This morning’s theme is simple: if trusted plumbing gets poisoned, attackers do not need exotic tradecraft to win.
Top line: Three stories deserve immediate attention this morning: official SAP npm packages were backdoored to steal developer and CI secrets, cPanel and WHM pushed an emergency fix for a critical authentication bypass, and Linux maintainers are racing to patch the new Copy Fail privilege-escalation flaw.
Four official SAP npm packages tied to the Cloud Application Programming Model and Cloud MTA were modified with a malicious preinstall chain. According to reporting from BleepingComputer, Aikido, and Socket, the payload pulls in Bun, runs an obfuscated stealer, and hunts for GitHub tokens, npm tokens, SSH keys, cloud credentials, Kubernetes secrets, and CI/CD environment variables. Worse, it reportedly scrapes runner memory directly and tries to self-propagate using whatever tokens it steals.
cPanel and WHM shipped an emergency update for CVE-2026-41940, a 9.8-severity authentication bypass affecting all but the newest supported builds. Namecheap temporarily blocked access to the exposed management ports before patches were available, which tells you how seriously providers took this. If an attacker lands in cPanel they get websites, mail, databases, and config files; if they land in WHM they can own the whole hosting server and every tenant hanging off it.
The Register reports that the new Copy Fail flaw, CVE-2026-31431, lets an unprivileged local user write four controlled bytes into the page cache of any readable file and turn that into root. The proof-of-concept is tiny, the technique avoids classic filesystem-event tripwires, and the impact spreads beyond laptops: shared-kernel containers, CI runners, and multi-tenant Linux boxes are exactly where this kind of local privilege escalation becomes a real external risk after any initial foothold.
Start with the software supply chain, then close exposed hosting control planes, then patch Linux privilege boundaries where attackers can already execute code. The common failure here is blind trust in infrastructure everybody assumes is already safe.