Major Security News
Official SAP npm packages compromised to steal credentials
Malware

Four official SAP npm packages were just compromised in what researchers believe is a TeamPCP supply-chain attack. The malicious code steals credentials and authentication tokens from developers’ systems—including AWS, Azure, and Google Cloud keys. If you’re a developer using SAP’s Cloud Application Programming Model (CAP) or Cloud MTA, your machines and CI/CD pipelines may already be exposed. The malware doesn’t just steal—it self-propagates to other packages, making this a fast-moving threat.
**What exactly happened**

Security researchers at Aikido and Socket discovered that four official SAP npm packages were tampered with. The compromised versions are now deprecated: @cap-js/sqlite v2.2.2, @cap-js/postgres v2.2.2, @cap-js/db-service v2.10.1, and mbt v1.2.48. These packages are widely used in enterprise development, supporting SAP’s Cloud Application Programming Model (CAP) and Cloud MTA. The attack is linked with medium confidence to the TeamPCP threat actor group.

**Who is affected and how**

Anyone who installed these specific package versions is at risk. The malicious code activates automatically through a preinstall script—meaning you didn’t need to run anything extra to get infected. Developers working on SAP enterprise applications, especially those using CI/CD pipelines, are the primary targets. The malware steals npm and GitHub tokens, SSH keys, and cloud credentials for AWS, Azure, and Google Cloud.

**The real-world impact and consequences**

This isn’t just about stolen passwords. The malware extracts secrets directly from CI runner memory, bypassing all log masking. It reads `/proc/<pid>/maps` and `/proc/<pid>/mem` to grab secrets in plaintext—even from platforms that claim to hide them. Once collected, data is encrypted and uploaded to public GitHub repositories under the victim’s account. These repos include the description “A Mini Shai-Hulud has Appeared”—a clear signature linking back to previous TeamPCP attacks.

**Technical breakdown: how it works**

The preinstall script launches a loader called `setup.mjs`, which downloads the Bun JavaScript runtime from GitHub. Bun then executes a heavily obfuscated payload named `execution.js`. This payload is an information-stealer that also searches GitHub commits for a specific string. Commit messages matching “OhNoWhatsGoingOnWithGitHub:<base64>” are decoded into tokens and checked for repository access—a dead-drop mechanism to gain further access. The malware also self-propagates. Using stolen npm or GitHub credentials, it modifies other packages it can access and injects the same malicious code. This turns a single infection into a potential supply-chain wildfire.

**What should be done — mitigation and recommendations**

First, immediately check if you’ve installed any of the compromised package versions. Rotate all credentials that may have been exposed—especially npm tokens, GitHub tokens, and cloud provider keys. Review your CI/CD pipeline logs for any unusual activity, particularly memory reads or unexpected GitHub repository creations. Enable multi-factor authentication on all developer accounts and consider using read-only tokens where possible. SAP has deprecated the malicious versions, but the root cause—possibly an exposed NPM token via a misconfigured CircleCI job—remains unclear. Monitor for official updates and patch as soon as new versions are released.

**Why this matters in the bigger cybersecurity landscape**

This attack mirrors the TeamPCP playbook seen in previous incidents against Trivy, Checkmarx, and Bitwarden. The use of memory scraping to bypass CI/CD log masking is a growing trend that undermines trust in pipeline security. Supply-chain attacks on official packages are becoming more sophisticated and harder to detect. The self-propagation mechanism means one compromised package can quickly infect dozens more. For enterprise developers, this is a stark reminder that even trusted sources need constant vigilance.
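To act on the first recommendation, here is an added example (not code from the article, SAP, Aikido or Socket) that scans an npm `package-lock.json` for the four compromised versions named above and also lists every dependency that declares an install script, since a preinstall hook was the infection vector. The lockfile contents below are constructed; the `hasInstallScript` field is what npm itself records for lockfile versions 2 and 3.

```javascript
// Added example, not code from the article, SAP, Aikido or Socket.
// Scans a package-lock.json (lockfileVersion 1, 2 or 3) for the compromised
// SAP package versions named in the article and for any dependency that
// declares an install script, since a preinstall hook was the infection vector.

const COMPROMISED = {
  "@cap-js/sqlite": ["2.2.2"],
  "@cap-js/postgres": ["2.2.2"],
  "@cap-js/db-service": ["2.10.1"],
  "mbt": ["1.2.48"],
};

// Lockfile v2/v3 keys look like "node_modules/@cap-js/sqlite" or, for nested
// installs, "node_modules/a/node_modules/@scope/b"; the package name follows
// the last "node_modules/" segment. The root entry "" has no such segment.
function nameFromPath(path) {
  const marker = "node_modules/";
  const idx = path.lastIndexOf(marker);
  return idx === -1 ? null : path.slice(idx + marker.length);
}

function isCompromised(name, version) {
  const bad = COMPROMISED[name];
  return Boolean(bad && bad.includes(version));
}

function scanLockfile(lock) {
  const findings = { compromised: [], installScripts: [] };

  // v2/v3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = nameFromPath(path);
    if (!name) continue;
    if (isCompromised(name, meta.version)) {
      findings.compromised.push({ name, version: meta.version, path });
    }
    // npm sets this for packages with preinstall/install/postinstall scripts;
    // every entry here deserves a look, not only the known-bad ones.
    if (meta.hasInstallScript === true) {
      findings.installScripts.push({ name, version: meta.version, path });
    }
  }

  // v1: nested "dependencies" tree keyed by package name (no install-script flag).
  const walkV1 = (deps, parent) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${parent}node_modules/${name}`;
      if (isCompromised(name, meta.version)) {
        findings.compromised.push({ name, version: meta.version, path });
      }
      walkV1(meta.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walkV1(lock.dependencies, "");

  return findings;
}

// Constructed sample lockfile (not a real project): one compromised version,
// one clean version of another SAP package, one unrelated native dependency.
const SAMPLE_LOCK = {
  name: "example-cap-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-cap-app", version: "1.0.0" },
    "node_modules/@cap-js/sqlite": { version: "2.2.2", hasInstallScript: true },
    "node_modules/@cap-js/postgres": { version: "2.1.0" },
    "node_modules/some-native-dep": { version: "0.4.1", hasInstallScript: true },
  },
};

// Prints the findings and returns true only when no compromised version is present.
function report(lock) {
  const { compromised, installScripts } = scanLockfile(lock);
  for (const f of compromised) {
    console.log(`COMPROMISED     ${f.name}@${f.version}  (${f.path})`);
  }
  for (const f of installScripts) {
    console.log(`install-script  ${f.name}@${f.version}  (${f.path})`);
  }
  return compromised.length === 0;
}

report(SAMPLE_LOCK); // returns false: the sample contains @cap-js/sqlite 2.2.2
```

For a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `scanLockfile`; any hit in `compromised` means the tokens and cloud keys listed above should be treated as exposed and rotated.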
Critical cPanel and WHM bug exploited as a zero-day, PoC now available
Zero-Day

A critical authentication bypass in cPanel and WHM is being actively exploited as a zero-day, with attackers already knocking on doors since late February. The bug, tracked as CVE-2026-41940, lets anyone waltz into your server without a password—no credentials required. If you run cPanel, WHM, or WP Squared, you're in the crosshairs. Hosting providers like KnownHost and Namecheap have already seen exploit attempts in the wild, and a proof-of-concept is now public. Roughly 1.5 million cPanel instances are exposed online, and attackers are racing to break in.
**What exactly happened**

A severe authentication bypass vulnerability, CVE-2026-41940, was discovered in cPanel, WHM, and WP Squared—and it's being actively exploited as a zero-day. The flaw allows attackers to log into the system without validating a password, effectively handing over the keys to the kingdom. Exploitation attempts were spotted as early as February 23, 2026, according to KnownHost CEO Daniel Pearson. The bug remained under the radar until cPanel released a fix on April 28, following pressure from hosting providers who were already seeing attacks.

**Who is affected and how**

Any organization using cPanel or WHM versions after 11.40 is vulnerable. That includes hosting providers, web agencies, and businesses managing multiple websites through these control panels. WP Squared, a WordPress management panel built on cPanel, is also impacted. Namecheap took the drastic step of temporarily blocking connections to cPanel and WHM ports 2083 and 2087 to protect customers until patches were available. Shodan scans reveal approximately 1.5 million cPanel instances exposed online, though the exact number of vulnerable systems remains unknown.

**The real-world impact and consequences**

Successful exploitation gives attackers complete control over the cPanel host system—its configurations, databases, and all websites it manages. This isn't a minor breach; it's a full compromise that can lead to data theft, malware deployment, and complete site defacement. For hosting providers, this is a nightmare scenario. A single compromised cPanel instance can expose thousands of customer websites, leading to cascading attacks, reputation damage, and potential legal liability.

**Technical breakdown**

The vulnerability is a Carriage Return Line Feed (CRLF) injection in the login and session loading processes. Security researchers at watchTowr explain that user-controlled input from the Authorization header is written into server-side session files before authentication—and without proper sanitization. This means an attacker can inject malicious data into session files, effectively tricking the system into granting access without a valid password. The exploit is now public, with watchTowr releasing both a detailed analysis and a detection artifact generator script.

**What should be done — mitigation and recommendations**

First, patch immediately. cPanel has released fixes for all affected versions, from 11.110.0.97 to 11.136.0.5. After updating, restart the `cpsrvd` service to ensure the patch takes effect. If patching isn't possible, block external access to ports 2083, 2087, 2095, and 2096, or stop the `cpsrvd` and `cpdavd` services. cPanel also provides a detection script to check for compromise—run it now. If indicators are found, purge all sessions, reset every credential, audit logs thoroughly, and investigate for persistence mechanisms. watchTowr's detection artifact generator can help verify if your instances are vulnerable.

**Why this matters in the bigger cybersecurity landscape**

This zero-day highlights a persistent weakness in web hosting infrastructure: authentication systems that trust user input before validation. As hosting providers consolidate around platforms like cPanel, a single vulnerability can have ripple effects across millions of websites. The fact that attackers were exploiting this bug for over two months before a fix was released underscores the importance of proactive monitoring and rapid patch deployment. In today's threat landscape, waiting for a vendor to act can be the difference between a close call and a full-blown breach.
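The flaw class described in the technical breakdown, shown with an added example that is not cPanel's code: a toy line-oriented session store (one `key=value` per line, an assumed format rather than cPanel's real one) in which a header value carrying CR/LF becomes a second record, next to a hardened writer that rejects control characters before anything reaches the file. Both writers and the test inputs are constructed for illustration.

```javascript
// Added example, not cPanel/WHM code. The "key=value per line" session format
// is an assumption used to illustrate the CRLF-injection class the article
// describes; it is not the real on-disk format.

// Vulnerable writer: copies header-derived values into the session record verbatim.
function serializeUnsafe(fields) {
  return Object.entries(fields)
    .map(([key, value]) => `${key}=${value}`)
    .join("\n") + "\n";
}

// Reader side: one record per line, the first "=" separates key from value.
function parseSession(text) {
  const record = {};
  for (const line of text.split(/\r?\n/)) {
    const eq = line.indexOf("=");
    if (eq === -1) continue; // blank or malformed line
    record[line.slice(0, eq)] = line.slice(eq + 1);
  }
  return record;
}

// Hardened writer: a header-derived value may not contain CR, LF or any other
// control character, so it can never end its own line and start a new record.
const CONTROL_CHAR = /[\u0000-\u001f\u007f]/;

function assertNoControlChars(name, value) {
  if (CONTROL_CHAR.test(String(value))) {
    throw new Error(`session field "${name}" contains a control character`);
  }
}

function serializeSafe(fields) {
  for (const [key, value] of Object.entries(fields)) {
    assertNoControlChars(key, key);
    assertNoControlChars(key, value);
  }
  return serializeUnsafe(fields);
}

// Constructed inputs: a normal username and one that smuggles a line break.
const CLEAN_USER = "alice";
const CRLF_USER = "alice\r\ninjected=1";

// How many records the reader sees after each writer handles a single "user"
// field; the unsafe writer turns one field into two records, the safe one refuses.
function compareWriters(userValue) {
  const unsafeRecords = Object.keys(parseSession(serializeUnsafe({ user: userValue }))).length;
  let safeResult;
  try {
    safeResult = Object.keys(parseSession(serializeSafe({ user: userValue }))).length;
  } catch (err) {
    safeResult = "rejected";
  }
  return { unsafeRecords, safeResult };
}

console.log(compareWriters(CLEAN_USER)); // { unsafeRecords: 1, safeResult: 1 }
console.log(compareWriters(CRLF_USER));  // { unsafeRecords: 2, safeResult: 'rejected' }
```

The defensive point is the order of operations: validate the header value, then write it; validating after the record exists is too late, because the reader already sees the extra line.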
Police dismantles 9 crypto scam centers, arrests 276 suspects
Tech News

A massive international sting just took down nine crypto scam centers and arrested 276 suspects. The operation, led by Dubai Police with U.S. and Chinese authorities, targeted the brutal "pig-butchering" fraud rings that have been draining victims' life savings. If you've ever wondered how those too-good-to-be-true crypto investment offers work, this is it. Scammers build fake relationships, then convince victims to pour money into phony platforms. The victims lose everything immediately, and the funds vanish through a maze of cryptocurrency accounts. Anyone with a social media account or a dating app is a potential target.
**What exactly happened**

Dubai Police, backed by the UAE Ministry of Interior, coordinated a takedown of nine cryptocurrency investment fraud centers. The operation netted 276 suspects, including key managers and recruiters for the scam networks. The arrests spanned multiple countries. Dubai Police caught several alleged ringleaders, while Thailand's Royal Thai Police apprehended others. Two suspects remain at large, but the net is tightening.

**Who is affected and how**

The victims are everyday people—Americans and others worldwide—who fell for "pig-butchering" schemes. Scammers build trust through fake friendships or romantic relationships, then lure targets into fake crypto investment platforms. Once victims transfer funds, they lose control immediately. The money gets laundered through multiple cryptocurrency accounts. Scammers even pressure victims to borrow from family and take out loans to invest more.

**The real-world impact and consequences**

The financial damage is staggering. The FBI's 2025 Internet Crime Report shows investment fraud accounted for 49% of all scam incidents last year, with reported losses of $8.6 billion. That's up from $6.5 billion in 2024. The U.S. Attorney for the Southern District of New York, Adam Gordon, made it clear: "These scammers thought they were safe half a world away. But their world has changed. Global crime now faces global justice."

**Technical breakdown**

The scam centers operated like legitimate businesses. One alleged ringleader, Thet Min Nyi, managed a company called Ko Thet Company. Other groups included Sanduo Group and Giant Company, run by Indonesian nationals. Victims were identified through complaints filed with the FBI's Internet Crime Complaint Center (IC3). Investigators traced millions in losses from cryptocurrency investment schemes back to these operations.

**What should be done — mitigation and recommendations**

The U.S. government is already stepping up. In November, federal authorities launched the Scam Center Strike Force, a new task force dedicated to disrupting crypto scam networks. This followed the DOJ's seizure of $15 billion from the leader of the Prince Group, a criminal organization that stole billions from Americans. For individuals, the advice is simple: never trust unsolicited investment offers, especially from people you meet online. If someone you've never met in person asks you to invest in crypto, it's almost certainly a scam.

**Why this matters in the bigger cybersecurity landscape**

This operation marks a turning point. As Assistant Attorney General A. Tysen Duva put it, "In contemporary society, fraud is borderless, and law enforcement activity to combat it and eliminate it is as well." The takedown also aligns with European actions this week, where authorities dismantled another crypto fraud ring causing over €50 million in losses. The message is clear: the golden age of crypto scammers hiding in foreign jurisdictions is ending. Global law enforcement is finally catching up.
Popular WordPress redirect plugin hid dormant backdoor for years
Malware

A backdoor hidden in a popular WordPress redirect plugin went undetected for five years, silently compromising over 70,000 websites. The malware, discovered by hosting provider Anchor’s founder Austin Ginder, allowed attackers to inject arbitrary code and hijack search rankings for SEO spam. If you run a site using Quick Page/Post Redirect versions 5.2.1 or 5.2.2, your site may still be at risk—even if you think you’ve updated.
**What exactly happened**

A dormant backdoor was discovered in the Quick Page/Post Redirect plugin, installed on more than 70,000 WordPress sites. The malware, added in 2020, remained hidden for five years until Austin Ginder spotted anomalies on 12 infected sites in his hosting fleet. WordPress.org has temporarily removed the plugin pending review, leaving users in limbo.

**Who is affected and how**

Any site running plugin versions 5.2.1 or 5.2.2—released between 2020 and 2021—is potentially compromised. The backdoor was embedded in a self-update mechanism that pointed to a third-party domain, anadnet[.]com, bypassing WordPress.org’s security controls. Even if you updated to later versions, the malicious updater may still linger on your server.

**The real-world impact and consequences**

The backdoor enabled “cloaked parasite SEO,” renting out Google ranking from 70,000 websites to unknown operators. For site owners, this means stolen search traffic, damaged reputation, and potential blacklisting by search engines. Worse, the arbitrary code execution capability could be weaponized for data theft, malware distribution, or complete site takeover at any time.

**Technical breakdown**

The malware operated through a passive backdoor that only activated for logged-out users, hiding its activity from admins. It hooked into WordPress’s `the_content` filter to fetch data from anadnet[.]com, injecting SEO spam into pages. The self-update mechanism allowed attackers to push arbitrary code from an external server, with version 5.2.3 receiving a tampered build in March 2021 that had a different hash than the official WordPress.org copy.

**What should be done**

Immediately uninstall Quick Page/Post Redirect and replace it with a clean copy of version 5.2.4 from WordPress.org once it’s available. Check your site for any suspicious files or database entries linked to anadnet[.]com. Ginder urges the backdoor’s operator to publish a static update manifest that forces all affected installs to upgrade to the clean version, effectively removing the malware.

**Why this matters**

This incident highlights a critical vulnerability in WordPress’s plugin ecosystem: plugins can hide malicious code for years, even in popular tools. The self-update mechanism exploited here is a common attack vector that bypasses official review channels. For site owners, it’s a stark reminder to audit all plugins regularly, monitor for unexpected external connections, and never assume a plugin is safe just because it’s widely used. The dormant backdoor could still be reactivated if the command-and-control domain resolves again, making this a ticking time bomb for thousands of sites.
‘Scattered Spider’ Member ‘Tylerb’ Pleads Guilty
Data Breach

A 24-year-old Scottish hacker who once topped the leaderboards of the English-speaking cybercrime underworld just pleaded guilty in a U.S. courtroom. His name is Tyler Robert Buchanan, known online as "Tylerb," and he was a senior member of the notorious group "Scattered Spider." This isn't just another arrest. Buchanan admitted to orchestrating SMS phishing attacks that hit major tech giants like Twilio, LastPass, and DoorDash in 2022. The goal? Steal tens of millions in cryptocurrency. If you hold crypto or work at a tech company, this case reveals exactly how a few deceptive text messages can bring down an entire digital empire.
**What exactly happened**

Tyler Robert Buchanan, a 24-year-old from Dundee, Scotland, pleaded guilty to wire fraud conspiracy and aggravated identity theft. He was a senior member of Scattered Spider, a cybercrime group infamous for its social engineering prowess. During the summer of 2022, Buchanan and his crew launched tens of thousands of SMS-based phishing texts. These messages targeted employees at companies like Twilio, LastPass, DoorDash, and Mailchimp. The goal was simple: trick a help desk employee into handing over access.

**Who is affected and how**

The immediate victims were the employees who fell for the phishing texts. But the real damage rippled outward. Once inside, the group used stolen credentials to access corporate networks and steal sensitive data. That data became ammunition for SIM-swapping attacks. By transferring a victim's phone number to a device they controlled, the hackers bypassed two-factor authentication and drained cryptocurrency wallets. Individual investors lost tens of millions of dollars.

**The real-world impact and consequences**

Buchanan now faces up to 22 years in a U.S. federal prison. His sentencing is set for August 21, 2026. But the judge may consider his age, cooperation with authorities, and time already served. His hacker handle "Tylerb" once sat at #1 on a leaderboard tracking the most accomplished cyber thieves. Now it sits at #24. The fall from grace is steep, but the real lesson is for the rest of us: these attacks worked because they targeted human trust, not technical flaws.

**Technical breakdown (the "how")**

Scattered Spider's method is deceptively simple. They impersonate employees or contractors calling IT help desks. They claim they've lost access or need a password reset. With enough convincing details (often scraped from LinkedIn or public sources), they get what they want. In Buchanan's case, the initial vector was SMS phishing. A text message that looked legitimate tricked an employee into clicking a link. That link led to a fake login page. Once credentials were entered, the attackers had a foothold. From there, they moved laterally across the network, stealing data and escalating privileges.

**What should be done — mitigation and recommendations**

Companies need to treat help desks as a critical security boundary. Implement strict verification protocols for password resets and access grants. Use out-of-band verification (like a phone call to a known number) instead of relying on email or chat. For individuals, especially crypto investors, avoid SMS-based two-factor authentication. Use hardware security keys or authenticator apps instead. And never click links in unsolicited text messages, even if they appear to come from a trusted company.

**Why this matters in the bigger cybersecurity landscape**

Scattered Spider represents a shift in cybercrime. They're not sophisticated hackers exploiting zero-day vulnerabilities. They're social engineers exploiting human nature. This case proves that the weakest link in any security system is the person answering the phone or reading a text. Buchanan's guilty plea sends a message, but it won't stop the next group from trying. The real fix is cultural: train employees to question everything, and build systems that assume someone will always try to trick them.
Bypassing Administrator Protection by Abusing UI Access
General Security

Windows just got a shiny new security feature called Administrator Protection, designed to finally lock down the notoriously leaky User Account Control (UAC). But before it even hit your desktop, security researchers had already found nine ways to punch right through it. The root cause? A decades-old feature called UI Access that Microsoft has basically ignored since Windows Vista. If you're using Windows 11 with Administrator Protection enabled, your system might still be vulnerable to attacks that let malware silently escalate privileges through your own user interface.
**What exactly happened**

Security researcher James Forshaw discovered nine distinct bypasses in Microsoft's new Administrator Protection feature, five of which stem from a single architectural flaw: the UI Access (UIA) mechanism. These bypasses were responsibly disclosed and patched before the feature's public release, but the underlying issue has existed since Windows Vista.

**The ancient problem nobody fixed**

UI Access was originally designed to let accessibility tools like screen readers interact with privileged windows. The problem is that this creates a backdoor through the Mandatory Integrity Control system, which normally prevents low-integrity processes from touching high-integrity windows. By abusing UIA, attackers can effectively bypass the entire integrity level hierarchy.

**Who is affected and how**

Any Windows 11 system with Administrator Protection enabled is potentially vulnerable. The attack works when a standard user runs a specially crafted application that requests UI Access privileges. Once granted, that application can send window messages to elevated processes, essentially tricking them into performing privileged actions on the attacker's behalf.

**The real-world impact**

This isn't just theoretical. A successful bypass means malware running as a standard user can silently escalate to full administrator privileges without triggering any UAC prompts. For enterprise environments relying on Administrator Protection as a security boundary, this completely undermines the protection model. The attacker gains the ability to install software, modify system settings, and access protected data.

**Technical breakdown explained simply**

Think of UAC as a security guard checking IDs at the door. Administrator Protection was supposed to be a reinforced steel door. But UI Access is like a service entrance that the guard is trained to wave through without checking. The researcher found that by requesting UI Access privileges (which any standard user can do), an application gets a special token that bypasses the integrity checks. From there, it can send carefully crafted messages to administrator-level windows, forcing them to execute code on the attacker's behalf.

**What should be done — mitigation and recommendations**

Microsoft has patched all nine bypasses in the latest Windows updates. Users should ensure they're running the most current version of Windows 11 with all security patches applied. Organizations should test Administrator Protection in their environments but remain aware that this is a new feature with a history of bypasses. The researcher recommends additional hardening through AppLocker or Windows Defender Application Control to restrict which applications can request UI Access.

**Why this matters in the bigger cybersecurity landscape**

This research exposes a fundamental tension in Windows security: the balance between accessibility and privilege separation. UI Access has been a known weakness for over a decade, but it was never prioritized for fixing because UAC itself was considered a convenience feature rather than a security boundary. Microsoft's new stance with Administrator Protection changes that calculus, but the discovery of nine bypasses shows how difficult it is to retrofit security onto legacy architecture. The real lesson is that security boundaries need rigorous testing from day one, not after they've been shipping for years.
Bypassing Windows Administrator Protection
Zero-Day

Windows 11’s shiny new Administrator Protection feature was supposed to be the end of UAC headaches. Instead, a researcher found nine ways to bypass it before it even fully launched. If you’re on the latest Windows 11 preview, your admin privileges might be more exposed than Microsoft intended. This isn’t just a theoretical flaw. The bypass works silently, giving attackers full admin rights without a single pop-up. Anyone running Windows 11 25H2 with Administrator Protection enabled is at risk — and Microsoft has already had to disable the feature temporarily.
**What exactly happened**

Microsoft rolled out Administrator Protection in Windows 11 25H2 as a shiny replacement for UAC. It was supposed to be the gold standard for temporary admin access. But security researcher [name redacted] dug into the insider preview builds and found nine separate vulnerabilities that could silently bypass the entire system. One of those bugs is particularly nasty: it lets an attacker gain full administrator privileges without triggering any elevation prompt. No pop-ups, no warnings, no user interaction needed. Just a clean, silent takeover.

**Who is affected and how**

Anyone running Windows 11 25H2 with Administrator Protection turned on is in the crosshairs. That includes both enterprise users who enabled it for security and power users who wanted tighter control over admin access. The attack works through a local privilege escalation vector. That means malware already running with limited user privileges can exploit the flaw to jump straight to SYSTEM-level access. No admin password required, no UAC prompt to dodge.

**The real-world impact and consequences**

This isn’t a minor inconvenience. Full admin privileges mean an attacker can install malware, disable security tools, steal credentials, and pivot across your network. For organizations, that’s a direct path to ransomware deployment or data exfiltration. Microsoft’s response was swift but telling: they disabled the entire Administrator Protection feature as of December 1st, 2025. That’s a big deal for a feature that was supposed to be a cornerstone of Windows 11 security.

**Technical breakdown — the “how” explained simply**

The researcher found that Administrator Protection relies on a new token-based system to grant temporary admin rights. But the implementation had a critical flaw: it didn’t properly validate the source of certain system calls. By crafting a specific sequence of API calls, an attacker could trick the system into granting a full administrator token to a process that should have stayed limited. Think of it like convincing a bouncer that you’re on the VIP list when you’re actually sneaking in through the back door. The vulnerability was present in the kernel-level components that handle privilege escalation. Microsoft has since patched all nine issues, either before the feature’s official release or in subsequent security bulletins.

**What should be done — mitigation and recommendations**

First, check if you’re running Windows 11 25H2 with Administrator Protection enabled. If so, Microsoft has already disabled the feature server-side, but you should verify your system is fully patched. Apply the latest Windows updates immediately, especially KB5067036 which addressed the pre-release bugs. For enterprise admins, monitor for any unusual privilege escalation attempts and ensure endpoint detection tools are up to date. The safest approach? Don’t run as an administrator at all. Use a standard user account for daily work and only elevate when absolutely necessary. That advice hasn’t changed since the UAC days.

**Why this matters in the bigger cybersecurity landscape**

This discovery highlights a recurring theme in modern security: new features often introduce new attack surfaces. Administrator Protection was designed to be more secure than UAC, but its complexity created fresh opportunities for bypasses. The fact that Microsoft had to disable the feature entirely shows that even well-intentioned security improvements can backfire. It’s a reminder that defense-in-depth strategies should never rely on a single control, no matter how shiny. For the broader industry, this underscores the importance of rigorous security testing before features go live. The researcher found nine vulnerabilities during the preview phase — imagine what attackers might have found if this had shipped without scrutiny.
Vulnerabilities & CVEs
Hackers exploit RCE flaws in Qinglong task scheduler for cryptomining
A quiet storm has been brewing in the world of open-source development tools. Hackers are now exploiting two critical security flaws in Qinglong, a popular task scheduler, to hijack servers and mine cryptocurrency. The core of the attack is a pair of authentication bypass bugs, tracked as CVE-2026-3965 and CVE-2026-4047. These flaws allow attackers to sneak past login screens and execute commands remotely. Think of it as a locked door that suddenly opens for anyone who knocks in a specific, unexpected way.

The real trouble started in early February, weeks before the vulnerabilities were even made public. The attackers were already inside, silently planting their payloads. Qinglong is a self-hosted time management tool, especially beloved by Chinese developers. With over 19,000 stars on GitHub, it’s a trusted piece of the development ecosystem. That trust is now being weaponized.

The impact is immediate and brutal. Once inside, attackers modify a configuration file to inject shell commands. These commands download a hidden cryptominer, cleverly named `.fullgc`, which mimics a legitimate but resource-heavy process. This rogue process then devours between 85% and 100% of the server’s CPU power. Developers suddenly find their machines crawling, their electricity bills spiking, and their productivity tanking—all while someone else mines cryptocurrency on their dime. The attacks have been widespread, hitting multiple setups, including those behind Nginx and SSL. The malware even comes in variants for Linux, ARM64, and macOS, showing the attackers are casting a wide net.

So, what should you do? First, if you’re running Qinglong version 2.20.1 or older, update immediately. The real fix came in pull request #2941, which corrected the authentication bypass at the middleware level. Don’t rely on earlier patches that only blocked command injection patterns—they were insufficient. Also, check your server for any suspicious processes named `.fullgc` or unusual CPU usage. Finally, ensure your Qinglong panels are not publicly exposed unless absolutely necessary. A little digital housekeeping can save you from becoming a silent crypto-mining host. Stay sharp.
Vulnerability CVE-1999-0095
Imagine a backdoor so old it predates Y2K panic, yet it’s still kicking down doors today. That’s CVE-1999-0095—a ghost in the machine haunting Sendmail, the ancient email server software many organizations still rely on. The core threat is deceptively simple: the debug command in Sendmail is left enabled, letting any attacker with network access whisper commands straight to the root of your system. No fancy exploits, no zero-days—just a forgotten switch that turns your server into a puppet.

Who’s affected? Anyone running Sendmail versions from the late 1990s onward that haven’t patched this specific flaw. Think legacy systems in hospitals, universities, or old-school ISPs—places where "if it ain’t broke, don’t fix it" is a mantra. The impact is severe: attackers can execute arbitrary commands as root, meaning they can steal data, install malware, or pivot deeper into your network. It’s not a theoretical risk—this vulnerability has been exploited in the wild for decades, often as a first step in larger campaigns. Your email server becomes a Trojan horse, and you might not even know it until the damage is done.

So, what can you do? First, check if your Sendmail version is patched—anything after 8.8.4 should be safe, but verify. If you’re running an older version, disable the debug command by adding `O DebuggerOptions=0` to your sendmail.cf file. Better yet, upgrade to a modern mail transfer agent like Postfix or Exim, which don’t carry this baggage. For those stuck with Sendmail for compatibility, isolate it on a separate network segment and monitor logs for suspicious `debug` activity. This isn’t a vulnerability you can ignore—it’s a ticking clock from the past that still ticks today. Patch it, replace it, or risk handing over the keys to your kingdom.
Vulnerability CVE-1999-0082
A ghost from the 90s is still haunting the internet. A decades-old vulnerability in FTP servers, known as CVE-1999-0082, lets anyone with a simple command—`CWD ~root`—gain root access to the system. It’s like finding a skeleton key buried in the code that never got locked away. This bug is a time capsule of early internet security. It exploits a flaw in the FTP daemon’s handling of tilde expansions, tricking the server into changing directories to the root user’s home. Once inside, an attacker can read, write, or execute files with full administrative privileges. No brute force, no sophisticated malware—just a few keystrokes.

Who’s at risk today? Surprisingly, many organizations still run legacy FTP servers for file transfers, often in internal networks or on older hardware. Even if patched long ago, misconfigurations or outdated versions can leave the door cracked open. The impact is severe: a compromised server can lead to data breaches, ransomware deployment, or a foothold for lateral movement across the network.

For IT teams, the fix is straightforward but urgent. First, disable the CWD command in your FTP server configuration if possible. Second, update to the latest version of your FTP software—most modern distributions have long since patched this. Third, consider replacing FTP altogether with secure alternatives like SFTP or FTPS, which encrypt traffic and avoid such legacy quirks. Finally, run a scan for any FTP servers on your network. If you find one, check its version history and log files for suspicious CWD attempts. This vulnerability is a reminder that the past doesn’t always stay buried—sometimes it just waits for a command to resurface.
Vulnerability CVE-1999-1471
A ghost from the Unix era has clawed its way back into the spotlight. Security researchers are sounding the alarm on CVE-1999-1471, a decades-old buffer overflow vulnerability hiding in plain sight within BSD-based operating systems, specifically versions 4.3 and earlier. This isn't a new bug—it's a classic that refuses to fade away. The flaw lives inside the `passwd` command, the tool used to change user passwords. By feeding it an overly long shell name or GECOS field (that's the user info like full name and office number), an attacker can overflow the system's memory buffer. Once that happens, the command crashes in a way that hands over root privileges to the attacker. This means anyone with local access to a vulnerable system can instantly become the superuser. No phishing, no brute force, no advanced exploit kits—just a long string of characters typed into a terminal. For organizations still running these ancient BSD systems, the risk is immediate and severe. The impact is concentrated on legacy infrastructure. Think old university servers, vintage industrial controllers, or research environments where these systems never got updated. A single compromised user account could lead to total system takeover, data theft, or sabotage. In modern contexts, this vulnerability is a stark reminder that outdated software is a ticking time bomb. If you're responsible for any BSD-based system from the 4.3 era or earlier, act now. First, immediately restrict local user access to only trusted individuals. Second, upgrade to a supported BSD version—any release after 4.3 has long patched this hole. Third, audit your systems for any lingering instances of this ancient code. For those running modern operating systems, you're safe. But this CVE serves as a powerful lesson: vulnerabilities don't expire. They wait, silently, for someone to stumble upon them. The best defense is a proactive patching strategy and a healthy respect for the ghosts in your machine.
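One check a practitioner would want after reading this entry: audit the account database for the oversized or malformed GECOS and shell fields that this class of overflow is fed with, so that any such value already sitting in the file is found before a legacy tool chokes on it. The following is an added example written for this digest, not code from BSD or any vendor; the field limits, the shell allowlist and the sample passwd lines are constructed assumptions, not the actual buffer sizes of the 4.3 `passwd` command.

```python
"""Audit passwd-style entries for the oversized or malformed GECOS and shell
fields that CVE-1999-1471-style overflows are fed with.

Added example for this digest, not vendor code.  The field limits and the
shell allowlist are assumptions chosen for illustration; set them to the
limits of the tools your systems actually run.
"""
import re

MAX_GECOS = 128        # assumed cap on the GECOS (user info) field
MAX_SHELL = 64         # assumed cap on the login-shell path
ALLOWED_SHELLS = {     # assumed allowlist (your /etc/shells is the real one)
    "/bin/sh", "/bin/csh", "/bin/ksh", "/usr/bin/false", "/sbin/nologin",
}
_PRINTABLE_ASCII = re.compile(r"^[\x20-\x7e]*$")


def check_entry(line):
    """Return the list of problems in one passwd line; empty means it is fine."""
    problems = []
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        # Extra colons mean a field contains ':', which corrupts later fields.
        return [f"expected 7 colon-separated fields, got {len(fields)}"]
    name, _pw, uid, gid, gecos, _home, shell = fields
    if not name:
        problems.append("empty account name")
    if not (uid.isdigit() and gid.isdigit()):
        problems.append("uid/gid not numeric")
    if len(gecos) > MAX_GECOS:
        problems.append(f"GECOS is {len(gecos)} bytes, limit {MAX_GECOS}")
    if not _PRINTABLE_ASCII.match(gecos):
        problems.append("GECOS contains non-printable or non-ASCII bytes")
    if len(shell) > MAX_SHELL:
        problems.append(f"shell path is {len(shell)} bytes, limit {MAX_SHELL}")
    if shell and shell not in ALLOWED_SHELLS:
        problems.append(f"shell {shell!r} is not in the allowlist")
    return problems


def audit(lines):
    """Map account name -> problems for every entry that fails a check."""
    findings = {}
    for number, line in enumerate(lines, 1):
        if not line.strip() or line.startswith("#"):
            continue
        problems = check_entry(line)
        if problems:
            key = line.split(":", 1)[0] or f"line {number}"
            findings[key] = problems
    return findings


# Constructed sample entries: two sane accounts, one oversized GECOS field,
# one oversized and unknown shell, one GECOS that smuggles in a colon.
SAMPLE_PASSWD = [
    "root:*:0:0:Charlie Root:/root:/bin/sh",
    "alice:*:1001:1001:Alice Example,Room 101:/home/alice:/bin/csh",
    "mallory:*:1002:1002:" + "A" * 300 + ":/home/mallory:/bin/sh",
    "eve:*:1003:1003:Eve:/home/eve:/" + "x" * 100,
    "trent:*:1004:1004:Trent:Room 7:/home/trent:/bin/sh",
]

if __name__ == "__main__":
    for account, problems in audit(SAMPLE_PASSWD).items():
        print(account, "->", "; ".join(problems))
```

Run it against a copy of the real file by passing `open("/etc/passwd")` to `audit()`; any account it reports is one whose fields exceed what a fixed-buffer tool of that era would have been written to hold, or whose shell is not one you deliberately allow.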
Vulnerability CVE-1999-1122
Imagine a backdoor in your own home, but you don't even know it's there. That's the chilling reality behind CVE-1999-1122, a vulnerability lurking in the restore command of SunOS 4.0.3 and earlier versions. This isn't a flashy new exploit from a blockbuster movie; it's a quiet, local privilege escalation flaw that lets anyone with a user account walk right past the security guards and into the system's VIP lounge. Who's at risk? Anyone running these ancient SunOS systems, which are likely still humming away in dusty server rooms or specialized hardware. The impact is severe: a local user, maybe a disgruntled intern or a clever student, can gain root-level privileges. That means they can read, modify, or delete any file, install malware, or even crash the entire system. It's like giving a regular employee the keys to the CEO's office, the vault, and the panic room all at once. So, what can you do? First, if you're still running SunOS 4.0.3 or earlier, it's time for a major upgrade. These systems are beyond a simple patch; they need to be replaced or migrated to a modern, supported operating system. Second, restrict local user access as much as possible. Only give accounts to people who absolutely need them, and monitor their activity closely. Finally, consider isolating these legacy systems from the rest of your network. Treat them like a museum exhibit—interesting to look at, but not connected to anything important. The best defense against this old ghost is to simply not let it in the building.
Vulnerability CVE-1999-1467
Imagine a backdoor so old it predates Y2K, yet it still echoes in today’s security nightmares. That’s CVE-1999-1467, a vulnerability in SunOS 4.0.x’s rcp command. It let attackers from trusted hosts run any code as root, no password needed. The twist? It hinged on how the system handled the “nobody” user—a ghost in the machine that became a weapon. This bug wasn’t just a glitch; it was a skeleton key for anyone on a trusted network. If you ran SunOS 4.0.x back then, your entire system was exposed. An attacker could copy malicious files, overwrite critical binaries, or plant a rootkit—all under the radar. The impact rippled through universities, labs, and early internet hubs that trusted this OS. Today, it’s a museum piece, but it teaches a brutal lesson: trust no one, not even a trusted host. What can you learn from this fossil? First, patch relentlessly. SunOS 4.0.x is long dead, but the principle lives on—every OS needs updates. Second, audit your “nobody” user or any low-privilege account that might have unexpected power. Finally, never assume a trusted network is safe. Use firewalls, segment access, and enforce least privilege. The past may be ancient, but its ghosts still haunt unpatched systems.
Vulnerability CVE-1999-1506
Imagine a ghost from the dawn of the internet, still lurking in the shadows of old systems. That’s exactly what CVE-1999-1506 is—a vulnerability in SMI Sendmail 4.0 and earlier, running on SunOS up to version 4.0.3. It’s a classic tale of a mail server gone rogue, allowing anyone with a network connection to waltz right into the system and access the user "bin." No password, no fuss—just a direct line to a sensitive account. This isn’t just a dusty relic for history books. If you’re still running these ancient versions of Sendmail or SunOS, your environment is sitting on a ticking time bomb. The "bin" user isn’t just any account—it’s a system-level identity that can execute commands and manipulate files. For attackers, it’s like finding the master key to your digital kingdom. Think outdated industrial control systems, legacy medical devices, or old university servers that never got patched. The impact? Full compromise of the mail server, and potentially a launchpad for deeper network attacks. So, what do you do if you’re stuck in this time warp? First, stop the bleeding: disable Sendmail immediately if it’s not critical to operations. If you need it running, upgrade to a modern version—anything post-4.0 is a start, but aim for the latest stable release. For SunOS, migrate to a supported operating system like Solaris 11 or Linux. And if you can’t upgrade right away, firewall that server like it’s radioactive. Restrict access to only trusted IPs, and monitor logs for any suspicious activity targeting the "bin" user. The takeaway is simple: don’t let a 1990s vulnerability become your 2024 nightmare. Patch, upgrade, or isolate—your choice, but time’s ticking.
Vulnerability CVE-1999-0084
Here’s a look back at a classic vulnerability that still echoes in today’s security landscape. In 1999, a flaw in certain NFS servers let users pull off a clever trick: they could use the `mknod` command to create a writable `kmem` device. Once that device was live, they could set their user ID to zero, instantly gaining root-level privileges. It was a simple exploit, but it unlocked the entire system. The impact was huge for anyone running those NFS servers. Any user with basic access could become an all-powerful administrator without needing a password or special permission. This meant they could read sensitive files, install backdoors, or crash the server at will. For organizations relying on NFS for file sharing—common in universities, research labs, and early corporate networks—this was a silent disaster waiting to happen. The flaw didn’t require advanced hacking skills, just a few commands and a bit of know-how. So, what can you do to stay safe today? First, always patch your NFS software. Vendors fixed this specific bug years ago, but unpatched systems still exist in legacy environments. Second, restrict access to NFS shares. Use firewalls or VPNs to limit who can even reach the server. Third, monitor for unusual activity, like unexpected `mknod` commands or privilege escalations. Finally, consider modern alternatives like NFSv4 with stronger authentication or cloud-based storage solutions. The lesson from 1999 is clear: even small misconfigurations can lead to big breaches. Stay vigilant, keep systems updated, and never assume old vulnerabilities are gone for good.
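The log monitoring that the Sendmail, FTP and NFS entries above each recommend can be put into one small detector. What follows is an added example, not code from the digest's authors or from any of the products named; the three log line formats and the sample lines are constructed for illustration, and the regexes will need adapting to the logs you actually collect. It flags the three indicators those entries name: a `debug` command in an SMTP session, a `CWD ~root` request in an FTP session, and `mknod` executed by a non-root user.

```python
"""Flag the three legacy-attack indicators this digest's Sendmail, FTP and NFS
entries tell you to watch for: a 'debug' command in an SMTP session
(CVE-1999-0095), 'CWD ~root' in an FTP session (CVE-1999-0082) and mknod run
by an unprivileged user (CVE-1999-0084).

Added example, not code from any of the products named.  The three line
formats below are constructed for this example and are not any daemon's real
log format; adapt the regexes to the logs you actually collect.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    source: str    # which log the line came from
    rule: str      # indicator that fired
    actor: str     # client address or uid
    line_no: int   # 1-based position in the input


# Assumed line formats (constructed for this example):
#   <ts> smtp client=<ip> cmd=<VERB> [args]
#   <ts> ftpd client=<ip> user=<name> cmd=<VERB> [args]
#   <ts> audit uid=<n> comm=<program> exe=<path>
SMTP_RE = re.compile(r"^\S+ smtp client=(?P<client>\S+) cmd=(?P<cmd>\S+)(?: (?P<args>.*))?$")
FTP_RE = re.compile(r"^\S+ ftpd client=(?P<client>\S+) user=\S+ cmd=(?P<cmd>\S+)(?: (?P<args>.*))?$")
AUDIT_RE = re.compile(r"^\S+ audit uid=(?P<uid>\d+) comm=(?P<comm>\S+) exe=\S+$")

# FTP argument that names root's home via tilde expansion, alone or as a prefix.
TILDE_ROOT = re.compile(r"~root(?:/.*)?")


def classify(line, line_no):
    """Return a Finding for a line that matches an indicator, else None."""
    if m := SMTP_RE.match(line):
        if m["cmd"].lower() == "debug":
            return Finding("smtp", "sendmail-debug", m["client"], line_no)
        return None
    if m := FTP_RE.match(line):
        args = (m["args"] or "").strip()
        if m["cmd"].upper() == "CWD" and TILDE_ROOT.fullmatch(args):
            return Finding("ftp", "cwd-tilde-root", m["client"], line_no)
        return None
    if m := AUDIT_RE.match(line):
        if m["comm"] == "mknod" and int(m["uid"]) != 0:
            return Finding("audit", "unprivileged-mknod", f"uid={m['uid']}", line_no)
        return None
    return None   # unrecognised format: ignored, not an error


def scan(lines):
    """Run classify over every line and collect the findings in order."""
    findings = []
    for number, line in enumerate(lines, 1):
        finding = classify(line.rstrip("\n"), number)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample lines mixing benign traffic with one hit per source.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z smtp client=203.0.113.5 cmd=HELO mail.example.net",
    "2024-05-01T10:00:02Z smtp client=203.0.113.5 cmd=debug",
    "2024-05-01T10:00:03Z smtp client=198.51.100.9 cmd=MAIL FROM:<a@example.net>",
    "2024-05-01T10:01:00Z ftpd client=203.0.113.5 user=anonymous cmd=CWD /pub",
    "2024-05-01T10:01:05Z ftpd client=203.0.113.5 user=anonymous cmd=CWD ~root",
    "2024-05-01T10:01:09Z ftpd client=198.51.100.9 user=bob cmd=CWD ~bob",
    "2024-05-01T10:02:00Z audit uid=0 comm=mknod exe=/bin/mknod",
    "2024-05-01T10:02:30Z audit uid=1002 comm=mknod exe=/bin/mknod",
    "2024-05-01T10:02:31Z audit uid=1002 comm=ls exe=/bin/ls",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"line {f.line_no}: {f.rule} from {f.actor} ({f.source})")
```

The rules are deliberately narrow: the SMTP rule fires on the verb alone regardless of case, the FTP rule only on `~root` (with or without a trailing path), and the audit rule only on `mknod` from a non-zero uid, so the output is a short list you can act on rather than a stream of every directory change.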
Vulnerability CVE-2000-0388
Picture this: a seemingly innocent environment variable—a string of text your computer uses to know what kind of terminal you're on. Now imagine that if you type a really, really long one, it can overflow a buffer and give someone total control of your system. That's the core of CVE-2000-0388, a classic buffer overflow in FreeBSD's libmytinfo library. This isn't some far-off theoretical flaw. It's a local privilege escalation vulnerability, meaning an attacker who already has some access to your machine—like a user with a low-level account—can exploit it to run arbitrary commands. Think of it as a backdoor for anyone who can log in and type a long, malicious string into the TERMCAP variable. Who's affected? Any system running FreeBSD with the vulnerable version of libmytinfo. While this vulnerability is old (discovered in 2000), it serves as a stark reminder that even ancient bugs can linger in unpatched systems. The impact? A local user can gain root-level access, potentially stealing data, installing malware, or wreaking havoc. The takeaway is simple: patch your systems. If you're still running an old FreeBSD version, upgrade to a secure release. For modern systems, ensure your package manager has the latest security updates. And as a general rule, limit local user access—if an attacker can't log in, they can't exploit this. But here's the deeper lesson: buffer overflows are the ghosts of computing past, yet they still haunt us. They remind us that every line of code is a potential door left ajar. So, stay vigilant, keep your software fresh, and never underestimate the power of a simple string.
Vulnerability CVE-1999-0209
In the wild west of early internet security, a ghost from 1999 still haunts the digital landscape. A flaw called CVE-1999-0209 lives in the SunView (SunTools) selection_svc facility, letting anyone with network access peek at files on a vulnerable system. Think of it as an unlocked window in an old server room — no key required, just a bit of know-how. This vulnerability doesn't discriminate. It affects systems running SunView, a graphical user interface from Sun Microsystems that was popular in academic and research environments. If your organization still uses legacy Sun hardware or software — perhaps in a lab, a museum, or a forgotten corner of the network — you're at risk. The impact is straightforward but serious: remote users can read any file the system can access. No authentication needed, no fancy exploits, just a direct line to sensitive data. The good news? This is an old vulnerability with established fixes. If you're running SunView, the first step is to check if the selection_svc service is active. Disable it immediately if not needed. For systems that require it, apply the vendor patch or upgrade to a supported version of Solaris or OpenSolaris. Network segmentation is your friend here — isolate these legacy systems from the internet and sensitive internal networks. Monitor logs for unusual file access patterns, and consider implementing host-based firewalls to block unexpected connections. The real takeaway is a lesson in digital archaeology: old vulnerabilities don't die, they just wait. CVE-1999-0209 reminds us that every system left running is a potential entry point. Patch early, patch often, and never assume a 25-year-old flaw won't come knocking.
Vulnerability CVE-1999-1198
Imagine a backdoor so old it predates the Y2K panic, yet it still holds a lesson for today. That’s the ghost of CVE-1999-1198, a vulnerability lurking in NeXT systems before version 2.0. The BuildDisk program, meant to create bootable disks, had a fatal flaw: it never asked for the root password. For any local user, that meant instant, unchecked access to the highest privileges on the machine. Who should care? Anyone who ever touched a NeXT workstation—think early web pioneers or creative studios—but really, this is a timeless cautionary tale. The impact is stark: a local attacker, perhaps a disgruntled student or a curious employee, could seize full control of the system. No hacking tools, no brute force. Just a simple program that trusted everyone. In today’s world, where insider threats and privilege escalation remain top concerns, this old flaw echoes loudly. So, what’s the takeaway? First, never assume a system’s default permissions are safe. Always verify that critical actions—like system modifications—require authentication. Second, patch aggressively. While NeXT is long gone, modern equivalents like disk utilities or installer scripts should demand root rights. Finally, audit your local access controls. If a user can bypass passwords with a single command, your security is built on sand. This ancient vulnerability reminds us that trust is a liability; always lock the door, even for the people you think you know.