active in are trusted for the purpose of loading configuration files and environment variables.  We trust you can see the problem here.  Novee researcher Elad Meged discovered the vulnerability (independently of Pillar Security's Dan Lisichkin, who Google also credited for the find), he told us, while studying CI/CD supply chain attack vectors.  "This vulnerability had nothing to do with prompt injection or the model 'deciding' to act maliciously," Meged told The Register in an email. "It was an infrastructure-level issue, where attacker-controlled content was silently accepted as trusted configuration and executed before any sandbox was initialized." A CVE hasn't been issued for the issue yet, but Meged told us Google has confirmed to him that it is in the process of assigning one. Novee also scored a bug bounty for the find, but declined to disclose how much.  A necessary fix, but expect fallout "This is potentially risky in situations where Gemini CLI runs on untrusted folders in headless mode," Google explained. "If used with untrusted directory contents, this could lead to remote code execution via malicious environment variables in the local .gemini/ directory."  Interactive mode in Gemini CLI does not behave the same way: it requires users to explicitly trust a folder before workspace configuration files are loaded, and the update brings headless mode into line with that behavior. The mitigations shipped in Gemini CLI versions 0.39.1 and 0.40.0-preview.3, but here’s the catch: the run-gemini-cli GitHub Action defaults to the newest Gemini CLI release unless users pin a specific version. In other words, anyone using the GitHub Action as part of a workflow without specifying a CLI version may have some cleanup to do. "GitHub Actions and other automated pipelines that rely on the previous automatic trust behavior will fail to load workspace-specific settings until they are updated to use explicit trust mechanisms," Google said.  The update may also break workflows that relied on Gemini CLI’s --yolo mode, which previously bypassed fine-grained tool allowlists and automatically approved agent actions without prompting. "In previous versions, when Gemini CLI was configured to run in --yolo mode, it would ignore any fine grained tool allowlist," Google explained in the advisory. "In version 0.39.1, the Gemini CLI policy engine now evaluates tool allowlisting under --yolo mode … As a result, some workflows that previously depended on this behavior may fail silently unless tool allowlists are modified to fit the task."  Those who do specify a version, says Google, ought to make changes to allow the newest, safest version to run and be prepared to fix those workflows anyhow.  Damned if you do, damned if you don't, in other words, but the fix is necessary, as explained by the folks at Novee Security, one of the credited finders. Across every workflow Novee tested the vuln on, the company noted, the results were devastatingly the same. "Code execution on the host running the agent gave an unprivileged outsider access to whatever secrets, credentials, and source code the workflow could reach," the Novee team explained. "Enough for token theft, supply-chain pivots, and lateral movement into downstream systems." In short, take action as Google suggests, or avoid putting AI agents in sensitive environments until the risks are fully understood. ®

This CVSS 10.0 RCE vuln has been patched, automatically for some, so better check those workflows

If you use Gemini CLI, watch out: Google has patched a CVSS 10.0 vulnerability in its command-line AI tool and is warning anyone running it in headless mode, or through GitHub Actions, to review their workflows.…

French prosecutors say police detained a 15-year-old on April 25 over the alleged theft of millions of records from France Titres (ANTS), the agency handling secure documents. The Paris Prosecutor's Office announced on Thursday that the minor, suspected of using the online alias "breach3d" and not named because French law protects minors, faces two computer crime allegations linked to an intrusion in which between 12 million and 18 million lines of data were offered for sale on cybercrime forums. It formally opened a judicial investigation on April 29, covering alleged fraudulent access to a state-run automated data processing system and the extraction of data from it. Each offense carries a potential prison sentence of seven years and a maximum €300,000 (~$350,000) fine. Public Prosecutor Laure Beccuau has requested that the minor, whose pronouns, like their name, were also not specified, be formally charged and placed under judicial supervision. Beccuau said that France's office against cybercrime (OFAC) was informed in April of a cyberattack against ANTS, which handles passports, ID cards, and other secure documents, and that ANTS confirmed the reports on April 13. The Paris Public Prosecutor's Office was notified three days later and launched an investigation into the case the same day. Public confirmation of the attack came from the French Interior Ministry on April 20, although it revealed no details about the suspected culprit. French police detained the 15-year-old on April 25, and prosecutors announced [PDF] on Thursday that they were seeking formal charges and judicial supervision. The seller using the alias "breach3d" initially advertised the data trove as containing 18-19 million records – slightly above the upper range cited by Beccuau on Thursday – and the types of data offered for sale aligned with what the Interior Ministry had described. These were: login IDs, full names, email addresses, dates of birth, unique account identifiers, postal addresses, and telephone numbers, but not any attachments such as scans or photos. If the scale claimed by breach3d holds up, and if the records each pertained to unique individuals, this would constitute a breach affecting roughly a third of France's population. France's approach to punishing minors via its legal system is typically geared toward re-education and rehabilitation rather than prison time. While those aged between 13 and 16 can face time in juvenile detention, it is often used as a last resort measure. The maximum sentences and fines for the charges the 15-year-old in this case faces are upper limits imposed on adult offenders, and would likely be lowered substantially in cases involving a minor, like this one. ®

Two computer crime allegations follow up to 18M lines of data surfacing online

French prosecutors say police detained a 15-year-old on April 25 over the alleged theft of millions of records from France Titres (ANTS), the agency handling secure documents.…

Nearly half of UK businesses are still getting breached, and in many cases, the attacker's big breakthrough is an employee clicking "sure, why not" on a fake login page. The UK government's latest Cyber Security Breaches Survey, released on Thursday, puts the hit rate at 43 percent of businesses and 28 percent of charities reporting a cyber incident in the past year, equating to approximately 612,000 UK businesses and 57,000 UK charities, numbers that have barely budged since the last time it asked. Most of these breaches do not start with anything especially cutting-edge. Phishing leads "by far," usually via impersonation emails that send staff to fake login pages or get them to click links, open attachments, or hand over sensitive information. Everything else barely gets a look-in. Around 85 percent of businesses that reported a breach or attack said it involved phishing, leaving malware, ransomware, and unauthorized access trailing some distance behind. Among businesses that report break-ins, about a quarter say they occur at least once a week, with a smaller share reporting daily occurrences. Charities are seeing attacks land more often, with the share reporting weekly incidents rising from 18 percent to 26 percent over the past 12 months.  Against that backdrop, there are signs that organizations are trying to get a grip of the problem. Around six in ten medium and large businesses report having a formal cybersecurity policy in place, and incident response planning and cyber insurance have both ticked up year on year. Larger organizations are consistently more likely to have these measures in place than smaller ones. Policies on ransomware are still a bit of a mixed bag. Around half of businesses (49 percent) and a third of charities (34 percent) say they have a rule not to pay up, about the same as last year. Plenty are still in the dark, with roughly a quarter of businesses and a fifth of charities saying they do not know what their policy is. Most are covering the basics – at least two-thirds of organizations say they have things like updated malware protection, cloud backups, password rules, firewalls, and restricted admin access in place – but after that, it starts to tail off. Fewer report using measures such as two-factor authentication, formal data backup rules, policies on personal data storage, VPNs, or user monitoring. What's more, among small businesses, some of the basics have slipped compared with last year. The proportion carrying out cyber security risk assessments has dropped to around four in ten, reversing earlier gains and suggesting those improvements have not stuck. Supply chains remain another weak spot. Only around one in seven businesses say they review the risks posed by their immediate suppliers, and fewer go any further. The survey puts it at 15 percent checking direct suppliers and just 6 percent looking at the wider chain. Charities are lower again, at 9 percent and 4 percent, respectively. Then there is the data itself. Around 14 percent of businesses and 22 percent of charities say they hold personal data that is not protected by measures like encryption or anonymization, which means if someone does get in, there is a decent chance they will find something useful. Overall, breach rates remain high, and phishing continues to do most of the work. The basics exist, they're just not applied everywhere they should be. ®

Turns out the real problem is not AI but staff still clicking on dodgy emails from 'IT support'

Nearly half of UK businesses are still getting breached, and in many cases, the attacker's big breakthrough is an employee clicking "sure, why not" on a fake login page.…

EXCLUSIVE A novel China-linked threat group infiltrated more than a dozen critical networks in Poland, Asian countries, and possibly beyond, beginning in December 2024 and with activity uncovered as recently as this month. In a report shared exclusively with The Register, TrendAI researchers say the new group, which they track as Shadow-Earth-053, targeted government agencies, defense contractors, technology firms, and the transportation industry. The Chinese spies typically gain initial access to victim environments via vulnerable Microsoft Exchange Servers.  In "multiple" of these intrusions, they compromised victim organizations up to 8 months before deploying ShadowPad, a custom backdoor used by China's APT41 for almost a decade, and shared among multiple China-aligned groups since 2019. About half of the victims were also compromised by a related group, Shadow-Earth-054, which exploited the same vulnerabilities and shared identical tool hashes and overlapping techniques with Shadow-Earth-053. The 054 group has some network overlaps with Chinese crews tracked as CL-STA-0049 by Palo Alto Networks' Unit 42, REF7707 by Elastic Security Labs, and Earth Alux. Tom Kellermann, TrendAI VP of AI security and threat research, likened the new Chinese groups to Salt Typhoon and Volt Typhoon.  Salt hacked telecommunications and government agencies to gain stealthy, long-term access to victim organizations going back as far as 2019. And Volt followed in mid-2021, burrowing deep into critical US networks to preposition for future destructive attacks. Neither of these hacking campaigns came to light until late 2023.  "Shadow-Earth-053 followed Shadow-Earth-054, conducting reconnaissance and borrowing into the defense industries and defense ministries of nation states that are aligned with the US and also supportive of Taiwan's independence," Kellermann said in an exclusive interview with The Register.  "I'm concerned about what they are leaving behind: What type of C2 on a sleep cycle is still lingering in these environments? Whether or not they have already prepositioned wipers or destructive capabilities," Kellermann continued. "They're following in the footsteps of the Typhoon campaigns, they look like the younger brother and sister of the Typhoon campaigns, and they're island-hopping through the defense sectors and ministries of those nations for a reason." Shadow-Earth-053's victims spanned at least eight countries, according to TrendAI's investigation. Most of the observed targets were located in Pakistan, Thailand, Malaysia, India, Myanmar, Sri Lanka, and Taiwan, with at least one target - a defense-sector organization - in Poland.   Kellermann also suggested that the network intruders are paying close attention to next month's summit between US President Trump and Chinese President Xi. "Volt essentially had unrequited access to critical infrastructures, energy sector, etc., and it was all for the purposes of ongoing espionage, but most importantly, maintaining sabotage capability, like destructive attacks, should geopolitical tension exacerbate," Kellermann said in an exclusive interview with The Register. "Here we are, leading up to the May 14 and 15 meeting between President Trump and President Xi and, God forbid, the 15th goes sideways." Exchange server bugs: the gifts that keep on giving Shadow-Earth-053 typically exploits external services to hack into targeted networks. The years-old ProxyLogon (CVE-2021-26855), which can be chained with other Microsoft Exchange Server bugs (CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) to achieve remote code execution, is a favorite.  Salt Typhoon and other Chinese government snoops also abused ProxyLogon to breach critical US networks back in 2021, when it was first disclosed, and it's remained a top-exploited vulnerability ever since. So if you haven't already: patch these Exchange server bugs. After compromising the sever, Shadow-Earth-053 installs web shells - Godzilla is a commonly used one with this and other China-based crews - and then deploys the ShadowPad backdoor. In one instance, the snoops delivered ShadowPad malware via legitimate, and popular, remote desktop tool AnyDesk. TrendAI says this suggests the attacker either used a prior compromise or abused stolen credentials. "The limited visibility into this intrusion prevents us from determining whether this represents an alternative initial access method or a later-stage deployment following an unobserved entry point," the authors wrote.  Shadow-y malware and legit Windows tools In a separate instance, the incident responders found Linux NoodleRat backdoors - also widely used by Chinese espionage and cybercrime groups - deployed after Shadow-Earth-053 exploited another widely-abused Microsoft security hole: React2Shell (CVE-2025-55182), a critical flaw in React Server Components that can allow attackers to run arbitrary code on vulnerable servers. The group takes measures to avoid being detected on networks and make their malicious traffic appear legitimate. In one victim's environment, TrendAI detected RingQ, an open-source tool developed in China and available on GitHub that can be used to pack malicious binaries to evade detection by security solutions. The intruders also use domain names that impersonate products, security companies, or are related to the DNS protocol. In some instances, the group renamed legitimate Windows system binaries to evade process-based detection.  "They're using tools that we've seen before, and I think they are doing that on purpose, just to get lost in the noise," Kellermann said.  To move laterally through victim environments, Shadow-Earth-053 uses Windows Management Instrumentation Command-line (WMIC) and installs backdoors onto additional hosts. In one environment, the group propagated web shells to additional internal Exchange servers by using existing administrative credentials - and they continue collecting credentials as they travel through compromised systems, using tools like Evil-CreateDump. Targeting Poland, a NATO country, "highlights how cyber espionage and a cyber warfare is burgeoning," Kellermann said. "And not only is it burgeoning, but this is the direct prepositioning of these assets to colonize these infrastructures for the purpose of not just espionage, but long term sabotage, if need be." ®

Just in time for the Trump-Xi summit

Exclusive  A novel China-linked threat group infiltrated more than a dozen critical networks in Poland, Asian countries, and possibly beyond, beginning in December 2024 and with activity uncovered as recently as this month.…

Emergency patches are available for a critical vulnerability in cPanel and WHM that allows attackers to bypass authentication and gain root access to servers managed using it. Given that cPanel and WebHost Manager (WHM) control panel help manage properties for  70 million domains, by some estimates, and the critical severity of CVE-2026-41940 (9.8), the vulnerability is being considered a disaster by those in the security scene. It also affects every single supported version of the software prior to the patch. For the uninitiated, cPanel and WHM are both Linux-based control panels. The former is used to manage websites, databases, file transfers, email configurations, and domains, while WHM is used for servers. They are both backbones of the internet. Breaking into them would provide an attacker with unfettered access to all the secrets associated with these functions. Or, as watchTowr put it: "Think of it as the keys to the kingdom, and then the keys to every individual apartment inside the kingdom. If the kingdom were the internet and the apartments were websites. For everything." Perhaps the worst part is that early signals from defenders, such as KnownHost CEO Daniel Pearson, suggest it may have been exploited as a zero-day for at least 30 days. Or maybe worse still is the nature of the vulnerability itself – that attackers can gain root access while bypassing all kinds of authentication – a feat worthy of the near-maximum CVSS. The vulnerability also affects WP Squared, a WordPress hosting platform owned by cPanel. Successfully exploiting CVE-2026-41940, which can be summarized as a carriage return line feed (CRLF) flaw – meaning the application that was attacked does not properly sanitize user-supplied input – involves just a few steps.  An attacker creates a session cookie by completing a failed login attempt and then sends a request with a specially crafted header with an instruction to change privileges to root. They can then use that cookie to log into cPanel and WHM as root. In normal scenarios, cPanel would encrypt attacker-supplied values, but in unpatched versions, attackers can remove a hex value and stop this process from running, allowing the plaintext make-me-root commands to pass through like any other trusted code. Above is a high-level, concise summary of the procedure. Those looking for a winding tale of how the experts figured out the attack path, watchTowr published its workflow in its typical tongue-in-cheek style. The prevailing advice is that if you run cPanel and WHM, get patching ASAP. This is a bad one, and given the likelihood of zero-day exploitation, running cPanel's detection script can help defenders understand whether it's just a patch they need, or if it's pull the cables out time. watchTowr also published its own detection artefact generator to help defenders sniff out signs of compromise. ®

Emergency patches out now for those managing the millions of domains assumed to be affected

Emergency patches are available for a critical vulnerability in cPanel and WHM that allows attackers to bypass authentication and gain root access to servers managed using it.…

Investigation finds no single cause for soldiers falling ill, just bad bolts, cold air, and apparently the soldiers themselves

Britain's notorious Ajax armored vehicles are being accepted back from the manufacturer after investigations found no single cause for the symptoms plaguing crews, meaning soldiers will need to grin and bear it.…

PWNED Welcome, once again, to PWNED, the weekly column where we recount the adventures of IT explorers who found their own pile of quicksand and then jumped right into it. This week's story involves keeping sensitive information in a very vulnerable place and then not protecting it adequately. The tale comes to us courtesy of Stanislav Kazanov, head of strategic practices at Innowise, a software development firm. A few years ago Kazanov and his group were hired to perform compliance and data architecture audits on a fintech startup where execs had invested more than $1 million to develop a "military grade" security system complete with biometric MFA, endpoint detection, and a ton of physical security. During the audit, Kazanov logged onto the company's SharePoint site and found a folder called "DevOps_Handoff" on the company-wide intranet that any employee could access. Within that folder was a spreadsheet with the very obscure and deceptive filename Prod_DB_Root_Creds_DO_NOT_SHARE.xlsx. Clearly, this naming convention would throw off any would-be hackers. On the bright side, the Excel file was password-protected. So, at least there's that, but was there really that much protection? When Kazanov asked the lead engineer for the password, he was so embarrassed that he looked at his feet and mumbled the answer: "It's the [company name] + [year]." We don't know the actual name of the company, but let's just say it was Contoso. The password would therefore be contoso2026. That's not exactly "admin123" but it's close enough to guess. The lead engineer explained to Kazanov the reason for the file's existence. Apparently, the internal DevOps team and an external DBA team had a disagreement about which enterprise-grade password manager to use. To "temporarily" solve this disagreement, they dumped the root DB credentials and master AWS IAM keys into this spreadsheet, which had existed for a whopping eight months at the time our hero found it. Our story ends here. We assume this problem was resolved after Kazanov's intervention and before tragedy struck. However, it shows that disagreements over how to secure resources can lead to dangerous compromises. In this case, the internal DevOps team should have had the final say over what password manager the contractors and they would use. At no point should they have allowed this conflict to result in putting the secrets into a spreadsheet, even if the spreadsheet had strong password protection. The most basic principle of cybersecurity is to give individual access and credentials to only those who really need it. But here the file was on an intranet that was accessible to all employees and even contractors like Kazanov. Since this was a fintech firm, the data involved could have related to millions or even billions of dollars of people's money. This is a serious situation and anyone who is this sloppy with security doesn't deserve to handle a dime in assets or transactions. Have a story about someone leaving a gaping hole in their network? Share it with us at pwned@sitpub.com. Anonymity available upon request. ®

Great idea, guys. Let's keep all of the data in an Excel file with weak password protection

PWNED  Welcome, once again, to PWNED, the weekly column where we recount the adventures of IT explorers who found their own pile of quicksand and then jumped right into it. This week's story involves keeping sensitive information in a very vulnerable place and then not protecting it adequately.…