
Hackers Exploit cPanel Flaw to Wipe Websites and Deploy Ransomware

By: Morgan Cipher Senior Privacy Journalist

Last updated: May 8, 2026

  • Threat actors are exploiting a critical cPanel flaw to wipe entire websites and deploy ransomware.

  • Two cybercrime groups are using voice calls and fake login pages to bypass MFA and break into SaaS environments.

  • Attackers are abusing AI platforms such as Hugging Face to deliver malware, hiding more than 575 malicious “skills” across 13 developer accounts.

  • A Linux kernel bug called Copy Fail reportedly works every time and leaves no traces on disk.

The cybersecurity space is having a rough time. Attackers aren’t just breaking in; this week’s incidents show them walking in through the front door, doing as they please, and leaving without being caught.

These latest threats weren’t just technical; they were organized, fast, and increasingly hard to spot. Here are the headline incidents of the week.

The Big One: cPanel is Under Attack Right Now

A new cPanel flaw tagged as CVE-2026-41940 is being exploited right now. If you run a site on cPanel or WHM (WebHost Manager), you need to pay attention.

The flaw is an authentication bypass: a remote, unauthenticated attacker can skip the login step entirely and take over the control panel. The damage has been severe. Some attacks have ended in complete wipes of websites and their backups. Others have deployed variants of the Mirai botnet and a ransomware strain called Sorry.

This isn’t a “patch it next week” situation. It’s a patch-it-now situation.

Vishing Attacks Are Getting Frighteningly Effective

Two cybercrime groups, Cordial Spider and Snarky Spider, are running fast, high-impact attacks inside SaaS environments. They barely leave a trace.

Here’s how it works. The attackers call, text, or email employees directly and steer them to fake login pages that mimic the company’s single sign-on page. Once credentials are captured, the attackers log in as the victim. They remove and replace MFA devices, delete the security alert emails that would have warned the user, and route their traffic through residential proxy networks so it looks like ordinary home-user activity.

CrowdStrike says these groups can move laterally through entire SaaS ecosystems with just one authenticated session. That’s a terrifying amount of access from one stolen login.
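The chain described above (a login from an unfamiliar source, an MFA device swapped out minutes later, then the alert emails suppressed) is detectable from identity and mailbox audit logs if you correlate the steps per user. The following is an added example, not code from the article or from CrowdStrike; the log lines are constructed for illustration and the event names (`login.success`, `mfa.factor.removed`, `mail.rule.created`, and so on) are assumptions, not any vendor’s real schema.

```python
"""Flag users whose recent activity matches the vishing-to-takeover chain:
login from a source never seen for that user (often a residential proxy),
MFA factor removed and re-enrolled shortly afterwards, then a mailbox rule
or deletion that would hide the security alerts. Constructed sample data."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs). a.patel shows the full chain;
# j.okafor shows a benign MFA enrolment with none of the other signals.
SAMPLE_EVENTS = [
    {"ts": "2026-05-04T09:02:11Z", "user": "a.patel", "event": "login.success",
     "ip": "203.0.113.44", "asn_type": "residential"},
    {"ts": "2026-05-04T09:04:30Z", "user": "a.patel", "event": "mfa.factor.removed",
     "ip": "203.0.113.44", "asn_type": "residential"},
    {"ts": "2026-05-04T09:04:58Z", "user": "a.patel", "event": "mfa.factor.enrolled",
     "ip": "203.0.113.44", "asn_type": "residential"},
    {"ts": "2026-05-04T09:06:40Z", "user": "a.patel", "event": "mail.rule.created",
     "ip": "203.0.113.44", "asn_type": "residential", "detail": "delete if from:security-alerts"},
    {"ts": "2026-05-04T10:15:00Z", "user": "j.okafor", "event": "login.success",
     "ip": "198.51.100.7", "asn_type": "corporate"},
    {"ts": "2026-05-04T13:40:00Z", "user": "j.okafor", "event": "mfa.factor.enrolled",
     "ip": "198.51.100.7", "asn_type": "corporate"},
]

# Constructed baseline of source IPs previously seen per user.
KNOWN_IPS = {"a.patel": {"198.51.100.23"}, "j.okafor": {"198.51.100.7"}}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def score_takeover(events, known_ips, window=timedelta(minutes=30)):
    """Return {user: [reasons]} for each user whose events, within `window`
    of a successful login, match the MFA-swap pattern plus at least one
    supporting signal (unknown IP, residential source, alert suppression)."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    findings = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: parse_ts(e["ts"]))
        for login in (e for e in evs if e["event"] == "login.success"):
            t0 = parse_ts(login["ts"])
            reasons = []
            if login["ip"] not in known_ips.get(user, set()):
                reasons.append("login from IP never seen for this user")
            if login.get("asn_type") == "residential":
                reasons.append("source is a residential network (proxy-consistent)")
            # Everything this user did within the window after the login.
            after = [e for e in evs if t0 <= parse_ts(e["ts"]) <= t0 + window]
            kinds = {e["event"] for e in after}
            if {"mfa.factor.removed", "mfa.factor.enrolled"} <= kinds:
                reasons.append("MFA factor removed and re-enrolled within window")
            if kinds & {"mail.rule.created", "mail.message.deleted"}:
                reasons.append("mailbox rule or deletion shortly after login")
            # The MFA swap is the anchor; require one more signal to fire.
            if any(r.startswith("MFA") for r in reasons) and len(reasons) >= 2:
                findings[user] = reasons
    return findings


if __name__ == "__main__":
    for user, reasons in score_takeover(SAMPLE_EVENTS, KNOWN_IPS).items():
        print(f"POSSIBLE TAKEOVER {user}: " + "; ".join(reasons))
```

The anchor is the MFA swap rather than the unfamiliar IP, because a lone new-IP login is noisy while a factor removed and re-enrolled minutes after a login from a never-seen address almost never has an innocent explanation. In production the baseline of known IPs and the ASN classification would come from your identity provider, not a hard-coded dictionary.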

Copy Fail: The Linux Bug That Works Every Single Time

Most privilege escalation bugs are hit-or-miss. Not this one. CVE-2026-31431, also known as Copy Fail, reportedly works every time. It stems from a logic bug in one of the Linux kernel’s cryptographic templates, and a 732-byte Python script is all it takes: the attacker gets elevated privileges instantly.

What makes it worse? Its origin traces back to a 2017 kernel change originally meant to make encryption faster, which means every major Linux distribution shipping a kernel from that point onwards is affected. The exploit runs entirely in memory and leaves no traces on disk. It can also escape containers inside Kubernetes clusters.

CISA has included it on its Known Exploited Vulnerabilities catalog because of the high rate at which hackers are taking advantage of it.

Supply Chain Attacks Have Surged

TeamPCP is back, and they’re not slowing down. The group launched another round of supply chain attacks this week, hitting packages across the npm, PyPI, and Packagist ecosystems. The campaign is being called a ‘Mini Shai-Hulud’ attack.

Their previous hits include Trivy, Aqua Security’s open-source scanner, and KICS, a Checkmarx static analysis tool. Their method is clever and hard to detect. They compromise legitimate CI/CD pipelines and push poisoned package versions under real developer identities.

Amit Genkin from Upwind said it best. Each compromised pipeline spreads to the next, making credential theft a scaling problem across environments.

The advice? Check your dependency lockfiles for affected versions immediately and rotate any credentials tied to impacted pipelines, especially GitHub tokens and cloud credentials.
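Checking for poisoned versions across three ecosystems is mostly a lockfile-parsing job: npm records resolved versions in `package-lock.json`, pip in pinned `requirements.txt` lines, and Composer in `composer.lock`. The following is an added example of such an audit, not code from the article or from TeamPCP’s victims. The indicator list and the lockfile excerpts are constructed and hypothetical; the article does not name the affected package versions, so take the real list from the relevant advisory.

```python
"""Audit dependency lockfiles (npm, PyPI, Packagist) against a list of
known-bad (ecosystem, package, version) triples. Indicators and lockfile
contents below are constructed for this example and are NOT real IOCs."""
import json
import re

# Hypothetical indicators, stand-ins for an advisory's list. Not real data.
BAD_VERSIONS = {
    ("npm", "left-pad-utils", "1.4.2"),
    ("pypi", "reqparse-helper", "0.9.1"),
    ("packagist", "acme/yaml-tools", "2.3.0"),
}

# Constructed lockfile excerpts (not from any real project).
PACKAGE_LOCK = json.dumps({
    "name": "demo", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo"},
        "node_modules/left-pad-utils": {"version": "1.4.2"},
        "node_modules/lodash": {"version": "4.17.21"},
        "node_modules/lodash/node_modules/@scope/inner": {"version": "0.1.0"},
    },
})
REQUIREMENTS_TXT = "requests==2.32.3\nReqparse-Helper==0.9.1  # pinned\nflask>=3.0\n"
COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "acme/yaml-tools", "version": "v2.3.0"},
        {"name": "monolog/monolog", "version": "3.5.0"},
    ],
    "packages-dev": [],
})


def parse_npm(text):
    """Yield (eco, name, version) from a lockfileVersion 2/3 package-lock.json."""
    for path, meta in json.loads(text).get("packages", {}).items():
        if not path:  # "" is the root project entry, not a dependency
            continue
        # The text after the last "node_modules/" is the package name; this
        # handles nested installs and @scope/name packages alike.
        name = path.rsplit("node_modules/", 1)[-1]
        yield ("npm", name, meta.get("version", ""))


def parse_pypi(text):
    """Yield pinned (name==version) requirements; PyPI names are case-insensitive."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^([A-Za-z0-9_.\-]+)\s*==\s*([^\s;]+)", line)
        if m:
            yield ("pypi", m.group(1).lower(), m.group(2))


def parse_packagist(text):
    """Yield packages from composer.lock; Composer prefixes tagged versions with 'v'."""
    data = json.loads(text)
    for pkg in data.get("packages", []) + data.get("packages-dev", []):
        yield ("packagist", pkg["name"], pkg["version"].lstrip("v"))


PARSERS = {
    "package-lock.json": parse_npm,
    "requirements.txt": parse_pypi,
    "composer.lock": parse_packagist,
}


def audit(lockfiles, bad=BAD_VERSIONS):
    """lockfiles: {path: contents}. Return sorted (path, eco, name, version) hits."""
    hits = []
    for path, text in lockfiles.items():
        parser = PARSERS.get(path.rsplit("/", 1)[-1])
        if parser is None:
            continue
        hits.extend((path, eco, name, ver) for eco, name, ver in parser(text)
                    if (eco, name, ver) in bad)
    return sorted(hits)


if __name__ == "__main__":
    sample = {"package-lock.json": PACKAGE_LOCK,
              "requirements.txt": REQUIREMENTS_TXT,
              "composer.lock": COMPOSER_LOCK}
    for hit in audit(sample):
        print("COMPROMISED VERSION:", *hit)
```

A hit on any lockfile means the pipeline that resolved it may have executed the poisoned package, so rotating the GitHub tokens and cloud credentials that pipeline could reach belongs in the same runbook step, not a later one. Exact-version matching is deliberate: the advisory lists specific poisoned releases, and a looser range check would produce noise without catching anything extra.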

The threat to open-source ecosystems isn’t limited to opportunistic cybercriminals. Recent research has uncovered North Korean state-sponsored hackers systematically planting malicious packages across npm, PyPI, and other repositories, using stolen maintainer credentials to distribute backdoored code. For full details, see North Korean hackers plant malicious packages across open-source ecosystems.

GitHub Had a Frightening RCE Vulnerability

Security researchers at Wiz uncovered a remote code execution vulnerability affecting both GitHub.com and GitHub Enterprise Server. It has been assigned CVE-2026-3854 and carries a CVSS score of 8.7. That’s high.

Here’s the wild part: an attacker who already had an account on one of these GitHub deployments could trigger it with nothing more than a git push. That’s all it took, and not much stood in the way after that.

On GitHub.com, that meant code execution on shared storage nodes. On GitHub’s Enterprise Server, it meant full server compromise, including access to all hosted repositories and internal secrets.

GitHub (owned by Microsoft) patched it within six days of responsible disclosure. But the exposure window was real. Wiz called it one of the most critical SaaS vulnerabilities ever seen.

A New Ransomware Destroys Your Files Instead of Locking Them

VECT 2.0 ransomware has a serious bug. It wipes large files instead of encrypting them, so for those files recovery is impossible, even if you pay.

VECT 2.0 appeared in December 2025. In March 2026, the group announced a partnership with TeamPCP. They also partnered with BreachForums, offering every registered forum user access to the ransomware and negotiation platform.

Beazley Security analyzed the RaaS panel and found it covers the full operational lifecycle. From payload generation all the way through to payout.

AI Is Helping Hackers Deliver Malware

Threat actors are now slipping malware in through legitimate AI platforms. Acronis found more than 575 malicious “skills” across 13 developer accounts on Hugging Face and ClawHub.

The malware is not selective: it targets both Windows and macOS systems, and it comes in many variants, including cryptocurrency miners, trojans, and a macOS-focused infostealer called AMOS. The repositories serve as staging infrastructure, hosting both the payloads and the server endpoints used in multistep infection chains.

The trust people place in AI ecosystems is now being used against them.

Ransomware Attacks Getting Out of Hand

Fortinet reported 7,831 confirmed ransomware victims worldwide last year, up from about 1,600 recorded in 2024. That’s a year-over-year increase of nearly 400%.

Crime-as-a-service tools such as FraudGPT, WormGPT, and BruteForceAI contributed to this spike. The top targets were manufacturing firms, business services, and the retail sector. Of the total, 3,381 victims were in the US alone.

The Next Steps

Attackers strike as soon as a new vulnerability surfaces, so defenders have very little time to patch before things go wrong. That means acting quickly on each of these threats, and it is a tiring reality.

Audit your pipeline credentials to see whether anything has been compromised, and if you find something, rotate it immediately. Tighten SaaS access. And treat every routine login as a potential threat. The attackers aren’t waiting. Neither should you.


About the Author

Morgan Cipher


Senior Privacy Journalist

Morgan combines a journalist’s curiosity with a security specialist’s precision. His reporting on data breaches, privacy laws, and encryption tech has been featured in several tech publications. At TorWire, he focuses on real-world threats and how to counter them, always with an eye on what’s next in digital privacy.
