Executive Summary
The past 24 hours have seen a significant elevation in threat activity across three primary vectors: a critical authentication bypass actively exploited in cPanel & WHM hosting infrastructure (CVE-2026-41940, CVSS 9.8), sustained North Korean supply chain operations via npm (PromptMink / Famous Chollima), and continued high-tempo ransomware activity led by Qilin. The cPanel zero-day represents the most urgent risk given its reach across shared hosting environments globally. Security teams should prioritise patching, hunting for session artefacts, and reviewing npm dependency trees in CI/CD pipelines.
Threat 1: CVE-2026-41940 — cPanel & WHM Authentication Bypass (CRITICAL)
CVSS Score: 9.8 | CISA KEV: Added 2026-04-30 | Federal Patch Deadline: 2026-05-21
A carriage return line feed (CRLF) injection flaw in the login and session-loading flow of WebPros cPanel & WHM allows an unauthenticated remote attacker to bypass authentication and obtain root-level access to WHM. The vulnerability resides in the cpsrvd daemon. By manipulating the whostmgrsession cookie and injecting CRLF sequences into the Basic Authentication password field, an attacker creates a malformed session file on disk that the server subsequently reads — interpreting injected user=root properties and granting full administrative access without any valid credentials.
Active exploitation was confirmed as early as 2026-02-23, making this a true zero-day in the wild for several months before patch release.
Affected Versions: cPanel & WHM all versions after v11.40; WP Squared v136.1.7 and below.
Patch: Apply latest cPanel & WHM update immediately via upcp.
Key TTPs: T1190 Exploit Public-Facing Application, T1068 Exploitation for Privilege Escalation, T1136/T1098.004 Create Account/SSH Authorized Keys, T1003 OS Credential Dumping
IOCs — cPanel CVE-2026-41940
File Artefacts (high confidence):
/var/cpanel/sessions/raw/* containing token_denied=1
Session file containing cp_security_token injected pre-auth
Session file containing user=root without valid auth flow
Log Patterns:
Multi-line values in HTTP Basic Auth password field in WHM logs (CRLF injection)
WHM access log: successful root auth with no prior valid credential entry
Vendor Detection Script:
ioc_checksessions_files.sh — run on all cPanel/WHM servers
CRITICAL or WARNING verdicts indicate compromise
Emergency Remediation (if compromised):
1. Purge /var/cpanel/sessions/ directory
2. Force password reset for root and all WHM users
3. Audit /var/log/wtmp and WHM access logs
4. Hunt for rogue cron entries, planted SSH keys, backdoor scripts
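The following Python model, added here as an illustration and not cPanel's code nor the vendor's ioc_checksessions_files.sh, shows why a CRLF in a single credential field turns into extra session properties, how a naive last-key-wins reader then honours an injected user=root, and how the session-file artefacts listed above can be triaged. The one-property-per-line layout, the field names and the CRITICAL/WARNING thresholds are assumptions; the real cpsrvd on-disk format is not described in this brief.

```python
import re
from typing import Dict

# Assumed layout: one key=value property per line; the last value written for a
# key wins. cPanel's real cpsrvd session format is not reproduced here.
CONTROL_CHARS = re.compile(r"[\r\n\x00]")

# Constructed attacker password field: the CRLF sequences terminate the 'pass'
# line and smuggle two extra properties into the record.
INJECTED_PASSWORD = "x\r\nuser=root\r\ncp_security_token=deadbeef"


def write_session_vulnerable(session_id: str, user: str, password: str) -> str:
    """Records a pending login without sanitising the password field.
    token_denied=1 marks the record as not yet authenticated."""
    return (f"session={session_id}\n"
            f"user={user}\n"
            f"pass={password}\n"
            "token_denied=1\n")


def write_session_hardened(session_id: str, user: str, password: str) -> str:
    """Same record, but refuses any control character in caller-supplied
    fields so one field can never become several properties."""
    for field in (session_id, user, password):
        if CONTROL_CHARS.search(field):
            raise ValueError("control character in session field")
    return write_session_vulnerable(session_id, user, password)


def load_session(record: str) -> Dict[str, str]:
    """Naive reader, last occurrence of a key wins: exactly the behaviour a
    trailing injected 'user=root' line relies on."""
    props: Dict[str, str] = {}
    for line in record.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def triage_session(record: str) -> str:
    """Verdict modelled on the vendor script's output, built from the brief's
    artefacts: a pre-auth record (token_denied=1) that also carries a security
    token and user=root is CRITICAL; raw CR bytes, a duplicated user property
    or a pre-auth token on its own are WARNING."""
    props = load_session(record)
    pre_auth = props.get("token_denied") == "1"
    has_token = "cp_security_token" in props
    user_lines = sum(1 for line in record.splitlines() if line.startswith("user="))
    if pre_auth and has_token and props.get("user") == "root":
        return "CRITICAL"
    if "\r" in record or user_lines > 1 or (pre_auth and has_token):
        return "WARNING"
    return "OK"


def scan_sessions(records: Dict[str, str]) -> Dict[str, str]:
    """Maps session file name -> verdict; records is {path: contents} as read
    from /var/cpanel/sessions/raw/."""
    return {path: triage_session(body) for path, body in records.items()}


if __name__ == "__main__":
    benign = write_session_vulnerable("s1", "alice", "hunter2")
    hostile = write_session_vulnerable("s2", "alice", INJECTED_PASSWORD)
    for name, verdict in scan_sessions({"s1": benign, "s2": hostile}).items():
        print(name, verdict)
    try:
        write_session_hardened("s3", "alice", INJECTED_PASSWORD)
    except ValueError as exc:
        print("hardened writer rejected the login:", exc)
```

The fix that matters is the one in write_session_hardened: reject (or strictly encode) CR, LF and NUL in every attacker-controlled field before it reaches a line-oriented store, rather than trying to make the reader suspicious of duplicate keys.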
Threat 2: PromptMink / Famous Chollima — DPRK npm Supply Chain Operation
Threat Actor: Famous Chollima (aka Shifty Corsair) — DPRK-linked, Contagious Interview cluster
Active Window: February — May 2026 (ongoing)
North Korean threat actors have evolved their supply chain operations by weaponising AI-assisted code commits to insert malicious npm dependencies into open-source crypto trading projects. The campaign (codenamed PromptMink by ReversingLabs) uses a deliberate two-layer package structure: a legitimate-looking bait package introduces a second, disposable malicious payload package that exfiltrates secrets, crypto wallet credentials, SSH keys, and entire project source trees.
Attack Chain:
- Threat actor submits a pull request (AI co-authored via LLM) to a target npm project
- PR adds @solana-launchpad/sdk as an ostensibly legitimate dependency
- @solana-launchpad/sdk silently imports @validate-sdk/v2, the actual malicious payload
- On execution, @validate-sdk/v2 exfiltrates .env files, .json configs, crypto wallet seeds, and system metadata
- In Rust-based variants (March 2026+): full project source trees exfiltrated; attacker SSH keys planted for persistence
C2 Infrastructure: Primary Vercel exfil endpoint: ipfs-url-validator.vercel.app; Dead-drop resolver: Pastebin with character-level steganography (tracked as StegaBin by Socket.dev)
Key TTPs: T1195.001 Supply Chain Compromise, T1059.007 Node.js, T1098.004 SSH Authorized Keys, T1555 Credentials from Password Stores, T1041 Exfiltration over C2, T1102 Web Service C2
IOCs — PromptMink / Famous Chollima
Malicious npm Packages:
@validate-sdk/v2 (malicious payload)
@solana-launchpad/sdk (bait/dropper)
openpaw-graveyard (compromised project)
C2 Infrastructure:
ipfs-url-validator.vercel.app (Vercel exfil endpoint)
Pastebin.com (StegaBin dead-drop C2 resolver)
File Hash:
da1775d0fbe99fbc35b6f0b4a3a3cb84da3ca1b2c1bbac0842317f6f804e30a4
(shared malicious file across 26 StegaBin packages)
Behaviours:
.env and .json files accessed by Node process unexpectedly
Unexpected entries in ~/.ssh/authorized_keys added by Node process
Vercel-hosted subdomains accessed by non-browser processes
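The two-layer package structure described in the attack chain above means a lockfile scan has to answer not just "is the payload present" but "which package pulled it in". The script below is an added example, not ReversingLabs' or Socket's tooling: it audits an npm lockfile (v2/v3 "packages" map) for the IOC package names, reconstructs the importer edges that npm's hoisting hides from the directory key, and flags install scripts. The sample lockfile, its versions and tarball URLs are constructed for illustration.

```python
import json
import sys
from typing import Dict, List

# Package names from the IOC list above.
MALICIOUS_PACKAGES = {
    "@validate-sdk/v2": "malicious payload",
    "@solana-launchpad/sdk": "bait/dropper",
    "openpaw-graveyard": "compromised project",
}

# Constructed lockfile (v3 'packages' map) for a hypothetical trading bot that
# merged the bait PR; versions and tarball URLs are invented for illustration.
SAMPLE_LOCK = json.loads("""
{
  "name": "trading-bot",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "trading-bot",
         "dependencies": {"@solana-launchpad/sdk": "^1.0.0", "express": "^4.18.0"}},
    "node_modules/express": {"version": "4.18.2",
         "resolved": "https://registry.npmjs.org/express/-/express-4.18.2.tgz"},
    "node_modules/@solana-launchpad/sdk": {"version": "1.0.3",
         "resolved": "https://registry.npmjs.org/@solana-launchpad/sdk/-/sdk-1.0.3.tgz",
         "dependencies": {"@validate-sdk/v2": "^2.0.1"}},
    "node_modules/@validate-sdk/v2": {"version": "2.0.1",
         "resolved": "https://registry.npmjs.org/@validate-sdk/v2/-/v2-2.0.1.tgz",
         "hasInstallScript": true}
  }
}
""")


def package_name(lock_key: str) -> str:
    """'node_modules/a/node_modules/@s/b' -> '@s/b'; the root key '' -> '<root>'."""
    if not lock_key:
        return "<root>"
    return lock_key.rsplit("node_modules/", 1)[-1]


def audit_lockfile(lock: dict) -> Dict[str, dict]:
    """Returns {package: finding} for every IOC package installed by the lockfile."""
    if lock.get("lockfileVersion", 0) < 2:
        raise ValueError("lockfileVersion 1 has no 'packages' map; regenerate with npm install")
    packages = lock.get("packages", {})
    # Reverse edges: which packages declare a dependency on each name. npm
    # hoists transitive deps to top-level node_modules/, so the directory key
    # alone does not reveal who pulled the payload in.
    importers: Dict[str, List[str]] = {}
    for key, entry in packages.items():
        for dep in entry.get("dependencies", {}):
            importers.setdefault(dep, []).append(package_name(key))
    findings: Dict[str, dict] = {}
    for key, entry in packages.items():
        name = package_name(key)
        if name in MALICIOUS_PACKAGES:
            findings[name] = {
                "role": MALICIOUS_PACKAGES[name],
                "version": entry.get("version"),
                "imported_by": sorted(importers.get(name, [])),
                "install_script": bool(entry.get("hasInstallScript", False)),
            }
    return findings


if __name__ == "__main__":
    # Usage: python audit_lock.py [path/to/package-lock.json]; defaults to the sample.
    lock = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LOCK
    for name, info in audit_lockfile(lock).items():
        print(f"{name} ({info['role']}) v{info['version']} "
              f"imported by {info['imported_by']} install_script={info['install_script']}")
```

Run it against every package-lock.json in CI checkouts and developer home directories, not only the repository root: the bait package is the one a reviewer approved, so a hit on @solana-launchpad/sdk with "<root>" as the importer points at the merged PR, while a hit on @validate-sdk/v2 imported by the bait confirms the second layer was resolved and installed.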
Threat 3: CVE-2026-5281 — Google Chrome WebGPU Use-After-Free (Zero-Day)
CVSS: High (Use-After-Free, CWE-416) | Status: Patched; CISA KEV added 2026-04-01; FCEB deadline 2026-04-15
A use-after-free vulnerability in Dawn — Chromium's WebGPU abstraction layer — allows an attacker who has already compromised the browser renderer process to achieve sandbox escape and execute arbitrary code with elevated privileges. Exploitation requires chaining with a renderer compromise via malicious JavaScript on an attacker-controlled page.
Affected Versions: Chrome below 146.0.7680.178 (Windows/macOS) or 146.0.7680.177 (Linux). All Chromium-based browsers using the vulnerable Dawn component.
Key TTPs: T1189 Drive-by Compromise, T1203 Exploitation for Client Execution, T1068 Privilege Escalation, T1055 Process Injection (via sandbox escape)
Threat 4: Ransomware Activity — Qilin Leads 24-Hour Surge
Qilin ransomware claimed 11 victims in the past 24-hour window, making it the most prolific actor. Akira, CoinbaseCartel, and The_Gentleman each claimed 4 victims. Confirmed new victim: Jayeff Construction (posted 2026-05-01). Threat actors are increasingly abandoning encryption in favour of data-theft-only extortion, which reduces operational complexity while retaining leverage. Roughly half of the posted victims are US-based.
IOCs — Qilin Ransomware
Behaviours:
vssadmin delete shadows /all /quiet (pre-encryption VSS deletion)
SMB lateral movement fan-out (>5 unique targets in 5 min)
Large outbound transfer (>100MB) to public IP before encryption
wmic.exe and powershell.exe rapid invocation from unusual parent
File / Registry Indicators:
.qilin extension on encrypted files
Ransom note keys under HKLM\SOFTWARE\
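The behaviours above only become high-fidelity when correlated: a backup administrator resizes shadow storage, and an inventory script fans out over SMB, but rarely does the same host do both within half an hour. The Python below is an added example (not Qilin tooling and not the Sentinel rule itself) that runs that correlation, the same logic Rule 4.5 expresses in KQL, over constructed process and network telemetry so the logic can be exercised offline. Device names, IPs and timestamps are invented.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Recovery-inhibition command fragments (T1490), compared case-insensitively.
VSS_MARKERS = ("delete shadows", "shadowcopy delete", "resize shadowstorage",
               "bcdedit /set {default} recoveryenabled no", "wbadmin delete catalog")
# Admin tooling commonly driving SMB fan-out (T1021.002).
ADMIN_TOOLS = {"powershell.exe", "cmd.exe", "wmic.exe", "net.exe", "psexec.exe", "psexec64.exe"}


def ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed telemetry: WS-0417 shows the full chain; WS-0099 is a lone backup-admin
# shadow-storage resize; WS-0200 is an admin script fanning out over SMB with no
# recovery tampering. Only WS-0417 should alert.
PROCESS_EVENTS = [
    {"time": ts("2026-05-01T14:20:00"), "device": "WS-0417", "process": "vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"time": ts("2026-05-01T15:00:00"), "device": "WS-0099", "process": "vssadmin.exe",
     "cmdline": "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=20GB"},
]
NETWORK_EVENTS = [
    {"time": ts(f"2026-05-01T14:0{i}:00"), "device": "WS-0417", "process": "powershell.exe",
     "remote_ip": f"10.0.5.{20 + i}", "remote_port": 445} for i in range(1, 6)
] + [
    {"time": ts(f"2026-05-01T09:1{i}:00"), "device": "WS-0200", "process": "powershell.exe",
     "remote_ip": f"10.0.9.{i}", "remote_port": 445} for i in range(0, 5)
]


def find_recovery_tampering(process_events: List[dict]) -> List[Tuple[str, datetime]]:
    """(device, time) for every process whose command line inhibits recovery."""
    return [(e["device"], e["time"]) for e in process_events
            if any(m in e["cmdline"].lower() for m in VSS_MARKERS)]


def smb_fanout(network_events: List[dict], bin_minutes: int = 10,
               threshold: int = 3) -> Dict[Tuple[str, datetime], Set[str]]:
    """Distinct 445/tcp targets per (device, time bin) from admin tooling,
    keeping only bins above the fan-out threshold."""
    buckets: Dict[Tuple[str, datetime], Set[str]] = {}
    for e in network_events:
        if e["remote_port"] != 445 or e["process"].lower() not in ADMIN_TOOLS:
            continue
        start = e["time"].replace(minute=e["time"].minute // bin_minutes * bin_minutes,
                                  second=0, microsecond=0)
        buckets.setdefault((e["device"], start), set()).add(e["remote_ip"])
    return {k: v for k, v in buckets.items() if len(v) > threshold}


def correlate(process_events: List[dict], network_events: List[dict],
              max_gap: timedelta = timedelta(minutes=30)) -> List[dict]:
    """Alert when recovery tampering and SMB fan-out hit the same device
    within max_gap of each other, in either order."""
    alerts = []
    fanout = smb_fanout(network_events)
    for device, vss_time in find_recovery_tampering(process_events):
        for (dev, bin_start), targets in fanout.items():
            if dev == device and abs(vss_time - bin_start) < max_gap:
                alerts.append({"device": device, "vss_time": vss_time,
                               "smb_bin": bin_start, "targets": sorted(targets)})
    return alerts


if __name__ == "__main__":
    for alert in correlate(PROCESS_EVENTS, NETWORK_EVENTS):
        print(alert)
```

Because the data-theft-first model means encryption (and therefore shadow-copy deletion) may never come, treat the fan-out half of this chain as an alert in its own right when it follows a large outbound transfer, and keep the VSS leg as the confirmation that encryption is imminent.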
Threat 5: CVE-2026-42208 — LiteLLM SQL Injection (Critical)
CVSS: 9.3 | Status: Active exploitation
An unauthenticated SQL injection in the LiteLLM open-source LLM proxy gateway allows attackers to craft malicious Authorization headers that modify the underlying proxy database, exposing sensitive model configurations, API keys, and user data. Threat actors are targeting AI infrastructure gateways as organisations rapidly deploy LLM tooling without hardening.
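To make the bug class concrete, the example below (added here; it is a generic illustration and does not reproduce LiteLLM's code, schema or the specific CVE-2026-42208 query) builds an in-memory virtual-key table, looks a bearer token up by string interpolation versus by bound parameter, and runs two constructed hostile Authorization headers through both: a tautology that authenticates as whichever key comes first, and a UNION that returns every tenant's key in place of the owner column. Table and column names are assumptions.

```python
import sqlite3
from typing import List, Optional, Tuple

# Constructed hostile headers.
BYPASS = "Bearer ' OR '1'='1"  # tautology: authenticates as the first key owner
LEAK = "Bearer x' UNION SELECT token, owner FROM virtual_keys --"  # returns all keys


def make_db() -> sqlite3.Connection:
    """Stand-in for a proxy's virtual-key store; rows are constructed samples."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE virtual_keys (token TEXT PRIMARY KEY, owner TEXT, models TEXT)")
    conn.execute("INSERT INTO virtual_keys VALUES ('sk-abc123', 'team-a', 'gpt-4o')")
    conn.execute("INSERT INTO virtual_keys VALUES ('sk-def456', 'team-b', 'claude-3-5')")
    conn.commit()
    return conn


def bearer_token(auth_header: str) -> str:
    """Extracts the credential from 'Authorization: Bearer <key>'."""
    scheme, _, token = auth_header.strip().partition(" ")
    if scheme.lower() != "bearer" or not token:
        raise ValueError("expected 'Authorization: Bearer <key>'")
    return token


def lookup_vulnerable(conn: sqlite3.Connection, auth_header: str) -> List[Tuple[str, str]]:
    """Interpolates the header straight into SQL: the bug class behind the CVE."""
    token = bearer_token(auth_header)
    sql = f"SELECT owner, models FROM virtual_keys WHERE token = '{token}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, auth_header: str) -> List[Tuple[str, str]]:
    """Bound parameter: the token is data, never SQL, whatever bytes it holds."""
    token = bearer_token(auth_header)
    return conn.execute("SELECT owner, models FROM virtual_keys WHERE token = ?",
                        (token,)).fetchall()


def authenticate(conn: sqlite3.Connection, auth_header: str,
                 lookup=lookup_hardened) -> Optional[str]:
    """Returns the key owner the proxy would act as, or None when rejected."""
    rows = lookup(conn, auth_header)
    return rows[0][0] if rows else None


if __name__ == "__main__":
    db = make_db()
    for header in ("Bearer sk-abc123", BYPASS, LEAK):
        print(repr(header))
        print("  vulnerable:", lookup_vulnerable(db, header))
        print("  hardened:  ", lookup_hardened(db, header))
```

Driver behaviour differs on stacked statements (sqlite3's execute() refuses a second statement, so a "'; DROP" payload errors out here where another driver might run it), which is why the fix is parameter binding at every query site rather than relying on the driver, and why the 3.5 hunting query below looks for the whole family of patterns rather than one.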
KQL Hunting Queries
3.1 CVE-2026-41940 — cPanel CRLF Injection Hunting
// Hunt: CRLF injection attempts against cPanel/WHM login endpoints
CommonSecurityLog
| where TimeGenerated > ago(24h)
| where DeviceProduct has_any ("Apache", "nginx", "cpsrvd")
| where RequestURL has_any ("/login/", "/cgi-sys/", "/whostmgr/", "cpaneld")
| where RequestContext has_any ("%0d%0a", "%0D%0A", "\\r\\n", "token_denied", "cp_security_token")
or AdditionalExtensions has_any ("CRLF", "token_denied=1")
| project TimeGenerated, SourceIP, DestinationIP, RequestURL, RequestContext, AdditionalExtensions
| order by TimeGenerated desc
// Hunt: Root WHM sessions without matching valid credential entry
WHMAccessLogs_CL
| where TimeGenerated > ago(24h)
| where RawData has "user=root"
| where RawData !has "password_ok=1"
| where RawData has_any ("token_denied=1", "cp_security_token")
| project TimeGenerated, RawData
| order by TimeGenerated desc
3.2 PromptMink / Famous Chollima npm Supply Chain Hunting
// Hunt: Execution of known malicious npm packages
DeviceProcessEvents
| where TimeGenerated > ago(24h)
| where FileName in~ ("node.exe", "node")
| where ProcessCommandLine has_any (
"@validate-sdk/v2",
"@solana-launchpad/sdk",
"openpaw-graveyard",
"validate-sdk"
)
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName
| order by TimeGenerated desc
// Hunt: Network connections to known PromptMink C2 infrastructure
DeviceNetworkEvents
| where TimeGenerated > ago(24h)
| where RemoteUrl has_any (
"ipfs-url-validator.vercel.app",
"pastebin.com"
)
| where InitiatingProcessFileName in~ ("node.exe", "node", "python.exe", "python3")
| project TimeGenerated, DeviceName, RemoteUrl, RemoteIP, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by TimeGenerated desc
// Hunt: .env / .json files touched by Node processes outside node_modules
// DeviceFileEvents records create/modify/rename/delete, not plain reads, so this surfaces
// staging copies rather than the read itself; pair it with the C2 network hunt above
DeviceFileEvents
| where TimeGenerated > ago(24h)
| where InitiatingProcessFileName in~ ("node.exe", "node")
| where FileName =~ ".env" or FileName endswith ".env" or FileName endswith ".json"
| where FolderPath !has "node_modules"
| project TimeGenerated, DeviceName, FolderPath, FileName, ActionType, InitiatingProcessCommandLine, AccountName
| order by TimeGenerated desc
// Hunt: SSH authorized_keys modification by Node/npm processes
DeviceFileEvents
| where TimeGenerated > ago(24h)
| where FileName == "authorized_keys"
| where FolderPath has ".ssh"
| where InitiatingProcessFileName in~ ("node.exe", "node", "npm", "npm.cmd")
| project TimeGenerated, DeviceName, FolderPath, ActionType, InitiatingProcessFileName, InitiatingProcessCommandLine, AccountName
| order by TimeGenerated desc
// Hunt: Known PromptMink StegaBin file hash
DeviceFileEvents
| where TimeGenerated > ago(24h)
| where SHA256 == "da1775d0fbe99fbc35b6f0b4a3a3cb84da3ca1b2c1bbac0842317f6f804e30a4"
| project TimeGenerated, DeviceName, FileName, FolderPath, ActionType, SHA256, InitiatingProcessCommandLine
| order by TimeGenerated desc
3.3 Chrome CVE-2026-5281 — WebGPU Zero-Day Hunting
// Hunt: Chrome sandbox escape: a renderer process spawning any child
// A sandboxed renderer (--type=renderer) should never create processes. The renderer is the
// parent here, so its command line is InitiatingProcessCommandLine in DeviceProcessEvents
DeviceProcessEvents
| where TimeGenerated > ago(24h)
| where InitiatingProcessFileName =~ "chrome.exe"
| where InitiatingProcessCommandLine has "--type=renderer"
| where FileName !in~ ("chrome.exe", "crashpad_handler.exe", "elevation_service.exe", "chrome_crashpad_handler.exe")
| project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessCommandLine
| order by TimeGenerated desc
// Hunt: Unpatched Chrome versions (device inventory)
// parse_version() gives numeric ordering; a plain string comparison would rank "99.x" above "146.x"
// and "146.0.7680.1000" below "146.0.7680.177". Fixed build differs by platform (see Affected Versions)
DeviceTvmSoftwareInventory
| where TimeGenerated > ago(24h)
| where SoftwareName =~ "chrome"
| extend FixedVersion = iff(OSPlatform has "Linux", "146.0.7680.177", "146.0.7680.178")
| extend VersionNum = parse_version(SoftwareVersion)
| where VersionNum < parse_version(FixedVersion)
| project DeviceName, SoftwareName, SoftwareVersion, FixedVersion, OSPlatform, VersionNum
| order by VersionNum asc
// Hunt: Bursts of Chrome renderer creation (weak signal of exploitation probing)
// Crashed renderers are respawned, so a burst of renderer launches stands in for crash
// telemetry; process creation lives in DeviceProcessEvents. Normal browsing also spawns
// many renderers, so baseline the threshold per environment before alerting on it
DeviceProcessEvents
| where TimeGenerated > ago(24h)
| where FileName =~ "chrome.exe"
| where ProcessCommandLine has "--type=renderer"
| summarize RendererSpawns = count() by DeviceName, bin(TimeGenerated, 5m)
| where RendererSpawns > 10
| order by RendererSpawns desc
3.4 Qilin Ransomware Hunting
// Hunt: VSS deletion — pre-encryption staging
DeviceProcessEvents
| where TimeGenerated > ago(24h)
| where FileName in~ ("vssadmin.exe", "wmic.exe", "powershell.exe", "cmd.exe")
| where ProcessCommandLine has_any (
"delete shadows",
"shadowcopy delete",
"resize shadowstorage",
"bcdedit /set {default} recoveryenabled No",
"wbadmin delete catalog"
)
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName
| order by TimeGenerated desc
// Hunt: Qilin lateral movement via SMB admin shares
DeviceNetworkEvents
| where TimeGenerated > ago(24h)
| where RemotePort == 445
| where InitiatingProcessFileName in~ ("powershell.exe", "cmd.exe", "wmic.exe", "net.exe", "psexec.exe", "psexec64.exe")
| summarize TargetCount = dcount(RemoteIP) by DeviceName, InitiatingProcessFileName, bin(TimeGenerated, 5m)
| where TargetCount > 5
| order by TargetCount desc
// Hunt: Large outbound transfers preceding encryption (data-theft-first TTP)
// DeviceNetworkEvents carries no byte counts, so volume has to come from firewall/proxy
// telemetry in CommonSecurityLog; pivot a hit's SourceIP, DestinationIP and time window back
// into DeviceNetworkEvents to recover the initiating process and exclude browsers/sync clients
CommonSecurityLog
| where TimeGenerated > ago(24h)
| where SentBytes > 104857600
| where isnotempty(DestinationIP) and not(ipv4_is_private(DestinationIP))
| summarize TotalSentBytes = sum(SentBytes), Flows = count() by SourceIP, DestinationIP, bin(TimeGenerated, 1h)
| order by TotalSentBytes desc
// Hunt: .qilin file extension creation (post-encryption confirmation)
DeviceFileEvents
| where TimeGenerated > ago(24h)
| where FileName endswith ".qilin"
| project TimeGenerated, DeviceName, FolderPath, FileName, ActionType, InitiatingProcessFileName
| order by TimeGenerated desc
3.5 LiteLLM CVE-2026-42208 — SQL Injection Hunting
// Hunt: SQL injection patterns in LiteLLM proxy Authorization headers
CommonSecurityLog
| where TimeGenerated > ago(24h)
| where DestinationPort in (4000, 8000, 8080, 443)
| where RequestURL has_any ("/chat/completions", "/completions", "/v1/")
| where AdditionalExtensions has_any (
"' OR ",
"' AND ",
"UNION SELECT",
"'; DROP",
"-- ",
"/*",
"xp_cmdshell",
"SLEEP(",
"WAITFOR DELAY"
)
| project TimeGenerated, SourceIP, DestinationIP, RequestURL, AdditionalExtensions
| order by TimeGenerated desc
Detection Rules (Sentinel Analytics Rules)
Rule 4.1 — cPanel Authentication Bypass Attempt (CVE-2026-41940)
Severity: Critical | MITRE: T1190, T1068 | Frequency: Every 5 minutes | Fidelity: HIGH
// Rule: CRIT — cPanel WHM CRLF Authentication Bypass Attempt (CVE-2026-41940)
CommonSecurityLog
| where TimeGenerated > ago(1h)
| where RequestURL has_any ("/login/", "/cgi-sys/", "/whostmgr/")
| where RequestContext has_any ("%0d%0a", "%0D%0A", "token_denied", "cp_security_token")
or AdditionalExtensions has "token_denied=1"
| extend Severity = "Critical"
| extend MITRE_Technique = "T1190 — Exploit Public-Facing Application"
| project TimeGenerated, SourceIP, DestinationIP, RequestURL, RequestContext, AdditionalExtensions, Severity, MITRE_Technique
| order by TimeGenerated desc
Rule 4.2 — PromptMink C2 Beacon Detection (Famous Chollima)
Severity: High | MITRE: T1102, T1041, T1195.001 | Frequency: Every 15 minutes | Fidelity: HIGH
// Rule: HIGH — PromptMink C2 Beaconing to Known DPRK Infrastructure
DeviceNetworkEvents
| where TimeGenerated > ago(1h)
| where RemoteUrl has "ipfs-url-validator.vercel.app"
| where InitiatingProcessFileName in~ ("node.exe", "node", "python.exe", "python3")
| extend Severity = "High"
| extend MITRE_Technique = "T1102 — Web Service C2 | T1041 — Exfiltration over C2"
| extend ThreatActor = "Famous Chollima (DPRK)"
| project TimeGenerated, DeviceName, AccountName, RemoteUrl, RemoteIP, InitiatingProcessFileName, Severity, MITRE_Technique, ThreatActor
Rule 4.3 — Malicious npm Package Hash Match (StegaBin / PromptMink)
Severity: Critical | MITRE: T1195.001, T1059.007 | Fidelity: VERY HIGH — zero expected false positives
// Rule: CRIT — Known Malicious npm File Hash Detected (PromptMink StegaBin)
DeviceFileEvents
| where TimeGenerated > ago(24h)
| where SHA256 == "da1775d0fbe99fbc35b6f0b4a3a3cb84da3ca1b2c1bbac0842317f6f804e30a4"
| extend Severity = "Critical"
| extend ThreatFamily = "PromptMink"
| extend ThreatActor = "Famous Chollima (DPRK)"
| extend MITRE_Technique = "T1195.001 — Supply Chain Compromise"
| project TimeGenerated, DeviceName, AccountName, FileName, FolderPath, ActionType, SHA256, Severity, ThreatFamily, ThreatActor, MITRE_Technique
Rule 4.4 — Chrome Sandbox Escape Post-WebGPU Exploitation (CVE-2026-5281)
Severity: High | MITRE: T1203, T1068, T1055 | Frequency: Every 5 minutes | Fidelity: HIGH
// Rule: HIGH — Chrome Renderer Spawning Unexpected Child Process (CVE-2026-5281)
// The renderer is the parent of the suspicious process, so match on the InitiatingProcess* columns
DeviceProcessEvents
| where TimeGenerated > ago(30m)
| where InitiatingProcessFileName =~ "chrome.exe"
| where InitiatingProcessCommandLine has "--type=renderer"
| where FileName !in~ (
"chrome.exe",
"crashpad_handler.exe",
"elevation_service.exe",
"chrome_crashpad_handler.exe"
)
| extend Severity = "High"
| extend CVE = "CVE-2026-5281"
| extend MITRE_Technique = "T1203 — Exploitation for Client Execution | T1068 — Privilege Escalation"
| project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessCommandLine, Severity, CVE, MITRE_Technique
Rule 4.5 — Qilin Ransomware Pre-Encryption Indicator Chain
Severity: Critical | MITRE: T1490, T1021.002, T1486 | Fidelity: VERY HIGH
// Rule: CRIT — Ransomware Pre-Encryption Activity Chain (VSS + SMB Lateral Movement)
let VSSEvents = DeviceProcessEvents
| where TimeGenerated > ago(1h)
| where ProcessCommandLine has_any ("delete shadows", "shadowcopy delete", "bcdedit /set {default} recoveryenabled")
| project DeviceName, VSSTime = TimeGenerated;
let SMBMovement = DeviceNetworkEvents
| where TimeGenerated > ago(1h)
| where RemotePort == 445
| where InitiatingProcessFileName in~ ("powershell.exe", "cmd.exe", "wmic.exe", "net.exe")
| summarize TargetCount = dcount(RemoteIP) by DeviceName, SMBTime = bin(TimeGenerated, 10m)
| where TargetCount > 3;
VSSEvents
| join kind=inner SMBMovement on DeviceName
| where abs(datetime_diff("minute", VSSTime, SMBTime)) < 30
| extend Severity = "Critical"
| extend ThreatFamily = "Qilin Ransomware"
| extend MITRE_Technique = "T1490 — Inhibit System Recovery | T1021.002 — SMB/Admin Shares | T1486 — Data Encrypted for Impact"
| project VSSTime, SMBTime, DeviceName, TargetCount, Severity, ThreatFamily, MITRE_Technique
Recommended Actions (Priority Order)
- IMMEDIATE (0-4 hrs): Patch all cPanel/WHM servers via upcp. Run ioc_checksessions_files.sh on all instances. Isolate any returning CRITICAL verdicts.
- IMMEDIATE (0-4 hrs): Push Chrome update 146.0.7680.178+ (Win/Mac) / 146.0.7680.177+ (Linux) via MDM/GPO to all endpoints.
- SHORT-TERM (4-24 hrs): Audit all CI/CD pipelines and developer machines for @validate-sdk/v2, @solana-launchpad/sdk, and openpaw-graveyard in package trees. Block ipfs-url-validator.vercel.app at proxy/DNS.
- SHORT-TERM (4-24 hrs): Deploy Sentinel analytics rules 4.1 through 4.5 from Section 4. Validate alert pipelines are firing.
- SHORT-TERM (4-24 hrs): Restrict external access to LiteLLM proxy endpoints. Apply patches for CVE-2026-42208.
- MEDIUM-TERM (24-72 hrs): Run all hunting queries over a 7-day historical window. Brief SOC on Qilin data-theft-first model; update ransomware IR playbooks.
Sources: CISA KEV — CVE-2026-41940 | watchTowr Labs — cPanel Analysis | Help Net Security — cPanel | Rapid7 ETR — CVE-2026-41940 | ReversingLabs — PromptMink | The Hacker News — DPRK npm | Socket.dev — StegaBin | SOCRadar — Chrome CVE-2026-5281 | Help Net Security — Chrome | PurpleOps Ransomware Tracker | CISA Known Exploited Vulnerabilities