← Back to Blog
Security Briefing4 min read2026-04-30

Security Briefing, April 30 2026: SAP npm Supply-Chain Backdoor, cPanel Auth Bypass, and Linux Copy Fail Root Bug

This morning’s theme is simple: if trusted plumbing gets poisoned, attackers do not need exotic tradecraft to win.


Top line: Three stories deserve immediate attention this morning: official SAP npm packages were backdoored to steal developer and CI secrets, cPanel and WHM pushed an emergency fix for a critical authentication bypass, and Linux maintainers are racing to patch the new Copy Fail privilege-escalation flaw.


1. The SAP npm compromise is a straight shot into developer and CI secrets

Four official SAP npm packages tied to the Cloud Application Programming Model and Cloud MTA were modified with a malicious preinstall chain. According to reporting from BleepingComputer, Aikido, and Socket, the payload pulls in Bun, runs an obfuscated stealer, and hunts for GitHub tokens, npm tokens, SSH keys, cloud credentials, Kubernetes secrets, and CI/CD environment variables. Worse, it reportedly scrapes runner memory directly and tries to self-propagate using whatever tokens it steals.


2. cPanel’s emergency auth-bypass patch is not optional maintenance

cPanel and WHM shipped an emergency update for CVE-2026-41940, a 9.8-severity authentication bypass affecting all but the newest supported builds. Namecheap temporarily blocked access to the exposed management ports before patches were available, which tells you how seriously providers took this. If an attacker lands in cPanel they get websites, mail, databases, and config files; if they land in WHM they can own the whole hosting server and every tenant hanging off it.


3. Copy Fail gives Linux attackers a brutally simple post-compromise root path

The Register reports that the new Copy Fail flaw, CVE-2026-31431, lets an unprivileged local user write four controlled bytes into the page cache of any readable file and turn that into root. The proof-of-concept is tiny, the technique avoids classic filesystem-event tripwires, and the impact spreads beyond laptops: shared-kernel containers, CI runners, and multi-tenant Linux boxes are exactly where this kind of local privilege escalation becomes a real external risk after any initial foothold.

What to do today

Start with the software supply chain, then close exposed hosting control planes, then patch Linux privilege boundaries where attackers can already execute code. The common failure here is blind trust in infrastructure everybody assumes is already safe.

Sources

  • BleepingComputer on compromised official SAP npm packages and follow-up research from Aikido and Socket.
  • BleepingComputer on cPanel/WHM CVE-2026-41940 and the emergency update guidance.
  • The Register on CVE-2026-31431 “Copy Fail,” with distro patch references from Debian, Ubuntu, SUSE, and Red Hat.