Cybersecurity Weekly Briefing, 1 May
CVE-2026-3854 allowed remote code execution on GitHub backend servers
Wiz Research identified a remote code execution vulnerability in GitHub’s internal infrastructure, catalogued as CVE-2026-3854 (CVSSv3 8.8), which allowed any authenticated user to execute arbitrary binaries via a `git push` command with push options.
The flaw lies in an injection vulnerability in the internal X-Stat header, a semicolon-delimited protocol used to propagate security metadata between internal services. The babeld proxy inserted user-controlled strings into X-Stat without sanitising them, allowing security fields to be overwritten due to a parser with last-write-wins logic. Exploitation achieved path traversal and the execution of an arbitrary binary as the git user, with full access to the file system.
On GitHub Enterprise Server (GHES), the impact was a complete server takeover; on GitHub.com, an additional flag enabled enterprise-mode behaviour, allowing shared storage nodes to be compromised.
Wiz confirmed that the git user’s permissions allowed reading any repository hosted on the compromised node, regardless of ownership. GitHub patched GitHub.com and released patches for all supported versions of GHES, so an update to GHES 3.19.3 or later is required.
BlackFile steals credentials and extorts money from retail and hospitality businesses using vishing and social engineering
Researchers from Unit 42 and RH-ISAC have identified a new threat actor called BlackFile, also known as CL-CRI-1116, UNC6671 and Cordial Spider. The attacks, targeting organisations in the retail and hospitality sectors, begin with phone calls from spoofed numbers in which the attackers pose as IT support to trick employees into visiting fake login pages. There the employees enter their credentials and MFA codes for services such as Salesforce and SharePoint; the stolen credentials are then used to extort victims with ransom demands.
Similarities have been observed with groups such as ShinyHunters and possible links to The Com. No specific technical exploits are mentioned, as the attack relies on social engineering, and it is recommended to strengthen identity verification during calls, anti-phishing training and access controls.
Copy Fail: deterministic root escalation in the Linux kernel
Researchers at Theori have discovered a critical privilege escalation vulnerability in the Linux kernel known as Copy Fail (CVE-2026-31431, CVSSv3 7.8 according to kernel.org). The flaw allows any unprivileged local user to reliably and deterministically gain root access via a one-time exploit. It works without modification on multiple distributions (Ubuntu, Amazon Linux, RHEL, SUSE and others) and has remained latent for nearly a decade.
The cause is a logic flaw combining AF_ALG, the splice() system call and an in-place optimisation introduced in 2017 in algif_aead.c. This optimisation allowed writing to live pages in the page cache used as a cryptographic destination. An earlier bug in authencesn writes 4 bytes out of bounds, allowing modification of page cache data from readable files. The attack can corrupt setuid-root binaries such as /usr/bin/su, achieving execution with maximum privileges.
The vulnerability affects kernels built since 2017 and crosses container boundaries, as the page cache is shared between containers on the same host. Mitigation involves updating the kernel or disabling the algif_aead module and blocking AF_ALG.
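The module-level mitigation above only works if `algif_aead` and the AF_ALG core (`af_alg`) are loadable modules; if either is built into the kernel, a modprobe blacklist has no effect and only the kernel update helps. The following Python is an added helper, not Theori's or any distribution's tooling, that classifies a host from its `/proc/modules` and `modules.builtin` contents and emits a `modprobe.d` fragment. The two sample inputs are constructed, and the file path used for the fragment is an assumption.

```python
"""Classify Copy Fail exposure from /proc/modules and modules.builtin.

Added example with constructed sample inputs; the conf file path is an
assumed convention, not a distribution default.
"""
import os
from pathlib import Path

# Modules the page names as the mitigation targets: the AEAD interface and
# the AF_ALG socket family core it depends on.
TARGET_MODULES = ("algif_aead", "af_alg")

# Constructed sample: both modules loaded as ordinary modules.
SAMPLE_PROC_MODULES_LOADED = """\
algif_aead 16384 0 - Live 0x0000000000000000
af_alg 16384 1 algif_aead, Live 0x0000000000000000
ext4 901120 2 - Live 0x0000000000000000
"""
SAMPLE_BUILTIN_NONE = """\
kernel/fs/ext4/ext4.ko
kernel/crypto/sha256_generic.ko
"""

# Constructed sample: af_alg compiled in, algif_aead not currently loaded.
SAMPLE_PROC_MODULES_EMPTY = "ext4 901120 2 - Live 0x0000000000000000\n"
SAMPLE_BUILTIN_AFALG = """\
kernel/crypto/af_alg.ko
kernel/fs/ext4/ext4.ko
"""


def _norm(name: str) -> str:
    # Module names may appear with '-' in file names and '_' in /proc/modules.
    return name.replace("-", "_")


def parse_proc_modules(text: str) -> set[str]:
    """First whitespace-separated column of each /proc/modules line is the name."""
    return {_norm(line.split()[0]) for line in text.splitlines() if line.strip()}


def parse_modules_builtin(text: str) -> set[str]:
    """modules.builtin lists paths such as kernel/crypto/af_alg.ko."""
    names = set()
    for line in text.splitlines():
        line = line.strip()
        if line:
            names.add(_norm(Path(line).name.removesuffix(".ko")))
    return names


def copy_fail_exposure(proc_modules: str, modules_builtin: str) -> dict[str, str]:
    """Return 'builtin', 'loaded' or 'not loaded' for each target module.

    'not loaded' is not 'safe': AF_ALG loads algif_* modules on demand when a
    socket of that type is opened, so the install/blacklist rule is still needed.
    """
    loaded = parse_proc_modules(proc_modules)
    builtin = parse_modules_builtin(modules_builtin)
    status = {}
    for mod in TARGET_MODULES:
        if mod in builtin:
            status[mod] = "builtin"
        elif mod in loaded:
            status[mod] = "loaded"
        else:
            status[mod] = "not loaded"
    return status


def blacklist_possible(status: dict[str, str]) -> bool:
    """A modprobe rule only helps when nothing we target is compiled in."""
    return all(s != "builtin" for s in status.values())


def modprobe_fragment() -> str:
    """'install X /bin/false' defeats on-demand loading; 'blacklist X' stops alias autoload."""
    lines = []
    for mod in TARGET_MODULES:
        lines.append(f"install {mod} /bin/false")
        lines.append(f"blacklist {mod}")
    return "\n".join(lines) + "\n"


def check_live_system() -> dict[str, str]:
    """Read the real files on this host (paths are the usual Linux locations)."""
    proc = Path("/proc/modules").read_text()
    builtin_path = Path("/lib/modules") / os.uname().release / "modules.builtin"
    builtin = builtin_path.read_text() if builtin_path.exists() else ""
    return copy_fail_exposure(proc, builtin)


if __name__ == "__main__":
    status = check_live_system()
    print(status)
    if blacklist_possible(status):
        print("write to /etc/modprobe.d/disable-af-alg.conf (assumed name):")
        print(modprobe_fragment())
    else:
        print("AF_ALG or algif_aead is built in: update the kernel instead")
```

Test the fragment before rolling it out broadly: some userspace, for example cryptsetup and OpenSSL's afalg engine, talks to the kernel crypto API through AF_ALG, so blocking the socket family can break those tools. The `install` rule is the important one, because a plain `blacklist` line does not stop the kernel's own `request_module()` when a process opens an AF_ALG socket.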
TeamPCP compromises Bitwarden CLI with Shai-Hulud
GitGuardian attributes the compromise of the Bitwarden CLI package in the npm repository, detected on 20 April 2026, to TeamPCP. The attack used Shai-Hulud, also tracked as CanisterSprawl, a self-propagating worm targeting development environments. If it fails to reach its primary C2, auditcheckmarxcx, the malware uses GitHub as an alternative C2 by searching for the tag LongLiveTheResistanceAgainstMachines. Shai-Hulud creates repositories on victims’ GitHub accounts to upload encrypted blobs containing exfiltrated credentials.
It also searches for Claude Code, Gemini CLI, Codex CLI, Kiro CLI, Aider and OpenCode to inject code into ~/.bashrc and ~/.zshrc. A confirmed incident began with Dependabot downloading the trojanised Docker image checkmarx/kics:latest on 22 April 2026. The use of Dependabot allowed the payload to be executed in CI with access to repository secrets without human intervention. It is recommended to apply waiting periods before installing new dependency updates.
VECT 2.0: ransomware that unintentionally acts as a wiper
Researchers at Check Point Research have identified VECT 2.0, an evolution of the ransomware first observed in late 2025 under the name vect. In its current version, it has shifted to operating as a Ransomware-as-a-Service (RaaS) model, although it exhibits anomalous behaviour as it unintentionally acts as a wiper on files larger than 128 KB.
This ransomware has been advertised on BreachForums and primarily targets Windows and Linux ESXi environments. It has recently been associated with TeamPCP. Although its aim is to increase the encryption speed for large files, it has a critical flaw, as it reuses the same buffer to generate nonces, causing continuous overwriting, which corrupts the data and limits recovery to approximately 25% of the original file.
◾ This newsletter is one of the deliverables of our Operational and Strategic Intelligence service. If you are interested in knowing the rest of the Operational and Strategic Intelligence contents included in the service, please contact us →