Your AI tools are now the attack surface

Mini Shai-Hulud: SAP CAP npm Packages Compromised, Claude Code Sessions Weaponized as Persistence Hook

• Four SAP CAP Framework npm packages were trojanized April 29: @cap-js/sqlite@2.2.2, @cap-js/postgres@2.2.2, @cap-js/db-service@2.10.1, and mbt@1.2.48 — collectively covering roughly 570K weekly downloads — each carry a preinstall hook that downloads the Bun runtime and executes an 11.7 MB obfuscated credential stealer; Wiz attributes the campaign to TeamPCP with high confidence via a shared RSA-4096 public key from the Bitwarden CLI payload. Over 1,100 victim-created exfil repos appeared on GitHub with the description "A Mini Shai-Hulud has Appeared."

• On CI runners, a bundled Python script reads /proc/<pid>/mem for the Runner.Worker process, extracting every GitHub Actions masked secret matching "key":{"value":"...","isSecret":true} — bypassing all platform-level log masking. Browser credential theft from Chrome, Safari, Edge, Brave, and Chromium is also bundled — a new capability not present in prior TeamPCP payloads.

• The campaign's novel persistence mechanism: malware writes .claude/settings.json (fires dropper on every SessionStart) and .vscode/tasks.json (runOn: folderOpen) into any repo it can write to — any developer who clones and opens an infected repository re-infects their workstation, even without running npm install, per Security Boulevard's payload analysis. The attacker also impersonated Dependabot via a dependabout/... branch to blend CI workflow injections into the commit log.

• Root cause is split: @cap-js packages abused an npm OIDC trusted-publishing configuration gap where a branch push could exchange for a publish token; mbt is suspected to involve a static token exposed via a misconfigured CircleCI job, per CSO Online's analysis.

• Safe versions: sqlite → 2.4.0, postgres → 2.3.0, db-service → 2.10.2+, mbt → 1.2.49; full IOCs, hashes, and Snyk advisories are published. Rotate all GitHub tokens, npm publish tokens, AWS/Azure/GCP creds, K8s configs, and SSH keys from affected environments. Audit all repos for .claude/settings.json and .vscode/tasks.json referencing setup.mjs. Add --ignore-scripts to npm install in CI by default.

---

cPanel CVE-2026-41940: 65-Day Zero-Day, CRLF-to-Root, 1.5M Instances Exposed with PoC Now Public

• CVE-2026-41940 (CVSS 9.8) was exploited as a zero-day since at least February 23 before disclosure on April 28, per KnownHost CEO Daniel Pearson; Rapid7 counts approximately 1.5 million internet-accessible cPanel and WHM instances on Shodan.

• watchTowr's root cause: cpsrvd writes a pre-auth session file to disk on any failed login — an attacker injects \r\n via the Authorization header to write attacker-controlled parameters including user=root in plaintext, then triggers a session reload to authenticate without a valid password, per BleepingComputer's technical breakdown. A Detection Artifact Generator script is now publicly available on GitHub.

• Patch by running /scripts/upcp --force; fixed builds: 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, 11.136.0.5, WP Squared 136.1.7. If patching is not immediate, block ports 2083, 2087, 2095, and 2096 at the firewall and stop cpsrvd/cpdavd. Run cPanel's compromise detection script, then purge sessions and reset all credentials if indicators are found. IOC: sessions combining token_denied + cp_security_token with method=badpass, or tfa_verified without a valid origin.

---

PromptMink: Famous Chollima Planted RAT via Claude Opus–Co-Authored Commit; SSH Persistence Survives Uninstall

• ReversingLabs documented "PromptMink" — a 7-month Famous Chollima npm campaign: 60 packages, 300+ malicious versions; a February 28 commit co-authored by Claude Opus introduced @solana-launchpad/sdk as a dependency of the openpaw-graveyard crypto trading agent — only the transitive @validate-sdk/v2 carries the payload, bypassing SCA tools that scan the top-level manifest. (Same cluster as Contagious Interview, previously covered in Issue #3 — now confirmed using AI-assisted commits to introduce malicious transitive dependencies.)

• On Linux, the payload plants the attacker's SSH public key in ~/.ssh/authorized_keys — backdoor access that survives npm uninstall entirely. Later Rust-compiled variants compress and exfiltrate entire project directories for IP theft, not just credentials.

• The parallel Graphalgo campaign creates fake companies with registered LLCs (Veltrix Capital, Blocmerce, Bridgers Finance) and conducts fake developer job interviews on Upwork and LinkedIn, directing candidates to clone malicious repos and run npm install && npm start. Audit ~/.ssh/authorized_keys on all developer machines for unauthorized entries; treat any AI-agent-authored commit introducing a new transitive dependency as requiring manual security review.

---

Chrome Skia Fix Pulled from Latest Release; Gemini CLI Pre-Sandbox RCE Fully Detailed; RedSun Day 16

• Chrome 146.0.7680.75/76 patches CVE-2026-3910 (V8, actively exploited) but intentionally withholds the CVE-2026-3909 fix — an out-of-bounds write in the Skia graphics library, also confirmed exploited in the wild, that enables drive-by RCE with no user interaction beyond visiting a malicious page. The CVE-2026-3909 patch was pulled from the current release and will ship in a future update; monitor Chrome Releases and update Chromium-based browsers (Edge, Brave, Opera) as vendor patches land.

• Novee Security published full technical details on GHSA-wpqr-6v78-jr5g in Gemini CLI: the tool loaded workspace agent configuration before sandbox initialization, automatically trusting the current folder — a malicious .gemini/settings.json in any cloned repo executed arbitrary commands on the CI runner with no prompt injection or user interaction required. This is distinct from the April 16 issue-body injection (Issue #10); update to the latest @google/gemini-cli and pin the run-gemini-cli GitHub Action by commit SHA.

• RedSun and UnDefend remain unpatched on Day 16 of confirmed active exploitation; Microsoft has added Defender detection signatures for the base RedSun technique, but a circulating obfuscated variant is claimed to bypass them. No out-of-band advisory has shipped from Microsoft.

---

Wiz 2026: MCP in 80% of Environments, Third-Party AI Ingestion Is the Uninventoried Attack Surface

• 81% of cloud environments run managed AI services; 90% run self-hosted AI software — Wiz's 2026 State of AI in the Cloud report classifies AI as inherited infrastructure, not a discrete deployment decision. MCP servers are present in at least 80% of cloud environments; AI-integrated IDE extensions appear in at least 80% of organizations.

• 68% of organizations self-hosting AI models ingest them at least partly via third-party software — an attack surface not explicitly chosen and often uninventoried; 42% depend on a single AI model. The SAP Mini Shai-Hulud attack above is a live example: @cap-js packages pulled by automated workflows represent inherited AI infrastructure that no team explicitly approved.

• Only 5% of organizations expose MCP servers directly to the internet, but the internal MCP footprint is broad and spans cloud security, AppSec, and data governance ownership boundaries — Wiz's core recommendation is applying the same asset inventory, configuration review, and identity governance to AI workloads as to any other production system.