CVE-2026-3854HandsGHESRCEasLLMsAuto-Exploit98%ofKEV

◆ DEEP DIVES

1. 01

   CVE-2026-3854 + Copy Fail + Claude Code: Three Emergency Patches Before Week's End

   The Triage

   Three critical-severity bugs this cycle. One in the code host, one in the kernel, one in the coding agent. All three have public PoCs or in-the-wild activity. None survive a routine change window.

   ---

   CVE-2026-3854 — GitHub Enterprise Server RCE

   Reported by Wiz. CVSS 8.7. The vulnerable component is GitHub's babeld service. Mechanism: semicolons in git push option values override rails_env, custom_hooks_dir, and repo_pre_receive_hooks. Chaining those three escapes the pre-receive sandbox and executes arbitrary binaries as the git service user. GitHub.com was patched in six hours. 88% of self-hosted GHES instances have not patched.

   Blast radius covers Actions runners, deploy keys, cached PATs, every secret, every repository. The entry point is anyone with push access: developers, CI service accounts, authenticated forks. Fixed versions: 3.14.24 / 3.15.19 / 3.16.15 / 3.17.12 / 3.18.6 / 3.19.3.

   If the GHES instance sits in the unpatched 88%, treat every push-capable account as a live attack path until the upgrade lands.

   CVE-2026-31431 — 'Copy Fail' Linux Kernel LPE

   A nine-year-old flaw in the kernel's algif_aead crypto module. The public PoC is a 732-byte Python script that lifts any unprivileged local user to root. No per-distro tuning. The exposure lands hardest on multi-tenant container environments: one compromised workload breaks namespace and cgroup isolation, reaching kubelet credentials and neighbor-tenant data. Remediation is patch the kernel or blacklist the module — echo 'install algif_aead /bin/true' > /etc/modprobe.d/disable-algif_aead.conf, rebuild initramfs, reboot.

   CVE-2026-39861 — Claude Code Sandbox Escape (CVSS 10.0)

   Claude Code below version 2.1.64 ships a symlink-based sandbox escape. A crafted workspace causes the agent to read and write files outside the project root. On a developer laptop that reaches SSH keys, cloud credentials, and local secrets. Push updates to ≥2.1.64 via MDM. Audit shell history and workspace dirs for symlink artifacts.

   ---

   What Connects Them

   All three convert implicit trust in routine developer workflows — pushing code, running a container, opening a workspace — into full compromise. EDR does not inspect git push options. SAST does not see kernel modules. Nobody monitors symlink creation in agent workspaces. The attack surface is the developer toolchain, and each bug sits at a different layer of the same stack.

   Action items

   • Patch GHES to 3.14.24 / 3.15.19 / 3.16.15 / 3.17.12 / 3.18.6 / 3.19.3 — emergency change window today
   • Post-patch: rotate all Actions runner tokens, deploy keys, and cached PATs; hunt babeld logs for semicolons in X-Stat headers
   • Patch Linux kernels or blacklist algif_aead on all container hosts and multi-tenant infrastructure by Friday
   • Force Claude Code update to ≥2.1.64 via MDM; audit developer workspaces for out-of-root symlinks
   • Add detection for AF_ALG socket creation by unprivileged UIDs and unexpected setuid transitions on container hosts

   Sources:TLDR InfoSec · SANS AtRisk · Daniel Miessler · Clint Gibler · CSO First Look · CSO Update

2. 02

   MOAK + Mythos: AI-Accelerated Exploitation Rewrites Every Patch SLA You Have

   The Numbers That Changed

   Three data points this cycle retire every vulnerability management SLA written before 2026:

   1. MOAK (Mother of All KEVs) used publicly available Opus 4.6 and GPT-5.4 to produce working exploits for 174 of 178 CISA KEV entries published after model training cutoffs, a 98% success rate. Memorization is ruled out. The models are reasoning about novel vulnerabilities from advisory text.
   2. LiteLLM CVE-2026-42208, a pre-auth SQLi exposing provider API keys, was weaponized in 36 hours with no public PoC. LMDeploy SSRF was exploited in 12.5 hours. The accelerant is the LLM.
   3. Anthropic's Mythos, described by Anthropic as capable of enabling 'dangerous cyberattacks,' was accessed by unauthorized users on the same day as its limited release. The NSA is reportedly operational with it. Reportedly.

   Public LLMs autonomously exploit 98% of known-exploited vulnerabilities for the price of an API call. The 30-day patch SLA is a legacy artifact.

   ---

   What This Means Operationally

   The old assumption was that most KEV entries never see mass exploitation. At 98% autonomous exploit generation, the economic gap between N-day and zero-day is closed. Any internet-exposed asset running a KEV-listed vulnerability is exploitable at commodity cost.

   XBOW's numbers corroborate. GPT-5.5 dropped its internal miss rate from 40% to 10%, with black-box performance exceeding what GPT-5 achieved with source code access. Palo Alto's Zealot agent autonomously chained SSRF → GCP IMDS → BigQuery → IAM escalation → exfiltration and improvised SSH key persistence without instruction.

   HackerOne's decision to pause the Internet Bug Bounty is the institutional admission: 'AI-assisted research is expanding vulnerability discovery... the balance between findings and remediation capacity in open source has substantively shifted.' Discovery has outrun remediation.

   ---

   The Mythos Wildcard

   Sources disagree on Mythos's operational status. Publicly confirmed: Anthropic received a Pentagon 'supply chain risk' designation, the White House blocked expansion to roughly 70 organizations, and unauthorized access occurred on day one. Reported but unverified: deployment at the NSA with autonomous zero-day discovery across every major OS and browser. Treat the second set as rumor until it is not. The capability description itself is a specification competitors will replicate.

   Working assumption: at least one nation-state-adjacent group fields a Mythos-equivalent inside 6–12 months. Plan accordingly.

   ---

   The SLA Math

   Era	Discovery-to-Exploit	Viable Patch SLA
   Pre-2024	Days to weeks	30 days (CISA BOD 22-01)
   Early 2026	12–36 hours (LMDeploy, LiteLLM)	72 hours for internet-exposed
   MOAK-class (now)	Hours from advisory text	48 hours or compensating control

   The gap between 'advisory published' and 'working exploit available to any attacker with an API key' has collapsed to the time it takes to run an inference call. Patch velocity is a perimeter control now, not a hygiene metric.

   Action items

   • Rewrite KEV-linked patch SLAs to 72 hours for internet-exposed assets and 48 hours for critical/high CVEs with detailed advisories
   • Stand up automated daily KEV-to-asset cross-referencing against your CMDB; alert on any match without a patch ticket
   • Expand virtual patching and WAF compensating controls for edge systems that cannot meet 72-hour windows
   • Inventory and rotate all OpenAI, Anthropic, and Bedrock API keys that transited LiteLLM or LMDeploy proxies
   • Brief the CISO for board escalation: the offense/defense balance has tipped and HackerOne pausing IBB is the first institutional admission

   Sources:Clint Gibler · TLDR InfoSec · Techpresso · Future Perfect · Last Week in AI · SANS AtRisk

3. 03

   SAP npm Hijack Joins the TeamPCP Cascade: Supply Chain Under Sustained Fire

   Two Active Supply Chain Incidents, One Response Window

   Two distinct supply chain compromises landed in the same 48-hour window. Both target the CI/CD pipeline. Both exfiltrate cloud credentials. Both require action today.

   ---

   SAP npm Maintainer Takeover — April 29

   Attackers compromised SAP npm maintainer accounts and published four malicious packages carrying an 11MB credential stealer. The payload harvests AWS, Azure, GCP, and GitHub tokens via preinstall hooks. Persistence uses VS Code task injection. Lateral movement leverages OIDC token abuse to cross CI/CD boundaries. SAP's namespace sits inside enterprise build pipelines that security teams often do not own.

   This is textbook Shai-Hulud lineage: maintainer credential theft → preinstall hook → stealer → cloud credential exfil → OIDC pivot. The same playbook that hit the 2026 wave of compromised packages, but targeting a trusted enterprise namespace for maximum blast radius.

   Update: TeamPCP/UNC6780 → Bitwarden CLI Cascade

   Google GTIG formally tracks the actor as UNC6780, with their credential stealer designated SANDCLOCK. After a 26-day operational pause, TeamPCP executed a triple-ecosystem compromise on April 21–22:

   • npm: self-propagating worm (CanisterSprawl)
   • PyPI: xinference package
   • Docker Hub: checkmarx/kics repository

   The Docker Hub compromise cascaded: Bitwarden's Dependabot automation pulled the malicious checkmarx/kics:latest image into Bitwarden CI/CD, producing compromised @bitwarden/cli version 2026.4.0. Any pipeline that pulled this version between April 21–23 should be treated as token-exposed.

   A compromise of one security tool, automatically propagated by a dependency-update bot, lands in a downstream security product used by thousands of enterprises. The supply chain amplification pattern we've been warning about is now in production.

   ---

   The Pattern Worth Naming

   The 2026 supply chain wave — Bitwarden CLI, Trivy, LiteLLM, Telnyx, Axios, Vercel, and now SAP — shares one class of root cause: install-time script execution inside trusted build contexts. Pinning and SBOMs do not cover the package manager's own lifecycle hooks. The distinction between 'dependency' and 'code execution' collapses at npm install.

   Separately, cPanel shipped an emergency patch for a critical authentication bypass affecting all supported versions. Namecheap preemptively blocked TCP 2083/2087 across its fleet — a signal of mass-exploitation risk. Patch to 11.136.0.5 or 11.134.0.20.

   ---

   The Acceleration Metric

   Datadog's 2026 DevSecOps report finds half of organizations install a new dependency within 24 hours of release — the exact window where typosquats and compromised-maintainer pushes live undetected. Combined with HackerOne pausing the Internet Bug Bounty because AI-assisted disclosure outpaces remediation, the OSS dependency tree is accumulating unfixed vulnerabilities faster than maintainers can respond.

   Action items

   • Grep all lockfiles (package-lock.json, yarn.lock, pnpm-lock.yaml) for the four malicious SAP-linked npm packages published Apr 29; treat any match as credential compromise
   • Rotate all cloud keys, GitHub PATs, and OIDC trust policies for any CI runner that pulled SAP or Bitwarden CLI packages between April 21–29
   • Pin all Docker images by digest and disable Dependabot auto-merge for security tooling dependencies this sprint
   • Default-deny install-time scripts in CI (npm --ignore-scripts, pip --no-build-isolation) and evaluate verified-source rebuild pipelines
   • Patch cPanel to 11.136.0.5 / 11.134.0.20; block TCP 2083/2087 at perimeter if delayed

   Sources:TLDR IT · SANS AtRisk · Daniel Miessler · TLDR InfoSec · Clint Gibler