TeamPCP Goes Ransomware, GitHub MCP Zero-Click RCE, Axios CVSS 9.9

TeamPCP Pivots to Ransomware; 474 Repos Confirmed Executing Malicious Code

  • The Axios backdoor has been formally named WAVESHAPER.V2; the Trivy credential stealer is SANDCLOCK; the Telnyx Python SDK compromise delivered DonutLoader + AdaptixC2 on Windows. (Previously: Stardust Chollima/UNC1069 attribution confirmed — now with official malware designations.)
  • 474 public repositories executed malicious code from the compromised trivy-action workflow; 1,750 Python packages were configured to auto-pull poisoned versions.
  • TeamPCP has launched CipherForce, a proprietary ransomware operation built on the campaign's existing access — pivoting from credential theft to direct monetization. Meta paused work with Mercor following confirmed 4TB exfiltration. Google warns hundreds of thousands of stolen secrets remain in active circulation.
  • Minimum safe app versions before May 8 cert-block: ChatGPT Desktop 1.2026.071, Codex App 26.406.40811, Codex CLI 0.119.0, Atlas 1.2026.84.2.

GitHub MCP Server: Zero-Click RCE Force-Disclosed After 30 Days of Vendor Silence

  • A researcher publicly disclosed an unpatched zero-click RCE in github-mcp-server:latest (as of April 13) after reporting via HackerOne on March 14 — closed as "Informative" — and escalating to security@github.com on March 27 with no human response. Triggering a repository metadata fetch against a maliciously crafted repo executes embedded payloads with root privileges; no user interaction beyond connecting the server to an untrusted repository is required.
  • Demonstrated impact: reading /etc/shadow, exfiltrating root SSH keys, intercepting live GitHub access tokens via git config --list, and accessing internal container registry credentials — confirmed inside an Azure-hosted GitHub Actions runner with sudo NOPASSWD: ALL.
  • No patch is available. Restrict github-mcp-server to trusted repositories only; run it in a network-isolated environment with no access to host credentials until a fix ships.

New Axios CVE-2026-40175 (CVSS 9.9); BlueHammer PoC Live; Patch Tuesday and Secure Boot Deadline

  • A separate critical flaw in Axios — CVE-2026-40175 (CVSS 9.9) — is distinct from the March 31 supply chain attack. Missing CRLF sanitization in lib/adapters/http.js (CWE-113) allows prototype-polluted properties from body-parser, qs, or minimist to inject smuggled HTTP headers, bypassing AWS IMDSv2 token protections to exfiltrate IAM credentials via the EC2 metadata service with zero direct user input. A public PoC is available. Affects all Axios versions prior to 1.13.2 — patch to 1.15.0+.
  • The BlueHammer Windows LPE zero-day PoC was published on GitHub by "Chaotic Eclipse" and "Nightmare Eclipse" following a dispute with Microsoft. (Previously: reported as a leaked exploit with unconfirmed component — now publicly available.) A fix is expected in today's Patch Tuesday.
  • April 2026 Patch Tuesday (April 14) is expected to cover 80–100+ CVEs against a backdrop of recent update quality issues, including KB5079391 being pulled within 24 hours last month. Secondary deadline: Secure Boot certificates expire June 26 — 73 days remain to deploy 2023-vintage certificates before systems lose boot manager security fixes and become vulnerable to bootkits like BlackLotus. Verify UEFICA2023Status registry key and prioritize OEM firmware on pre-2024 hardware.
  • Adobe revised CVE-2026-34621's CVSS to 8.6 (down from 9.6), reclassifying severity from Critical to High. Patch and mitigation guidance are unchanged.
  • CVE-2026-1492 in the WordPress User Registration & Membership plugin allows unauthenticated full admin account takeover via an auth bypass flaw. Patch available — update immediately.
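The CVE-2026-40175 bullet above describes two conditions that have to meet for the smuggling to work: a header object that picks up entries it never set (via a polluted prototype) and a client that does not reject CR/LF in header values. The following is an added example, not Axios project code or the published PoC; it is a defensive pre-flight check a caller can run on an outgoing header object before handing it to any HTTP client. The function names and the sample inputs are constructed for illustration.

```javascript
// Added example (not Axios code): audit an outgoing header object for the two
// failure modes in the CVE-2026-40175 write-up: CR/LF in header values
// (CWE-113) and header entries that are inherited from the prototype chain
// rather than set by the caller. Names and samples below are constructed.

const { hasOwnProperty } = Object.prototype;

// Approximation of the rules an HTTP client should enforce: token characters
// only in names; no CR, LF or NUL anywhere in values.
const HEADER_NAME_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
const FORBIDDEN_VALUE_RE = /[\r\n\0]/;

/**
 * Return a list of problems found in `headers`; an empty list means the
 * object is safe to serialise. Only own properties are accepted. Anything
 * reachable through the prototype chain is reported, because a polluted
 * Object.prototype would otherwise be emitted as if the caller had set it.
 */
function auditHeaders(headers) {
  const problems = [];
  if (headers === null || typeof headers !== 'object') {
    return [{ reason: 'headers is not an object' }];
  }
  // for...in also walks inherited enumerable keys, which is exactly how a
  // polluted prototype leaks into a request.
  for (const name in headers) {
    if (!hasOwnProperty.call(headers, name)) {
      problems.push({ name, reason: 'inherited (prototype-pollution) header' });
      continue;
    }
    if (!HEADER_NAME_RE.test(name)) {
      problems.push({ name, reason: 'invalid header name' });
      continue;
    }
    const value = String(headers[name]);
    if (FORBIDDEN_VALUE_RE.test(value)) {
      problems.push({ name, reason: 'CR/LF/NUL in header value' });
    }
  }
  return problems;
}

/**
 * Build a clean, prototype-less header object containing only own,
 * well-formed entries. Throws instead of silently dropping entries so a
 * poisoned request fails closed rather than going out partially sanitised.
 */
function sanitizeHeaders(headers) {
  const problems = auditHeaders(headers);
  if (problems.length > 0) {
    throw new Error('unsafe headers: ' + JSON.stringify(problems));
  }
  // Object.create(null): a later pollution of Object.prototype cannot add
  // keys to this object, so it is safe to pass on to the client.
  const clean = Object.create(null);
  for (const name of Object.keys(headers)) clean[name] = String(headers[name]);
  return clean;
}

// Constructed demonstration: a normal request, then a header object whose
// prototype carries an injected entry (simulated with Object.create rather
// than by mutating the global Object.prototype).
function demo() {
  const ok = auditHeaders({ 'Content-Type': 'application/json' });
  const polluted = Object.create({ 'X-Injected': 'a\r\nX-Smuggled: b' });
  polluted['Content-Type'] = 'application/json';
  return { ok, polluted: auditHeaders(polluted) };
}
```

Running `demo()` returns no findings for the plain object and one `inherited (prototype-pollution) header` finding for the second, without ever reaching the CR/LF check; the own-property test fires first because an inherited entry is already a sign that something outside the caller has shaped the request.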

Mythos Preview Benchmark: 72.4% Autonomous Exploit Chain Rate; gadstat.com Under Investigation

  • Techzine's Mythos Preview analysis puts autonomous exploit-chaining success at 72.4%, including fully autonomous identification and exploitation of CVE-2026-4747, a 17-year-old RCE in FreeBSD's NFS server. (Previously: Wiz CTO commentary on structural shift and Glasswing consortium scope — now a specific benchmark figure is public.) Heidy Khlaaf (AI Now Institute) and Marcus Hutchins have cautioned against accepting the figure without disclosure of false-positive rates and human-review methodology.
  • Scott Helme and ReportURI are investigating gadstat.com — a newly registered domain appearing as an analytics endpoint across multiple unrelated production sites simultaneously over the weekend. Investigation is ongoing with no formal advisory yet; block outbound traffic to gadstat.com pending resolution.

AgentAuditKit, Red Hat Fromager, and the AI Code Confidence Gap

  • AgentAuditKit (pip install agent-audit-kit) delivers 77 rules across 13 scanners auditing MCP configurations for Claude Code, Cursor, Copilot, Windsurf, Amazon Q, and Gemini CLI. Findings from public config analysis: 100% of .mcp.json files using npx had unpinned packages; 23.4% of remote MCP servers had no auth; CVE-2026-21852 (enableAllProjectMcpServers: true) auto-approves all servers, including those from untrusted repos; 43% of MCP servers were vulnerable to invisible tool poisoning via zero-width Unicode characters (72.8% attack success rate on the MCPTox benchmark). Supports tool-definition pinning by hash. Repo: sattyamjjain/agent-audit-kit.
  • Red Hat open-sourced Fromager, which rebuilds entire Python dependency trees from source inside network-isolated Linux namespaces — blocking compromised setup.py from phoning home or exfiltrating secrets at compile time, a direct counter to ultralytics-style and torchtriton PyPI attacks. Outputs a verifiable dependency DAG rather than isolated packages; already Red Hat's core AI wheel-building engine. Repo: python-wheel-build/fromager.
  • The Purple Book State of AI Risk Management 2026 (650+ senior security decision-makers) finds 70% of organizations report confirmed or suspected AI-generated code vulnerabilities in production, yet 83% claim their existing tools detect them effectively — with 92% of those finding production vulns still rating their tools as working, indicating detection is happening post-deployment rather than in the pipeline. 59% confirm ungoverned shadow AI is present; 78% are piloting or deploying agentic AI, but only 72.7% claim to actively track MCP servers or equivalent frameworks.
