InfoSec Briefing - April 30, 2026

🎧 Audio Briefing

Playback Speed:

Good morning. This is your security briefing for Thursday, April 30, 2026. We're analyzing 5 articles today. All attribution is by the article authors. All article analysis is automated.

Hunt dot io reports on the exposure of xlabs version one, a DDoS-for-hire operation built on Mirai code targeting game servers and Minecraft hosts. The operators left a debug build publicly accessible on a Netherlands server, exposing the complete operation including binaries, infection payloads, and proxy credentials. The botnet exploits Android Debug Bridge on port 5555 to compromise IoT devices including Android TV boxes, smart TVs, and routers, employing 21 flood variants and a killer subsystem to eliminate rival botnets.

Theori reports on Copy Fail, a Linux kernel privilege escalation vulnerability affecting mainstream distributions from 2017 to present. The flaw in the AF_ALG crypto API allows unprivileged local users to gain root access through a 732-byte exploit targeting setuid binaries, posing critical risks to multi-tenant environments, container clusters, and CI/CD systems where untrusted code execution occurs.

According to reports from Socket dot dev, WatchTowr Labs, and Semgrep, a coordinated supply chain attack has compromised multiple SAP-related npm packages used in JavaScript and cloud application development. The malicious packages contain preinstall scripts that download and execute unverified Bun binaries designed to steal SSH keys, cloud credentials from AWS, Azure, and GCP, developer configurations, and cryptocurrency wallets from developer machines and CI/CD environments. Meanwhile, WatchTowr Labs reports a critical authentication bypass vulnerability affecting all currently supported versions of cPanel and WHM, allowing attackers to gain unauthorized access to the management plane by manipulating the Authorization Basic header with crafted newline characters. This vulnerability has been exploited as a zero-day in the wild, prompting urgent patching recommendations across six major version branches.

That concludes today's briefing.

📰 Articles Covered

xlabs_v1 DDoS-for-Hire Operation Exposed: How an Operator's Debug Build Unraveled a Commercial Game-Server Botnet - hunt.io

The **xlabs_v1** operation is a **DDoS-for-hire service** that has been exposed due to an operator's debug build being left publicly accessible 【1】. This operation is a **Mirai-derived botnet** that targets **game servers and Minecraft hosts** 【1】.

**What Happened:**
An exposed directory on a Netherlands-hosted server revealed the complete toolkit for the xlabs_v1 operation, including binaries, infection payloads, and proxy credentials 【1】. This allowed for a full reconstruction of the botnet's functionality and infrastructure.

**Who is Affected:**
The primary targets of xlabs_v1 are **game servers and Minecraft hosts**, with bandwidth-tiered pricing for the DDoS-for-hire service 【1】. The infection vector exploits **Android Debug Bridge (ADB)** on TCP/5555, making a wide range of internet-exposed devices vulnerable. This includes **Android TV boxes, set-top boxes, smart TVs, residential routers, and other IoT devices** that ship with ADB enabled by default 【1】.

**Security Implications:**
The xlabs_v1 botnet is a commercial operation that aims to keep compromised IoT devices profitable for its operator 【1】. It employs **21 flood variants** across TCP, UDP, and raw protocols, including techniques to bypass consumer-grade DDoS protection 【1】. The botnet also includes a "killer subsystem" that terminates non-whitelisted processes and specifically targets a rival botnet's port to ensure its full bandwidth quota is available for attacks 【1】. The operation exhibits **moderate tradecraft**, being more sophisticated than typical Mirai forks but less so than top-tier commercial DDoS operations 【1】.

**Technical Details:**
- **Botnet Type:** Mirai-derived, self-branded as xlabs_v1.
- **Infection Vector:** Android Debug Bridge (ADB) on TCP/5555.
- **Target Architectures:** ARM, MIPS, x86-64, ARC, and Android APK.
- **Attack Capabilities:** 21 flood variants (TCP, UDP, raw protocols, RakNet, OpenVPN-shaped UDP).
- **Key Features:**
- **ChaCha20 string protection:** Used to encrypt strings within the binary 【1】.
- **Bandwidth Profiling:** Opens thousands of TCP sockets to Speedtest servers to measure bot bandwidth and assign pricing tiers 【1】.
- **Killer Subsystem:** Terminates competing botnet processes 【1】.
- **OpenNIC-aware DNS resolution:** For resilience against ICANN blocks 【1】.
- **Masquerade:** Processes can masquerade as `/bin/bash` 【1】.
- **Command and Control (C2):** Primarily uses the domain `xlabslover[.]lol` and TCP port 35342 【1】.
- **Infrastructure:** Includes bulletproof hosting netblocks and a SOCKS5 proxy service (Decodo) 【1】.

**What Defenders Should Know:**
Defenders should be aware that xlabs_v1 is a **commercial DDoS-for-hire service** competing on price and attack variety 【1】. The infection vector targets devices with **exposed ADB ports**, making IoT devices and routers particularly vulnerable 【1】. The botnet's ability to bypass consumer-grade DDoS protection and its self-preservation mechanisms (killing rival bots) highlight its effectiveness 【1】. Network indicators such as domains (`xlabslover[.]lol`), IPs (`176.65.139.44`), and ports (`35342`, `24936`) can be used for detection and blocking 【1】. Defenders should also note the presence of a **debug build** on a public server, which indicates a mid-tier level of operational security 【1】.
Copy Fail — 732 Bytes to Root - theori-io

The cybersecurity vulnerability, dubbed "Copy Fail" (CVE-2026-31431), allows an unprivileged local user to gain root access on a Linux system 【1】.

**What Happened:**
The vulnerability stems from an optimization in the kernel's crypto API (`AF_ALG`) that was introduced in 2017. This optimization, specifically `algif_aead`, allowed page-cache pages to be written to a destination scatterlist. The exploit involves editing the page cache of a setuid binary, which, while not persistent across reboots, results in a real root shell 【1】.

**Who is Affected:**
**Essentially all mainstream Linux distributions** with kernels built between 2017 and the patch date are affected 【1】. The vulnerability requires only an unprivileged local user account and does not need network access or special kernel features. The `AF_ALG` module is enabled by default in most distributions 【1】.

The security implications are particularly high for:
- **Multi-tenant Linux hosts:** Shared environments where multiple users share a kernel.
- **Kubernetes/container clusters:** A compromised pod can affect the host node and cross tenant boundaries.
- **CI runners & build farms:** Systems that execute untrusted code, such as self-hosted GitHub Actions, GitLab runners, or Jenkins agents.
- **Cloud SaaS environments:** Platforms running user code in containers or scripts, where a tenant could gain host root access.

For standard servers and single-user workstations, it acts as a local privilege escalation (LPE) vector 【1】.

**Security Implications:**
The primary security implication is **privilege escalation**, allowing an unprivileged user to gain root access. This can lead to:
- Compromise of entire nodes in containerized environments 【1】.
- Cross-tenant boundary breaches in multi-tenant systems 【1】.
- Execution of malicious code with root privileges on CI/CD systems 【1】.

**Technical Details:**
The vulnerability is related to the `algif_aead` module within the kernel crypto API. An in-place optimization introduced in 2017 allowed page-cache pages to be incorrectly written to the destination scatterlist. The exploit manipulates this by editing the page cache of a setuid binary, thereby achieving root privileges 【1】.

**What Defenders Should Know:**
Defenders should **patch their systems immediately** by updating their distribution's kernel package to include mainline commit `a664bf3d603d`. This commit reverts the problematic `algif_aead` optimization 【1】.

**Before patching**, it is recommended to disable the `algif_aead` module by adding the following lines to `/etc/modprobe.d/disable-algif.conf` and removing the module if it's loaded:
```bash
# echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf
# rmmod algif_aead 2>/dev/null || true
```
【1】 Most major Linux distributions are now shipping the fix 【1】.
TeamPCP-Linked Supply Chain Attack Hits SAP CAP and Cloud MTA npm Packages - socket.dev

A supply chain attack has been identified, targeting multiple npm packages associated with **SAP's JavaScript and cloud application development ecosystem** 【1】. The attack involves compromised versions of SAP CAP (Cloud Application Programming Model) and Cloud MTA (Multi-Target Application) npm packages.

**What Happened:**
The compromised npm packages, specifically versions `mbt@1.2.48`, `@cap-js/db-service@2.10.1`, `@cap-js/postgres@2.2.2`, and `@cap-js/sqlite@2.2.2`, contain a malicious preinstall script 【1】. This script acts as a bootstrapper, downloading and executing an unverified Bun binary from GitHub Releases 【1】. The attack appears to involve post-processing of legitimate SAP tarballs, injecting malicious files: a modified `package.json`, `setup.mjs`, and `execution.js` 【1】.

**Who is Affected:**
Developers and CI/CD environments utilizing the affected SAP CAP and Cloud MTA npm packages are at risk 【1】. The attack specifically targets developer machines and CI runners.

**Security Implications:**
The primary implication is the execution of unverified binaries within development and deployment pipelines, posing a significant supply chain risk 【1】. The payload is designed to steal sensitive information, including:
- **Developer Machines:** SSH keys, cloud credentials (AWS, Azure, GCP, Kubernetes), developer tooling configurations (npm, git, docker), environment files, AI tool configurations, cryptocurrency wallets, and messaging application data 【1】. It also attempts to steal GitHub CLI tokens 【1】.
- **CI Runners:** The payload executes a Python script to scan runner memory for secrets, bypassing log masking 【1】.
- **Self-Propagation:** Stolen npm tokens are used to inject the malicious script into other packages maintained by the victim 【1】.
- **Persistence:** Backdoors are established by registering hooks in IDE and AI coding assistant configuration files, such as `.claude/settings.json` and `.vscode/tasks.json`, to re-execute the payload 【1】.

**Technical Details:**
- **Payload Obfuscation:** The `execution.js` file is heavily obfuscated using `javascript-obfuscator` and employs a multi-layered cipher, including PBKDF2 with specific parameters (200,000 SHA-256 iterations, salt "ctf-scramble-v2"), which is identical to tooling used in previous TeamPCP-linked attacks 【1】.
- **Kill Switch:** The payload includes a kill switch that halts execution on systems with Russian locales 【1】.
- **Exfiltration:** Harvested data is encrypted using RSA-OAEP-4096 and AES-256-GCM with a hardcoded attacker public key. Exfiltration occurs via encrypted archives uploaded to a GitHub repository created under the victim's account, using a specific naming pattern 【1】.
- **Attribution:** The attack is attributed to the threat actors behind TeamPCP-linked supply chain campaigns due to technical overlaps, including the cipher implementation, the Russian locale guardrail, and the use of GitHub for staging and exfiltration 【1】.

**What Defenders Should Know:**
Defenders should be vigilant for the following indicators:
- **Suspicious Network Activity:** Monitor for unusual network connections from `npm`, `node`, `bun`, `setup.mjs`, or `execution.js` processes to cloud metadata services (AWS, Azure, GCP) 【1】.
- **GitHub Indicators:** Watch for specific commit messages (`OhNoWhatsGoingOnWithGitHub`, `chore: update dependencies`), repository descriptions (`A Mini Shai-Hulud has Appeared`), and GitHub commit search queries 【1】.
- **File System Modifications:** Be aware of the injected files (`package.json`, `setup.mjs`, `execution.js`) and persistence mechanisms in IDE/AI assistant configurations 【1】.
- **Package Integrity:** Regularly audit npm package dependencies and their installation scripts for unexpected behavior.
The Internet Is Falling Down, Falling Down, Falling Down (cPanel & WHM Authentication Bypass CVE-2026-41940) - watchTowr Labs

A critical **authentication bypass vulnerability**, identified as **CVE-2026-41940**, has been discovered in **cPanel & WHM** 【1】. This vulnerability affects **all currently supported versions** of cPanel & WHM 【1】.

**What Happened:**
The vulnerability lies in how cPanel & WHM handles session loading and saving. Specifically, it allows an attacker to bypass authentication by manipulating the `Authorization: Basic` header. When an attacker sends a crafted header where the decoded `<user>:<pass>` contains `\r\n` within the `<pass>`, these characters are directly written into the session file without proper sanitization 【1】. This bypass allows for unauthorized access to the management plane.

**Who is Affected:**
**All currently supported versions** of cPanel & WHM are affected by this vulnerability 【1】.

**Security Implications:**
The security implications are severe, as this vulnerability has been exploited in the wild as a zero-day 【1】. Attackers can gain unauthorized access to the management plane of a significant portion of the internet that relies on cPanel & WHM. This could lead to a complete compromise of servers and hosted websites.

**Technical Details:**
The vulnerability stems from the `cpsrvd` service, which handles Basic authentication requests. The code responsible for processing the `Authorization: Basic` header decodes the Base64-encoded credentials. The sanitization applied to the password (`set_pass`) only strips NUL bytes, allowing characters like `\r\n` to persist. These characters are then directly written into the session file via `Cpanel::Session::saveSession` without invoking necessary filtering mechanisms 【1】.

**What Defenders Should Know:**
Given that **in-the-wild exploitation has already begun** 【1】, immediate action is crucial. Defenders should **upgrade to the patched versions** of cPanel & WHM as recommended by cPanel 【1】. The specific patched versions are:
* cPanel & WHM 110.0.x - patched in 11.110.0.97
* cPanel & WHM 118.0.x - patched in 11.118.0.63
* cPanel & WHM 126.0.x - patched in 11.126.0.54
* cPanel & WHM 132.0.x - patched in 11.132.0.29
* cPanel & WHM 134.0.x - patched in 11.134.0.20
* cPanel & WHM 136.0.x - patched in 11.136.0.5

Additionally, tools have been released to help defenders **identify vulnerable hosts** within their environments 【1】.
SAP Cloud Build Tool Packaged A Mini Shai-Hulud Malicious Dependency That Uses Bun - semgrep.dev

A coordinated npm supply chain attack, described as "A Mini Shai-Hulud has Appeared," has compromised several SAP development ecosystem packages. The attackers gained access to developer machines and CI environments, stealing credentials and deploying malicious code.

**What Happened:**
Attackers compromised multiple npm packages, including SAP's Cloud MTA Build Tool wrapper (`mbt`) and SQLite adapter for SAP Cloud Application Programming Model (`@cap-js/sqlite`). These malicious packages utilize preinstall hooks to download the Bun JavaScript runtime and execute an obfuscated payload. The attack also involves creating GitHub repositories with the specific description "A Mini Shai-Hulud has Appeared," indicating successful credential theft from affected developer machines or CI environments. The stolen data is then compressed, encrypted using AES-256-GCM, and the AES key is wrapped with an embedded RSA public key.

**Who is Affected:**
The affected packages are:
- `mbt` version `1.2.48` 【1】
- `@cap-js/sqlite` version `2.2.2` 【1】
- `@cap-js/postgres` version `2.2.2` 【1】
- `@cap-js/db-service` version `2.10.1` 【1】

These packages are critical components in common SAP development workflows, making the campaign potentially high-impact for environments where developer machines or CI runners store sensitive information.

**Security Implications:**
The primary security implication is the **theft of sensitive credentials**. The payload targets a wide range of secrets, including:
- GitHub tokens
- npm tokens
- GitHub Actions secrets
- AWS secrets
- Azure Key Vault secrets
- GCP Secret Manager values
- Kubernetes tokens
- Environment variables
- Local developer tooling configurations 【1】

This broad scope of targeted secrets poses a significant risk to the security of SAP development environments and the applications they build.

**Technical Details:**
The malicious packages contain files such as `setup.mjs` and `execution.js` 【1】. The attack leverages preinstall hooks within these packages to download and execute the Bun runtime with an obfuscated payload. The exfiltration process involves creating GitHub repositories with the description "A Mini Shai-Hulud has Appeared," storing results in files under `results/results-<timestamp>-<counter>.json`, and encrypting this data with AES-256-GCM, with the key protected by an RSA public key 【1】.

**What Defenders Should Know:**
Defenders should be vigilant for signs of this attack. This includes:
- **Monitoring GitHub activity** for repositories with the description "A Mini Shai-Hulud has Appeared." 【1】
- **Identifying commits** that contain "OhNoWhatsGoingOnWithGitHub," unexpected `.claude/` or `.vscode/setup.mjs` files, commits titled "chore: update dependencies," or commits authored by `claude <claude@users.noreply.github.com>`. 【1】
- **Searching for result files** under the `results/` directory. 【1】

If any of the affected packages were installed, it is crucial to **rotate secrets broadly**, not just npm tokens. This includes all the types of secrets mentioned in the "Security Implications" section 【1】.