Threat Analysis: Critical cPanel Exploit, TeamPCP Supply Chain Attacks, and the NCSC's Patch Wave Warning
Hello, Mauven here.
This is your Daily Threat Analysis for 1st May 2026.
Three items today, all of them connected by the same underlying problem: organisations are running software they haven’t checked, on infrastructure they don’t fully understand, and attackers are exploiting both of those facts simultaneously.
1. Critical cPanel Vulnerability: Active Exploitation, Ransomware Already Reported
CISA added a critical cPanel vulnerability to its Known Exploited Vulnerabilities catalogue today, confirming what security researchers had already suspected: attackers were in before the patches landed.
The reporting from The Register notes that at least one victim has already received a ransomware demand. That is the detail worth sitting with for a moment. This is not a theoretical risk or a proof-of-concept. It is an active ransomware operation targeting a vulnerability in software that powers a significant proportion of web hosting infrastructure globally.
What the advisory doesn’t say plainly enough: cPanel is the control panel interface used by a very large number of shared hosting providers — the kind UK SMBs use for their websites, email hosting, and in some cases their entire digital presence. You may not know whether your hosting provider uses it. You should find out today.
The questions to ask your hosting provider are straightforward:
- Are you running cPanel, and if so, which version?
- Have you applied the patch addressing the current KEV-listed vulnerability?
- Do you have monitoring in place to detect exploitation attempts against our hosted services?
If they cannot answer those questions clearly and promptly, that tells you something about the maturity of their security posture.
One further point. The NCSC has published guidance on supplier and hosting security multiple times over the past several years. The fact that SMBs routinely have no visibility into whether their hosting infrastructure is patched — and often don’t know they should ask — is a structural problem, not an individual failure. But it is one that has consequences in the real world, and today is a good illustration of that.
2. TeamPCP Supply Chain Campaign: Open-Source Tools Systematically Compromised
Between late February and March 2026, threat group TeamPCP conducted a coordinated supply chain operation targeting open-source security tooling and developer infrastructure. The scope of what has now been documented is significant.
Affected packages and tools include:
- Telnyx Python SDK — malicious versions 4.87.1 and 4.87.2 were published to PyPI. The Telnyx SDK has approximately 750,000 monthly downloads.
- Trivy and KICS — widely used open-source vulnerability scanners
- LiteLLM — a popular AI gateway used in development pipelines
The technical execution of the Telnyx attack is worth understanding because it shows how much effort TeamPCP put into evasion. The payload was not simply injected into the package code. Instead, the attack used a three-stage architecture: the trojanised package triggered a platform-specific loader; the loader downloaded a second-stage payload hidden inside a WAV audio file using steganography; and that second stage deployed a credential harvester, which collected stored credentials, encrypted them, and exfiltrated them to attacker-controlled infrastructure.
Steganography, hiding malicious code inside innocuous-looking media files, is not typical of opportunistic attackers. It requires deliberate planning and a specific interest in evading detection: on the wire and on disk the second stage is a valid audio file, so controls that key on executable file types or MIME types have nothing to flag until the loader extracts the payload. The fact that TeamPCP used it here, combined with the deliberate targeting of security tooling, suggests this group has a reasonably sophisticated understanding of how defenders operate and is actively trying to stay ahead of detection.
The CVE associated with this campaign is CVE-2025-55182.
What this means for UK SMBs:
If your business uses any managed service provider, web developer, or IT support contractor who works in Python environments or uses open-source security scanning tools, you have indirect exposure here. The credential theft payload doesn’t just target the developer’s machine — it targets whatever credentials are accessible from that machine. That could include cloud provider API keys, GitHub tokens, database credentials, and access to client environments.
This is not hypothetical. The SAP npm package compromise — a separate but contemporaneous supply chain operation — used a similar approach to harvest CI/CD secrets and developer credentials from GitHub and major cloud providers. Supply chain attacks are no longer the preserve of nation-state campaigns against critical infrastructure. They are a standard tactic.
The advisory attributes the Telnyx attack clearly to TeamPCP. What it does not say explicitly is that the targeting of security tooling specifically — Trivy, KICS — represents an attempt to compromise the instruments defenders use to detect compromise. That is a meaningful escalation in ambition.
3. NCSC Patch Wave Warning: Read Between the Lines
This morning the NCSC published a blog by their CTO, Ollie Whitehouse, warning organisations to prepare for what they are calling a ‘vulnerability patch wave’ — a coming surge of patches that will address, in their words, decades of technical debt.
The surface reading of this is sensible patching hygiene advice. The NCSC has published patching guidance since the organisation's inception; that it still needs to publish it in 2026 tells you how far that advice has actually been acted on.
But there is a more specific inference worth drawing here. When the NCSC publishes this kind of forward-looking warning, not 'here is a vulnerability, patch it' but 'prepare yourself, a wave is coming', it is usually because they are already observing activity in the threat landscape that they cannot fully disclose publicly. The cPanel exploitation landing on CISA's KEV list on the same day is not coincidental context.
The practical implication for UK SMBs is this: if your patching process involves waiting for your IT provider or MSP to get around to it, or if you have a policy of testing patches for several weeks before deployment, you need to have a direct conversation about what your current backlog looks like. Not next month. This week.
The NCSC blog specifically calls out organisations carrying legacy technical debt. Many UK SMBs run on infrastructure that was set up years ago and has been maintained reactively rather than proactively. That is the population most exposed when a patch wave arrives.
What To Do Today
If you use shared web hosting:
- Contact your hosting provider and ask specifically whether they use cPanel and whether they have patched the currently exploited vulnerability
- If they cannot confirm patching status within 24 hours, escalate or consider alternatives
If you use an MSP, developer, or IT contractor:
- Ask whether their development or tooling environment pulls packages from PyPI, and specifically whether the Telnyx SDK, LiteLLM, Trivy or KICS were installed or updated during the February to March 2026 window
- Ask whether they have audited their open-source dependencies since March 2026, including the pinned versions in lock files and CI images, not just what was installed by hand
- Ask which credentials stored in their development environment (cloud API keys, GitHub tokens, database passwords) can reach your systems, and whether those have been rotated
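The dependency audit the questions above ask for, applied to the two Telnyx versions named in section 2, as an added example that is not code from the original post, from Telnyx, or from any of the cited vendors. The only facts it takes from the post are the malicious version numbers 4.87.1 and 4.87.2; the requirements text it runs against is constructed sample input, the function names are my own, and it needs nothing beyond the Python standard library.

```python
"""Audit a Python dependency list for the TeamPCP-trojanised Telnyx SDK releases.

Added example for this post; not code from the original post, Telnyx or any
cited vendor. The malicious version numbers come from the post; everything
else (sample requirements text, function names) is constructed for illustration.
"""
import re
from importlib import metadata

# The two PyPI releases the post identifies as malicious.
MALICIOUS_TELNYX_VERSIONS = {"4.87.1", "4.87.2"}

# Requirement lines look like "telnyx==4.87.1", "Telnyx == 4.87.2 ; python_version >= '3.8'",
# or "litellm>=1.40". Only exact "==" pins can be judged from the file alone.
_NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")
_PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][^\s;#]*)")


def normalise(name):
    """PEP 503 normalisation: 'Telnyx', 'telnyx' and 'TELNYX' all compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text):
    """Return (pins, unpinned): pins maps normalised name -> version for '==' lines;
    unpinned lists names given with a range specifier or no version at all."""
    pins, unpinned = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and whitespace
        if not line or line.startswith("-"):       # skip -r/-e/--index-url option lines
            continue
        pin = _PIN_RE.match(line)
        if pin:
            pins[normalise(pin.group(1))] = pin.group(2)
            continue
        name = _NAME_RE.match(line)
        if name:
            unpinned.append(normalise(name.group(1)))
    return pins, unpinned


def audit_requirements(text, bad_versions=MALICIOUS_TELNYX_VERSIONS):
    """Return the malicious telnyx pins found plus any unpinned packages.
    Unpinned entries cannot be cleared from the file: resolve them (pip freeze) and re-run."""
    pins, unpinned = parse_requirements(text)
    malicious = [(name, ver) for name, ver in pins.items()
                 if name == "telnyx" and ver in bad_versions]
    return {"malicious": malicious, "unpinned": sorted(set(unpinned))}


def installed_telnyx_status(bad_versions=MALICIOUS_TELNYX_VERSIONS):
    """Check the interpreter this script runs in. Returns (version, is_malicious);
    version is None when telnyx is not installed at all."""
    try:
        version = metadata.version("telnyx")
    except metadata.PackageNotFoundError:
        return None, False
    return version, version in bad_versions


# Constructed sample input standing in for a real requirements.txt / pip freeze output.
SAMPLE_REQUIREMENTS = """\
# constructed lock file for the example
requests==2.32.3
Telnyx == 4.87.1 ; python_version >= "3.8"
litellm>=1.40
-e ./internal-tooling
"""

if __name__ == "__main__":
    result = audit_requirements(SAMPLE_REQUIREMENTS)
    for name, ver in result["malicious"]:
        print(f"MALICIOUS pin: {name}=={ver} (known TeamPCP release)")
    for name in result["unpinned"]:
        print(f"UNPINNED: {name} (resolve with 'pip freeze' and re-run)")
    ver, bad = installed_telnyx_status()
    print(f"installed telnyx: {ver!r}, malicious: {bad}")
```

Run it against `pip freeze` output from each developer machine and CI image rather than only the hand-written requirements file: a transitive dependency or a range specifier can pull in one of the bad releases without the name ever appearing pinned. A clean result from this check says the environment does not currently carry those two versions; it says nothing about whether they were installed and since removed, which is the question the credential-rotation ask is there for.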
On patching generally:
- Ask your IT provider or MSP for a current patching status report
- Specifically ask about any unpatched critical or high-severity vulnerabilities across your internet-facing systems
- If you don’t have visibility into your own patch status, that is the first problem to solve
The NCSC has published guidance on all of these areas. The gap is not information. The gap is action.
Sources
| Source | Title | URL |
|---|---|---|
| The Register | First reports come in of victims of critical cPanel vuln as ‘millions’ of sites potentially exposed | https://www.theregister.com/2026/05/01/critical_cpanel_vuln_hits_cisa/ |
| NCSC | Preparing for a ‘vulnerability patch wave’ | https://www.ncsc.gov.uk/blogs/prepare-for-vulnerability-patch-wave |
| Palo Alto Unit 42 | Weaponizing the Protectors: TeamPCP’s Multi-Stage Supply Chain Attack on Security Infrastructure | https://unit42.paloaltonetworks.com/teampcp-supply-chain-attacks/ |
| Hexastrike | Ringing in Chaos: How TeamPCP Weaponized the Telnyx Python SDK | https://hexastrike.com/resources/blog/threat-intelligence/ringing-in-chaos-how-teampcp-weaponized-the-telnyx-python-sdk |
| Trend Micro | TeamPCP’s Telnyx Attack Marks a Shift in Tactics Beyond LiteLLM | https://www.trendmicro.com/en_us/research/26/c/teampcp-telnyx-attack-marks-a-shift-in-tactics.html |
| CISA | Known Exploited Vulnerabilities Catalog | https://www.cisa.gov/known-exploited-vulnerabilities-catalog |