Executive Summary

The 48-hour coverage window ending 2026-05-05 23:59 UTC is characterised by simultaneous exploitation of a Linux kernel local privilege escalation flaw with a public 732-byte PoC, broad opportunistic abuse of a critical cPanel/WHM authentication bypass impacting approximately 1.5 million exposed servers, continued exploitation of three Windows Defender zero-days, and an escalating AI/ML-focused supply chain campaign attributed with moderate confidence to Team PCP (assessed as LAPSUS$-affiliated). Ransomware operators (Lynx) continue to target healthcare with double extortion. The combination of a race-free kernel write primitive that bypasses file permissions, authentication-free web exploits, and credential theft from AI tooling represents an exceptionally wide active-exploitation surface.

Priority actions:

Threat Level: CRITICAL

Threat Landscape Overview

| # | Threat Cluster | Severity | Target Sectors | Attribution | Status |
|---|---|---|---|---|---|
| 1 | CVE-2026-31431 "Copy Fail" Linux LPE | CRITICAL | All Linux environments — cloud, container, CI/CD, telco | n/a (generic exploitation) | Active — CISA KEV • Deadline May 15 |
| 2 | CVE-2026-41940 cPanel/WHM Auth Bypass | CRITICAL | Hosting providers, MSPs, government (Philippines, Laos), defence | Unknown APT (opportunistic + targeted) | Active — 1.5M exposed servers |
| 3 | BlueHammer / RedSun / UnDefend (Windows Defender zero-days) | HIGH | All Windows enterprise environments | "Nightmare-Eclipse" toolset | CVE-2026-33825 patched; RedSun & UnDefend unpatched • KEV deadline May 7 |
| 4 | Team PCP Supply Chain (PyTorch Lightning / LiteLLM) | HIGH | AI/ML developers, LLM operators, cloud-native dev teams | Team PCP (LAPSUS$-affiliated, moderate confidence) | Active — PyPI packages quarantined; CVE-2026-42208 ongoing |
| 5 | Lynx Ransomware Healthcare Campaign | HIGH | Healthcare, manufacturing, financial services | Lynx (INC Ransomware rebrand per Unit 42) | Active double-extortion |
| 6 | CVE-2026-32202 Windows Shell NTLM Hash Theft | MEDIUM | Windows enterprise, Active Directory | APT28-adjacent (moderate confidence) | Actively exploited • April 14 patch available |
| 7 | Iranian-Affiliated ICS/OT PLC Campaign | HIGH | US critical infrastructure — water, energy, manufacturing | Iran-affiliated (CISA/FBI joint advisory) | Ongoing since March 2026 |

Campaign Deep-Dives

1. CVE-2026-31431 "Copy Fail" — Linux Kernel Local Privilege Escalation

Actor: No confirmed attribution; exploitation observed from multiple unlinked clusters across cloud and container environments.
CVE: CVE-2026-31431 • CVSS 7.8
CISA KEV: Yes (added 2026-05-01) • Federal deadline: 2026-05-15

CVE-2026-31431, branded "Copy Fail" by Theori researchers, is a logic bug in the Linux kernel's authencesn cryptographic template within the algif_aead module. It allows any unprivileged local user to gain root in seconds via a deterministic, race-free write into the page cache of any readable setuid binary. Unlike Dirty Pipe (CVE-2022-0847), which required timing and was distribution-specific, Copy Fail is a straight-line logic flaw reproducible on every affected kernel without races or crash-prone windows.

The flaw traces to the kernel incorrectly setting req->src = req->dst and chaining tag pages from the source scatterlist into the output scatterlist via sg_chain(). When userspace feeds the socket via splice(), those tag pages reference the page cache of the spliced file. The authencesn(hmac(sha256),cbc(aes)) template then writes four bytes as Extended Sequence Number scratch space, but because the output scatterlist extends into chained page cache pages, those bytes land inside the spliced file's cached data in memory — bypassing all file permission checks.

An attacker can overwrite four bytes of the in-memory representation of a setuid binary (e.g., /usr/bin/sudo), injecting a shellcode stub or modifying the ELF header, then execute it to gain root. The modification is in-memory only, making it forensically stealthy. In shared cloud and container environments this allows container breakout and lateral movement across tenants.

Affected distributions: Ubuntu 24.04 LTS, RHEL 10.1, Amazon Linux 2023, Debian, Fedora, Arch Linux, SUSE 16, and all kernels shipped since 2017.

TTPs: T1068 (Exploitation for Privilege Escalation), T1055 (Process Injection), T1611 (Escape to Host), T1070.004 (Indicator Removal).

Immediate mitigations:

  1. Add install algif_aead /bin/false to /etc/modprobe.d/disable-algif.conf
  2. Run sudo modprobe -r algif_aead to unload the module
  3. Patch to kernel >= 6.18.22, 6.19.12, or 7.0+
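A host-side check for the three mitigation steps above, written as an added example (it is not code from the report or from Theori). It compares the running kernel against the fixed releases the report lists, checks whether algif_aead is currently loaded, and checks whether the modprobe install directive is in place. Assumptions: the fixed versions are exactly 6.18.22, 6.19.12 and 7.0 as stated above, and the version comparison is only a heuristic because distribution kernels often backport fixes without changing the upstream version string.

```python
"""Assess a Linux host's exposure to CVE-2026-31431 "Copy Fail".

Added example, not from the report. Version thresholds are the ones the report
lists; confirm against your distribution's advisory, since a backported fix will
still show as "unpatched by version" here.
"""
import os
import re
from pathlib import Path

# Minimum fixed release per stable series, per the report.
FIXED_SERIES = {(6, 18): (6, 18, 22), (6, 19): (6, 19, 12)}
FIXED_FROM = (7, 0, 0)  # anything >= 7.0 is fixed
MODPROBE_CONF = Path("/etc/modprobe.d/disable-algif.conf")
INSTALL_DIRECTIVE = re.compile(r"^\s*install\s+algif_aead\s+/bin/(false|true)\s*$", re.M)


def parse_release(release: str) -> tuple:
    """'6.18.21-generic' -> (6, 18, 21); missing fields default to 0."""
    nums = [int(n) for n in re.findall(r"\d+", release.split("-")[0])]
    return tuple((nums + [0, 0, 0])[:3])


def kernel_is_fixed(release: str) -> bool:
    """True if the upstream version string is at or above a fixed release."""
    v = parse_release(release)
    if v >= FIXED_FROM:
        return True
    series = v[:2]
    if series in FIXED_SERIES:
        return v >= FIXED_SERIES[series]
    # Older series (the report says every kernel since 2017) are affected
    # unless the distribution backported the fix.
    return False


def module_loaded(proc_modules: str) -> bool:
    """Parse /proc/modules text; the first column is the module name."""
    return any(line.split(" ", 1)[0] == "algif_aead" for line in proc_modules.splitlines())


def mitigation_present(conf_text: str) -> bool:
    """True if an 'install algif_aead /bin/false' directive is configured."""
    return INSTALL_DIRECTIVE.search(conf_text) is not None


def assess(release: str, proc_modules: str, conf_text: str) -> dict:
    """Combine the three checks into one verdict."""
    fixed = kernel_is_fixed(release)
    loaded = module_loaded(proc_modules)
    blocked = mitigation_present(conf_text)
    # Unloading alone is not enough: binding an AF_ALG socket triggers an
    # automatic request_module() for algif_aead, so the install directive is
    # what actually keeps the module out on an unpatched kernel.
    exposed = (not fixed) and (loaded or not blocked)
    return {"kernel_fixed": fixed, "module_loaded": loaded,
            "autoload_blocked": blocked, "exposed": exposed}


def assess_live_host() -> dict:
    """Read the real host state (Linux only)."""
    release = os.uname().release
    modules = Path("/proc/modules").read_text()
    conf = MODPROBE_CONF.read_text() if MODPROBE_CONF.exists() else ""
    return assess(release, modules, conf)


if __name__ == "__main__":
    for key, value in assess_live_host().items():
        print(f"{key}: {value}")
```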

2. CVE-2026-41940 — cPanel & WHM Pre-Authentication RCE

CVE: CVE-2026-41940 • CVSS 9.8
Affected: cPanel & WHM all versions after 11.40, WP Squared
First exploited: ~2026-02-23 (zero-day period) • Patch released 2026-04-28
Scale: ~1.5 million internet-exposed instances (Shodan telemetry)

CVE-2026-41940 is a critical CVSS 9.8 authentication bypass in cPanel and WebHost Manager (WHM). The flaw stems from a Carriage Return Line Feed (CRLF) injection in the session file creation path of cpsrvd, the cPanel service daemon.

Before authentication, cpsrvd writes a new session file to disk. The attacker manipulates the whostmgrsession cookie by omitting an expected segment, avoiding encryption. Raw \r\n characters injected through a malicious Authorization HTTP header are then written into the session file without sanitisation, allowing the attacker to insert user=root directly into their own session file. From that point, full WHM API access yields root RCE through legitimate features WHM exposes, requiring only a handful of HTTP requests and no credentials.

A targeted campaign identified on 2026-05-02 was traced to staging server IP 95.111.250.175, which exposed operations targeting *.mil.ph, *.ph (Philippines military/government) and *.gov.la (Laos government) domains. A separate custom exploit chain was built for an Indonesian defence-sector training portal.

TTPs: T1190 (Exploit Public-Facing Application), T1078 (Valid Accounts — session impersonation), T1059.004 (Unix Shell), T1005 (Data from Local System), T1041 (Exfiltration Over C2 Channel).

Patched builds: 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, 11.136.0.5. If immediate patching is not possible, restrict WHM port 2087 to administrative IP ranges only.

3. BlueHammer / RedSun / UnDefend — Windows Defender Zero-Day Cluster

Toolset: "Nightmare-Eclipse" (Huntress Labs tracking name)
CVE: CVE-2026-33825 (BlueHammer) • CVSS 7.8 • CISA KEV deadline May 7, 2026
Unpatched: RedSun (second Defender LPE), UnDefend (Defender DoS)

Three vulnerabilities affecting Windows Defender were publicly disclosed as zero-days by researcher "Chaotic Eclipse" on April 7, 2026. CVE-2026-33825 (BlueHammer) is a TOCTOU race condition in Defender's threat remediation engine that allows an unprivileged user to overwrite arbitrary files and achieve SYSTEM-level code execution. Microsoft patched this on April 14; CISA added it to KEV with a federal deadline of May 7, 2026.

RedSun is a second, distinct LPE flaw in Defender that remains unpatched. UnDefend is a denial-of-service primitive that blocks Defender definition updates, effectively blinding endpoint protection before delivering a payload. The Huntress Labs "Nightmare-Eclipse" intrusion report documented real-world chaining: attackers used BlueHammer to escalate, then leveraged UnDefend to suppress Defender, then dropped second-stage implants.

Observed staging paths: C:\Users\*\Downloads\z.exe (BlueHammer renamed), C:\Users\*\Pictures\FunnyApp.exe (RedSun), C:\Users\*\Downloads\RedSun.exe.

TTPs: T1068 (Exploitation for Privilege Escalation), T1562.001 (Impair Defenses), T1574.010 (Hijack Execution Flow), T1036.005 (Masquerading), T1003.001 (OS Credential Dumping).

4. Team PCP Supply Chain Campaign — PyTorch Lightning / LiteLLM

Actor: Team PCP • assessed LAPSUS$-affiliated (moderate confidence)
Campaign active: February 2026 — present
Malware: Mini Shai-Hulud worm (PyPI); pgserve worm (npm)

Team PCP is conducting a sustained, multi-ecosystem supply chain campaign targeting AI/ML developer tooling. Two active threads are observable in this window:

Thread 1 — PyTorch Lightning: Malicious versions 2.6.2 and 2.6.3 of the PyPI lightning package were published on 2026-04-30 and quarantined 42 minutes later. The packages included a hidden _runtime/ directory containing obfuscated JavaScript that executes automatically upon import lightning, harvesting API keys, cloud credentials, SSH keys, environment variables, and CI/CD tokens before attempting to propagate to GitHub repositories using any discovered tokens. Artefacts written to victim repos include .claude/settings.json, .vscode/tasks.json, and .github/workflows/format-check.yml.

Thread 2 — LiteLLM CVE-2026-42208: A pre-authentication SQL injection (CVSS 9.3) in LiteLLM proxy versions prior to 1.83.7-stable was publicly disclosed on 2026-04-19 and saw active exploitation beginning 2026-04-26 (36 hours post-disclosure). Attackers target litellm_credentials.credential_values and litellm_config tables, which hold OpenAI organisation keys, Anthropic console keys with workspace admin rights, and AWS Bedrock IAM credentials. The blast radius is closer to a cloud account compromise than a typical SQLi.

TTPs: T1195.001 (Supply Chain Compromise), T1552.001 (Credentials in Files), T1552.004 (Private Keys), T1059.007 (JavaScript), T1071.001 (Web Protocols C2).

5. Lynx Ransomware — Healthcare Sector Double Extortion

Actor: Lynx ransomware group • assessed as INC Ransomware rebrand (Palo Alto Unit 42)
Active campaign: Ongoing into May 2026 • 40% YoY increase in attacks

Lynx ransomware operators continue an active double-extortion campaign against healthcare sector organisations. A confirmed attack on a U.S. regional hospital was reported during the current coverage window, with EHR and scheduling systems encrypted and patient data exfiltrated. The group leverages standard initial access vectors including RDP brute force, VPN credential stuffing using previously leaked credentials, and phishing. Post-access activity: RCLONE for data staging and exfiltration, then ransomware deployment with VSS deletion. The group's leak site lists victims within days of encryption to maximise payment pressure.

TTPs: T1078 (Valid Accounts — RDP/VPN), T1566 (Phishing), T1021.001 (RDP), T1486 (Data Encrypted for Impact), T1048 (Exfiltration — RCLONE), T1490 (Inhibit System Recovery).

6. Iranian-Affiliated ICS/OT Campaign — Rockwell Automation PLCs

Actor: Iran-affiliated cyber actors (CISA/FBI/EPA joint advisory AA26-097A)
Campaign active: March 2026 — present
Targets: Rockwell Automation/Allen-Bradley PLCs • Water, Energy, Manufacturing

Iran-affiliated threat actors are conducting ongoing exploitation of internet-connected operational technology (OT) devices across U.S. critical infrastructure. The campaign specifically targets Rockwell Automation Allen-Bradley PLCs using the vendor's own engineering software (Studio 5000 Logix Designer) to extract PLC programming logic files (.L5X, .ACD), modify process-control parameters, and manipulate HMI/SCADA display data. This represents a shift from hacktivist-style defacement to sustained operational disruption — modifying physical process parameters such as pump speeds, chemical dosing setpoints, and valve positions. No CVE exploitation is required; access is gained through internet-exposed HMIs retaining default credentials.

TTPs (ICS ATT&CK): T0866 (Exploitation of Remote Services), T0883 (Internet Accessible Device), T0831 (Manipulation of Control), T0832 (Manipulation of View), T0845 (Program Upload), T0821 (Modify Controller Tasking).

IOC Pack

IOCs sourced from public reporting. Recommended TTL: 7–14 days (retire by 2026-05-19). Validate before blocking.

Network IOCs

| Type | Value | Campaign | Notes |
|---|---|---|---|
| IPv4 | 95.111.250.175 | CVE-2026-41940 / SEA Government Targeting | Attacker staging server; targeting *.mil.ph, *.ph, *.gov.la |

Package / Dependency IOCs

| Package Manager | Package | Malicious Versions | Safe Version |
|---|---|---|---|
| PyPI | lightning (PyTorch Lightning) | 2.6.2, 2.6.3 | 2.6.1 or >= 2.6.4 |
| PyPI | litellm | All < 1.83.7-stable | >= 1.83.7-stable |
| npm | pgserve | All compromised versions | See npm advisory |
| PyPI | intercom-client | 7.0.4 | >= 7.0.5 |
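An environment audit against the package indicators above and the two Team PCP threads described in the deep-dive (malicious lightning builds, vulnerable litellm), added here as an example that is not code from the report or from either project. Assumptions: input is the text of `pip freeze`; a `-stable` suffix is ignored for ordering, so 1.83.7-stable sorts as 1.83.7; the site-packages scan is a filename check for the `_runtime/router_runtime.js` artefact named in the IOC pack, not a content check.

```python
"""Audit a Python environment against this report's PyPI indicators.

Added example, not from the report. Exact malicious versions and minimum fixed
versions are taken from the package IOC table.
"""
import re
from pathlib import Path
from typing import Optional

# Exact versions the report lists as malicious.
MALICIOUS = {
    "lightning": {"2.6.2", "2.6.3"},
    "intercom-client": {"7.0.4"},
}
# Packages where every version below the fixed one is vulnerable.
MIN_FIXED = {"litellm": "1.83.7"}
# Artefact the malicious lightning builds drop inside the package tree.
WORM_ARTEFACTS = ("_runtime/router_runtime.js",)


def vtuple(version: str) -> tuple:
    """'1.83.7-stable' -> (1, 83, 7, 0). Suffixes are dropped, fields zero-padded."""
    nums = [int(n) for n in re.findall(r"\d+", version.split("-")[0].split("+")[0])]
    return tuple((nums + [0, 0, 0, 0])[:4])


def normalize_name(name: str) -> str:
    """PEP 503 normalisation: case-insensitive, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_freeze(text: str) -> dict:
    """Map normalised package name -> pinned version from 'pip freeze' output."""
    pkgs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "-e ")):
            continue  # comments and editable installs carry no pinned version
        m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)==(\S+)$", line)
        if m:
            pkgs[normalize_name(m.group(1))] = m.group(2)
    return pkgs


def classify(name: str, version: str) -> Optional[str]:
    """'malicious', 'vulnerable', or None for a single package pin."""
    n = normalize_name(name)
    if version in MALICIOUS.get(n, ()):
        return "malicious"
    if n in MIN_FIXED and vtuple(version) < vtuple(MIN_FIXED[n]):
        return "vulnerable"
    return None


def audit_freeze(text: str) -> list:
    """Return [(package, version, finding)] for every hit in a freeze listing."""
    hits = []
    for name, version in parse_freeze(text).items():
        finding = classify(name, version)
        if finding:
            hits.append((name, version, finding))
    return hits


def find_worm_artefacts(site_packages: Path) -> list:
    """Paths of any _runtime/router_runtime.js found under site-packages."""
    return sorted(str(p) for art in WORM_ARTEFACTS for p in site_packages.glob(f"**/{art}"))


if __name__ == "__main__":
    import subprocess
    import sysconfig
    freeze = subprocess.run(["pip", "freeze"], capture_output=True, text=True).stdout
    for hit in audit_freeze(freeze):
        print("package finding:", hit)
    for path in find_worm_artefacts(Path(sysconfig.get_paths()["purelib"])):
        print("worm artefact:", path)
```

A hit on lightning 2.6.2 or 2.6.3 means credentials on that host should be treated as exposed, not just the package removed.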

CVEs — Actively Exploited in the Wild

| CVE | CVSS | Product | Exploited By | CISA KEV | Patch Deadline |
|---|---|---|---|---|---|
| CVE-2026-31431 | 7.8 | Linux Kernel (all distros, kernels since 2017) | Multiple actors | Yes | 2026-05-15 (federal) |
| CVE-2026-41940 | 9.8 | cPanel & WHM all versions > 11.40 | Multiple actors + targeted APT | Yes | Immediate |
| CVE-2026-33825 | 7.8 | Microsoft Defender (Win 10/11, Server 2019/2022/2025) | Nightmare-Eclipse toolset | Yes | 2026-05-07 (federal) |
| CVE-2026-42208 | 9.3 | LiteLLM proxy < 1.83.7-stable | Team PCP / unknown actors | No | Immediate |
| CVE-2026-32202 | 4.3 | Windows Shell (all supported Windows) | APT28-adjacent | Yes | Apply April 14 patch |
| CVE-2026-5281 | Critical | Chrome/Chromium < 146.0.7680.178 | Multiple actors in-the-wild | Yes | Verify patched (deadline passed) |

Behavioural IOCs / Suspicious Artefacts

| Type | Value | Campaign | Notes |
|---|---|---|---|
| File path | C:\Users\*\Downloads\z.exe | BlueHammer/RedSun | Nightmare-Eclipse BlueHammer staging |
| File path | C:\Users\*\Pictures\FunnyApp.exe | RedSun | Nightmare-Eclipse RedSun staging |
| File path | C:\Users\*\Downloads\RedSun.exe | RedSun | Direct PoC binary |
| Process | Unexpected child of MsMpEng.exe with SYSTEM token | BlueHammer CVE-2026-33825 | TOCTOU race-produced SYSTEM process |
| File path | _runtime/router_runtime.js | Mini Shai-Hulud (PyPI) | Hidden dir in lightning package; auto-exec on import |
| File path | .claude/settings.json modified by non-Claude process | Mini Shai-Hulud | Worm propagation artefact |
| File path | .github/workflows/format-check.yml | Mini Shai-Hulud | CI/CD persistence workflow planted by worm |
| Registry key | HKLM\SYSTEM\CurrentControlSet\Services\WinDefend Start=4 | UnDefend | Defender service disabled |
| User-agent | cPanel-WHM-Scanner/1.0 | CVE-2026-41940 scanning | Observed in web server access logs during mass scan phase |
| Network request | 169.254.169.254 via shell child of user process | CVE-2026-31431 post-exploitation | Cloud metadata enumeration after root escalation |
| Outbound port | TCP 44818 | Iranian ICS/OT campaign | EtherNet/IP — scanning for exposed Rockwell PLCs |
| File extension | .L5X, .ACD | Iranian ICS/OT campaign | Rockwell Automation PLC project files being exfiltrated |
| UNC pattern | \\ATTACKER_IP\share\* resolved by explorer.exe | CVE-2026-32202 | LNK-triggered NTLM coercion |
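Applying the IOC pack to web server logs, as an added example that is not part of this report: it matches the CVE-2026-41940 staging IP and scanner user-agent from the tables above against Apache/nginx combined-format access lines, and retires indicators after the 2026-05-19 TTL so stale entries stop alerting. The sample log lines are constructed; the combined log format and the exact-match user-agent comparison are assumptions.

```python
"""Match this report's network and user-agent IOCs against access logs, with TTL.

Added example, not from the report. The indicator values and the retire date
come from the IOC pack; the log lines below are constructed for the demo.
"""
import re
from datetime import date

RETIRE_ON = date(2026, 5, 19)  # report: TTL 7-14 days, retire by 2026-05-19

IOCS = [
    {"type": "ipv4", "value": "95.111.250.175",
     "campaign": "CVE-2026-41940 / SEA government targeting", "retire": RETIRE_ON},
    {"type": "user_agent", "value": "cPanel-WHM-Scanner/1.0",
     "campaign": "CVE-2026-41940 scanning", "retire": RETIRE_ON},
]

# Apache/nginx "combined" format: ip ident user [ts] "request" status bytes "referer" "ua"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)


def active_iocs(today: date) -> list:
    """Drop indicators past their retire date so expired IOCs stop firing."""
    return [i for i in IOCS if today <= i["retire"]]


def parse_line(line: str):
    """Dict of fields for a combined-format line, or None if it does not parse."""
    m = COMBINED.match(line)
    return m.groupdict() if m else None


def match_line(line: str, today: date) -> list:
    """Campaign labels of every active IOC this line matches."""
    rec = parse_line(line)
    if not rec:
        return []
    hits = []
    for ioc in active_iocs(today):
        if ioc["type"] == "ipv4" and rec["ip"] == ioc["value"]:
            hits.append(ioc["campaign"])
        elif ioc["type"] == "user_agent" and rec["ua"] == ioc["value"]:
            hits.append(ioc["campaign"])
    return hits


def scan_log(lines, today: date) -> list:
    """[(line_number, ip, request, campaigns)] for lines hitting an active IOC.

    The output is for analyst review; the report says to validate before blocking.
    """
    out = []
    for n, line in enumerate(lines, 1):
        hits = match_line(line, today)
        if hits:
            rec = parse_line(line)
            out.append((n, rec["ip"], rec["req"], hits))
    return out


# Constructed sample lines: one from the staging IP, one with the scanner
# user-agent, one benign.
SAMPLE_LOG = [
    '95.111.250.175 - - [02/May/2026:10:14:07 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [03/May/2026:01:22:41 +0000] "GET / HTTP/1.1" 401 0 "-" "cPanel-WHM-Scanner/1.0"',
    '198.51.100.4 - - [03/May/2026:02:00:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG, date.today()):
        print(hit)
```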

KQL Hunting Queries

Proactive threat hunting queries for Microsoft Defender for Endpoint / Microsoft Sentinel. Broader in scope and intended for analyst-driven investigation.

HUNT-01: Linux "Copy Fail" Post-Exploitation — Cloud Metadata Enumeration

// HUNT-01: Linux kernel CVE-2026-31431 post-exploitation cloud metadata enumeration
// Covers: CVE-2026-31431 post-root cloud recon | MITRE: T1552.005, T1068
// RemoteUrl can be empty for a direct IP connection, so RemoteIP is checked as well
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemoteUrl contains "169.254.169.254"
    or RemoteIP == "169.254.169.254"
    or RemoteUrl contains "metadata.google.internal"
| where InitiatingProcessParentFileName in ("python3", "python", "bash", "sh", "dash")
| project Timestamp, DeviceName, InitiatingProcessAccountName,
    InitiatingProcessFileName, InitiatingProcessParentFileName,
    RemoteUrl, RemoteIP, RemotePort
| order by Timestamp desc

HUNT-02: BlueHammer / RedSun — Suspicious Binaries in User-Writable Paths Escalating to SYSTEM

// HUNT-02: BlueHammer / RedSun — user-writable path binaries achieving SYSTEM
// Covers: CVE-2026-33825 BlueHammer, RedSun | MITRE: T1068, T1574.010
DeviceProcessEvents
| where Timestamp > ago(24h)
| where AccountName == "SYSTEM"
    and InitiatingProcessAccountName != "SYSTEM"
    and InitiatingProcessFolderPath has_any (
        @"C:\Users\", @"C:\ProgramData\", @"C:\Temp\", @"C:\Windows\Temp\"
    )
| where FileName !in~ ("MsMpEng.exe", "svchost.exe", "services.exe", "lsass.exe",
    "winlogon.exe", "csrss.exe", "wininit.exe", "smss.exe")
| project Timestamp, DeviceName, InitiatingProcessAccountName,
    InitiatingProcessFolderPath, InitiatingProcessFileName,
    FileName, FolderPath, ProcessCommandLine, AccountName
| order by Timestamp desc

HUNT-03: UnDefend — Defender Service Disabled or Definition Update Suppressed

// HUNT-03: UnDefend DoS — Defender service or update pipeline disabled
// Covers: UnDefend, Impair Defenses | MITRE: T1562.001
DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryKey has "WinDefend"
    or RegistryKey has "SecurityHealthService"
| where RegistryValueName == "Start" and RegistryValueData == "4"
| project Timestamp, DeviceName, InitiatingProcessAccountName,
    InitiatingProcessFileName, RegistryKey, RegistryValueName, RegistryValueData
| order by Timestamp desc

HUNT-04: Mini Shai-Hulud — Supply Chain Worm Artefacts on Disk

// HUNT-04: Team PCP PyPI supply chain — router_runtime.js and worm artefacts
// Covers: Mini Shai-Hulud supply chain | MITRE: T1195.001, T1059.007
DeviceFileEvents
| where Timestamp > ago(7d)
| where FileName in~ ("router_runtime.js", "format-check.yml")
    or FolderPath has "_runtime"
    or FolderPath has ".claude"
| where InitiatingProcessFileName in~ ("python.exe", "python3", "pip", "pip3", "node", "npm")
| project Timestamp, DeviceName, InitiatingProcessAccountName,
    InitiatingProcessFileName, FileName, FolderPath, SHA256
| order by Timestamp desc

HUNT-05: LiteLLM CVE-2026-42208 — Anomalous Outbound from LLM Proxy

// HUNT-05: LiteLLM CVE-2026-42208 SQLi — anomalous POST to LLM proxy API routes
// Covers: CVE-2026-42208 Team PCP exploitation | MITRE: T1190, T1552.001
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemotePort in (4000, 8080, 8000, 443)
    and LocalPort > 1024
| where InitiatingProcessFileName in~ ("litellm", "python3", "python", "uvicorn", "gunicorn")
| where RemoteIPType == "Public"
| project Timestamp, DeviceName, LocalIP, LocalPort,
    RemoteIP, RemotePort, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc

HUNT-06: CVE-2026-41940 — Anomalous cpsrvd Child Processes

// HUNT-06: CVE-2026-41940 cPanel session poisoning — cpsrvd spawning shells
// Covers: CVE-2026-41940 cPanel exploitation | MITRE: T1190, T1059.004
DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName =~ "cpsrvd"
    or InitiatingProcessFileName =~ "whostmgrd"
| where FileName in~ ("bash", "sh", "perl", "python", "python3", "curl", "wget", "nc", "ncat")
| project Timestamp, DeviceName, InitiatingProcessFileName,
    FileName, ProcessCommandLine, AccountName, FolderPath
| order by Timestamp desc

HUNT-07: CVE-2026-32202 — Outbound SMB to Public IPs from Explorer

// HUNT-07: CVE-2026-32202 Windows Shell NTLM coercion — outbound SMB to non-corporate IPs
// Covers: CVE-2026-32202 NTLM hash theft | MITRE: T1187
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemotePort == 445
    and RemoteIPType == "Public"
| where InitiatingProcessFileName =~ "explorer.exe"
    or InitiatingProcessFileName =~ "lsass.exe"
| project Timestamp, DeviceName, InitiatingProcessAccountName,
    InitiatingProcessFileName, RemoteIP, RemotePort, LocalIP
| order by Timestamp desc

HUNT-08: Iranian ICS/OT — EtherNet/IP Scanning and PLC Project File Access

// HUNT-08: Iranian ICS/OT campaign — EtherNet/IP scanning and PLC project file access
// Covers: Iranian-affiliated ICS campaign | MITRE: T0866, T0845
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemotePort in (44818, 2222, 9600)
    or (RemotePort == 80 and RemoteIPType == "Public"
        and InitiatingProcessFileName =~ "Logix Designer.exe")
| project Timestamp, DeviceName, InitiatingProcessFileName,
    RemoteIP, RemotePort, RemoteUrl, InitiatingProcessCommandLine
| order by Timestamp desc

KQL Detection Rules (High Fidelity)

Tuned for direct alerting with low false-positive rates. Suitable for deployment to a SIEM analytic rule set.

DET-01: Copy Fail Post-Exploitation — Unprivileged Process Spawning Root Shell

Rationale: The CVE-2026-31431 PoC is a Python script that splices a setuid binary into an AF_ALG socket and then re-executes it. Legitimate Python or bash processes virtually never spawn root shells directly from unprivileged user sessions.

// DET-01: Copy Fail post-exploitation — python/bash spawning root shell
// MITRE: T1068 — Exploitation for Privilege Escalation | Severity: CRITICAL
DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ ("python3", "python", "bash", "sh")
    and InitiatingProcessAccountName != "root"
    and AccountName == "root"
    and FileName in~ ("bash", "sh", "id", "whoami", "chmod", "chown", "cp", "install")
| extend AlertTitle = "CRITICAL: Unprivileged process spawned root shell — possible Copy Fail (CVE-2026-31431)"
| extend Severity = "Critical"
| extend MITRETechnique = "T1068 — Exploitation for Privilege Escalation"
| extend RecommendedAction = "Isolate host immediately; check /proc/[pid]/fd for AF_ALG sockets; verify kernel patch level; review /var/log/auth.log for unexpected sudo/su events; collect memory image if possible"
| project Timestamp, DeviceName, InitiatingProcessAccountName,
    InitiatingProcessFileName, FileName, ProcessCommandLine,
    AccountName, AlertTitle, Severity, MITRETechnique, RecommendedAction
| order by Timestamp desc

DET-02: BlueHammer CVE-2026-33825 — SYSTEM Process from User-Writable Path

Rationale: BlueHammer exploits a TOCTOU race in Defender's remediation engine to achieve SYSTEM-level execution from a binary in a user-writable path. Legitimate Defender remediation actions do not spawn interactive shells or LOLBin processes.

// DET-02: BlueHammer CVE-2026-33825 — SYSTEM process with non-SYSTEM parent from user-writable path
// MITRE: T1068 — Exploitation for Privilege Escalation | Severity: HIGH
DeviceProcessEvents
| where Timestamp > ago(24h)
| where AccountName == "SYSTEM"
    and InitiatingProcessFolderPath has_any (
        @"C:\Users\", @"C:\Temp\", @"C:\ProgramData\"
    )
    and FileName in~ ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
        "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
        "bash.exe", "wsl.exe")
| extend AlertTitle = "HIGH: SYSTEM process from user-writable path — possible BlueHammer (CVE-2026-33825)"
| extend Severity = "High"
| extend MITRETechnique = "T1068 — Exploitation for Privilege Escalation"
| extend RecommendedAction = "Apply KB5055593 immediately; isolate host; check for LSASS access events within 60s of alert; hunt for RedSun.exe/FunnyApp.exe in user Downloads and Pictures directories"
| project Timestamp, DeviceName, InitiatingProcessAccountName,
    InitiatingProcessFolderPath, InitiatingProcessFileName,
    FileName, ProcessCommandLine, AccountName,
    AlertTitle, Severity, MITRETechnique, RecommendedAction
| order by Timestamp desc

DET-03: Mini Shai-Hulud — Lightning Package Auto-Executing JS Payload

Rationale: Legitimate PyTorch Lightning import does not spawn Node.js child processes or create files in _runtime/ subdirectories. No known false positives for this specific artefact combination.

// DET-03: Mini Shai-Hulud — lightning package auto-executing JS payload at import time
// MITRE: T1195.001 — Supply Chain Compromise | Severity: HIGH
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in~ ("python.exe", "python3", "python")
    and FileName in~ ("node.exe", "node", "nodejs")
    and ProcessCommandLine has "_runtime"
| extend AlertTitle = "HIGH: Python spawning Node.js with _runtime path — Mini Shai-Hulud supply chain indicator"
| extend Severity = "High"
| extend MITRETechnique = "T1195.001 — Supply Chain Compromise: Software Dependencies"
| extend RecommendedAction = "Identify all hosts with lightning==2.6.2 or 2.6.3 (pip show lightning); rotate all API keys, cloud credentials, and SSH keys on affected hosts; audit ~/.aws ~/.config ~/.ssh and .env files; check GitHub repo commit history for format-check.yml or .claude/ artefacts"
| project Timestamp, DeviceName, InitiatingProcessAccountName,
    InitiatingProcessFileName, FileName, ProcessCommandLine,
    SHA256, AlertTitle, Severity, MITRETechnique, RecommendedAction
| order by Timestamp desc

DET-04: CVE-2026-32202 — Outbound SMB to Public IP from Explorer.exe

Rationale: CVE-2026-32202 weaponised LNK files cause Windows Explorer to initiate an automatic NTLM authentication handshake to an attacker-controlled SMB server on the public internet. Explorer.exe initiating SMB (TCP 445) to public IPs is not legitimate behaviour in enterprise environments.

// DET-04: CVE-2026-32202 Windows Shell — outbound SMB to public IP from explorer.exe
// MITRE: T1187 — Forced Authentication | Severity: MEDIUM
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName =~ "explorer.exe"
    and RemotePort == 445
    and RemoteIPType == "Public"
| extend AlertTitle = "MEDIUM: Explorer.exe outbound SMB to public IP — possible NTLM coercion via CVE-2026-32202"
| extend Severity = "Medium"
| extend MITRETechnique = "T1187 — Forced Authentication"
| extend RecommendedAction = "Block outbound TCP 445 to non-corporate IPs at perimeter; identify the LNK file that triggered the connection; apply Microsoft April 14 patch if not already applied"
| project Timestamp, DeviceName, InitiatingProcessAccountName,
    InitiatingProcessFileName, RemoteIP, RemotePort, LocalIP,
    AlertTitle, Severity, MITRETechnique, RecommendedAction
| order by Timestamp desc

DET-05: Lynx Ransomware — VSS Deletion Followed by Mass File Encryption

Rationale: Ransomware operators universally delete VSS snapshots immediately before encryption. The combination of vssadmin delete shadows and subsequent high-volume file rename/write activity is near-conclusive for ransomware.

// DET-05: Lynx ransomware precursor — VSS deletion followed by mass file encryption
// MITRE: T1490 — Inhibit System Recovery; T1486 — Data Encrypted for Impact | Severity: CRITICAL
let VSSDelete = DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_all ("vssadmin", "delete", "shadows")
        or ProcessCommandLine has_all ("wmic", "shadowcopy", "delete")
| project DeviceName, VSSTimestamp = Timestamp, VSSProcess = InitiatingProcessFileName;
DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in ("FileCreated", "FileModified", "FileRenamed")
// Collect the distinct extensions seen per 5-minute bucket (not full file names),
// so a newly appended ransomware extension stands out in the alert
| extend Extension = tolower(extract(@"\.([^.\\]+)$", 1, FileName))
| summarize FileCount = count(), Extensions = make_set(Extension) by DeviceName, bin(Timestamp, 5m)
| where FileCount > 500
| join kind=inner VSSDelete on DeviceName
// Only buckets after the shadow copy deletion on the same host qualify
| where Timestamp > VSSTimestamp
| extend AlertTitle = "CRITICAL: Mass file modification following VSS deletion — Lynx/ransomware indicator"
| extend Severity = "Critical"
| extend MITRETechnique = "T1490 — Inhibit System Recovery; T1486 — Data Encrypted for Impact"
| extend RecommendedAction = "Isolate host from network IMMEDIATELY; do not reboot; preserve any remaining VSS; engage IR team; check for RCLONE processes and outbound large-data transfers in the preceding 12 hours"
| project Timestamp, DeviceName, FileCount, Extensions, VSSTimestamp, VSSProcess,
    AlertTitle, Severity, MITRETechnique, RecommendedAction
| order by Timestamp desc

Mitigation Priorities

Patch (actively exploited — act now):

  1. Linux Kernel CVE-2026-31431 — Apply kernel updates (>= 6.18.22, 6.19.12, or 7.0+). Until patched: echo 'install algif_aead /bin/false' >> /etc/modprobe.d/disable-algif.conf && modprobe -r algif_aead. CISA federal deadline: May 15, 2026.
  2. cPanel & WHM CVE-2026-41940 — Update to fixed builds: 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, or 11.136.0.5. If immediate patching is not possible, restrict WHM port 2087 to administrative IP ranges.
  3. Microsoft Defender BlueHammer CVE-2026-33825 — Apply Security Update KB5055593. CISA federal deadline: May 7, 2026 (two days from this report).
  4. LiteLLM CVE-2026-42208 — Upgrade to litellm >= 1.83.7-stable. If unavailable immediately, set disable_error_logs: true under general_settings in the LiteLLM config.
  5. Chrome CVE-2026-5281 — Ensure all Chrome/Chromium browsers are >= 146.0.7680.178. CISA deadline was April 15 — verify compliance.

Linux / Container / Cloud hardening:

AI/ML developer / supply chain:

Network hardening:

OT/ICS:

Sources