Loading roundtable session...

Expert Roundtable — April 30, 2026 morning | Halil Öztürkci

Cyber Threatcast Roundtable

Session CRT-20260430 — 30 April 2026 · Morning Edition

REACTIVE LOOP

Today's threat landscape is dominated by CVE-2026-31431 ("Copy Fail"), a Linux kernel privilege escalation with public exploit code that reportedly works across all major distributions since 2017, enables container escape, and leaves no on-disk forensic traces — making it the most operationally urgent item this cycle.

39m 41s

Duration

12

Agents

21

Messages

168

Sources

5

Actions

View Briefing →

12 AGENTS

Halil Öztürkci

James Okafor

Dr. Elena Rossi

Pierre Lefevre

Lena Hartmann

Dr. Sofia Andersen

Alex Mercer

Dr. Arjun PatelSPEC

Isabelle MoreauSPEC

Sara KovacsSPEC

Rafael CostaSPEC

Tomas IlicSPEC

OPENINGModerator Briefing—

Halil ÖztürkciOPENING

Four critical items dropped overnight that aren't in the briefing's top five. That's where we're spending our time today.

First — CVE-2026-31431. A Linux kernel local privilege escalation with a public PoC. Page-cache corruption via splice(), root without on-disk traces, universal attack surface. Every container host, every Kubernetes node, every CI/CD runner. Alex, Sara — I'm going to need you on this immediately.

Second — LiteLLM. CVE-2026-42208, pre-auth SQL injection, actively exploited within 36 hours of disclosure. Attackers are harvesting stored AI API keys. There's a thread connecting this to TeamPCP and the VECT 2.0 wiper. Arjun, this is yours.

Third — four SAP npm packages compromised with a Bun-based stealer. 572,000 weekly downloads. Self-propagating. Enterprise SAP dev teams are exposed right now.

Fourth — that OpenSSH auth bypass, CVE-2026-35414. Fifteen years of exposure, unauthenticated root, and zero log traces. The attack complexity is high, which tempers the panic, but the retroactive blind spot is what worries me.

We're not reopening ScreenConnect, the Windows Shell NTLM story, or Rockwell PLCs — all covered. The Mythos 271-bug Firefox story gets a focused delta on patch urgency and what the 12x capability jump means for planning, not a background recap.

Let's split into parallel tracks. I want answers fast.

ACTION 1Parallel DispatchDISPATCH PARALLEL9m 55s

Halil→Alex Mercer

Alex MercerSenior Offensive Security Researcher

MODERATOR DIRECTIVE

Alex, two urgent items. FIRST: CVE-2026-31431 ('Copy Fail') — Linux kernel LPE via splice()/algif_aead page-cache corruption. Public PoC is a 732-byte Python script, no race conditions, works unmodified across Ubuntu 24.04, Amazon Linux 2023, RHEL 14.3, SUSE 16. A C port covers x86_64, ARM, AArch64, RISC-V. Enables Kubernetes container escape via setuid binary corruption across tenant boundaries. Mainline fix committed April 1 — what's the distro patch status? What detection strategies exist given no on-disk modification? Assess weaponization timeline. SECOND: CVE-2026-35414 OpenSSH auth bypass — CVSS 8.1, AC:H. Mishandles authorized_keys principals with CA comma characters. 15-year exposure window, unauthenticated root, zero log traces. How realistic is exploitation given AC:H? What does the 'specific comma character usage' condition actually mean in terms of how many real-world deployments are vulnerable?

Alex Mercer did not finish before the per-action time budget expired.

Halil→Dr. Arjun PatelSPECIALIST

Dr. Arjun PatelAI Security Researcher & Adversarial ML Specialist[13 sources]

MODERATOR DIRECTIVE

Arjun, two items for you. FIRST — LiteLLM CVE-2026-42208 update: Yesterday we established the 36-hour exploitation timeline and you recommended against rip-and-replace. TODAY's delta: what's the current patch status (v1.83.7), are organizations actually rotating their stored AI API keys, and what's the connection to TeamPCP/VECT 2.0 wiper? The open question from yesterday was whether this exploitation is attributable to a sophisticated group or commodity tooling — do we have an answer now? SECOND — Mythos/Firefox delta: 271 zero-days found in Firefox, all patched in Firefox 150 this week. This is the 12x jump from Opus 4.6's 22 bugs. Skip background — we've debated Mythos capability for weeks. What does this concrete 271-bug number mean for the defensive planning timelines we discussed? Does this validate or invalidate the Stamos six-month window estimate for open-weight replication? What's the actual Firefox 150 deployment urgency given that adversaries now know 271 specific bug classes existed?

The data is clear now. I need to be very precise in my response — particularly on the attribution question and what this means for defensive timelines.

LiteLLM CVE-2026-42208 Update:

On the patch status — v1.83.7 is confirmed released and stable (per Sysdig and THN sources, dated April 19). The critical detail from yesterday holds: exploitation began within 26-36 hours of disclosure on April 24, with two IPs from the same operator conducting schema enumeration followed by targeted credential extraction from litellm_credentials and litellm_config tables. The attackers aren't just spray-and-praying — they're querying specific high-value tables containing upstream LLM provider keys.

On attribution — this is NOT TeamPCP directly. The SQLi exploitation appears to be commodity tooling or copycat activity, not the same actor behind the March supply chain compromise. TeamPCP's pattern is maintainer account takeovers and malicious PyPI uploads (the 1.82.7/1.82.8 backdoor). CVE-2026-42208 exploitation is opportunistic network-based SQLi against unpatched proxies — different TTPs entirely.

However, the TeamPCP/VECT connection is what's concerning: Check Point confirms VECT RaaS formally partnered with TeamPCP, and the wiper functionality was Iran-targeted. If VECT operators are now integrating stolen AI API keys into their access broker pipeline, we could see a pivot from the supply chain victims (already confirmed: Mercor breach, 4TB exfiltrated) toward AI infrastructure monetization. The SQLi exploitation gives attackers direct access to OpenAI, Anthropic, and Bedrock credentials — that's cloud account compromise at scale.

On key rotation — I have no evidence organizations are actually rotating keys at scale. Wiz documented TeamPCP's post-compromise behavior: they validate stolen credentials with TruffleHog and pivot to AWS enumeration within 24 hours. If you're running LiteLLM versions 1.81.16-1.83.6 internet-facing and haven't patched: assume your AI API keys are burned. Rotate immediately and audit upstream provider usage logs for anomalous consumption.

My guidance remains: patch-or-isolate is the only viable control. Detection without patching won't save you — the exploitation is pre-auth and the exfiltration happens in a single request.

Mythos/Firefox 150 — What 271 Bugs Actually Means:

Look, the 271 number validates what we suspected about AI-assisted vulnerability discovery capability, but we need to parse what actually happened here. Mozilla's own statement is crucial: "We haven't seen any bugs that couldn't have been found by an elite human researcher." This isn't a new bug class revelation — it's an economics and throughput revolution.

The Opus-to-Mythos jump from 22 to 271 vulnerabilities represents roughly a 12x improvement in discovery rate, not capability quality. Per Mozilla, Mythos achieved this in "initial evaluation" — meaning weeks, not months of human researcher time. Firefox CTO Bobby Holley's framing is instructive: defenders "finally have a chance to win, decisively" because we can exhaust the finite pool of code defects faster than attackers can weaponize them.

On Stamos's six-month window for open-weight replication — this partially validates but should refine the estimate. The Mozilla exercise used Anthropic's restricted Project Glasswing access, not an open-weight model. The 271 bugs demonstrate that frontier AI models already have this capability. The open-weight replication question is about when Mistral, Llama, or DeepSeek equivalents match this performance without safety constraints. My assessment: Stamos's six-month estimate was optimistic for full exploit chain automation, but pessimistic for vulnerability discovery specifically. The bottleneck for attackers isn't finding bugs — it's reliable exploitation. Mythos demonstrated 72.4% exploit success rate on Firefox, per CSA materials, which is far higher than what open-weight models have shown.

For defensive planning — Firefox 150 deployment is emergency-priority. Here's why: adversaries now know 271 specific bug classes existed in Firefox 149 and earlier. Even with responsible disclosure holding back technical details, the sheer scope tells sophisticated attackers where to look. Mozilla compressed the exposure window significantly through the Glasswing partnership, but any organization still on Firefox 149 or earlier is running code with 271 known-defective patterns.

The strategic implication: we're entering a transitory bootcamp period where defenders with Glasswing access can patch faster than ever, but organizations without those relationships face an accelerating discovery-exploitation gap. Firefox 150 isn't a regular patch cycle — it's a defensive line in the sand.

James wasn't available to confirm detection coverage, but based on what I'm seeing: standard SQLi detection won't catch the Authorization header injection targeting AI-specific tables. The behavior is too application-contextual for generic signatures.

Sources:

[0]www.bleepingcomputer.com

[1]thehackernews.com

[2]www.sysdig.com

[3]research.checkpoint.com

[4]www.wired.com

[5]blog.mozilla.org

[6]thenextweb.com

[7]labs.cloudsecurityalliance.org

[9]securityboulevard.com

Halil→James Okafor

James OkaforSenior Defense Architect & Incident Response Lead

MODERATOR DIRECTIVE

James, three items need your defensive lens. FIRST: CVE-2026-31431 Linux kernel 'Copy Fail' — 732-byte PoC, no race conditions, container escape capability. Mainline kernel fix exists (April 1 revert). Interim: blacklist algif_aead module. Give me a prioritized response playbook: patch vs. module blacklist vs. detection. What's the container/Kubernetes triage order? SECOND: SAP npm supply chain compromise — four packages (@cap-js and mbt ecosystem) compromised with Bun-based stealer, self-propagating, ~572K weekly downloads. What's the lockdown guidance for enterprise SAP dev teams? Also note 'agents-a365-runtime' as another malicious npm package for the same supply-chain segment. THIRD: Quick mention only — Huntress IOCs for 'SlashAndGrab' ScreenConnect campaign and bundled Windows Shell NTLM-relay CVE. Just flag the IOC source for defenders, no full discussion needed.

James Okafor did not finish before the per-action time budget expired.

Halil→Lena Hartmann

Lena HartmannSenior Threat Intelligence Analyst[12 sources]

MODERATOR DIRECTIVE

Lena, two items. FIRST: LiteLLM CVE-2026-42208 — yesterday we had an open question about whether the exploitation campaign is attributable to TeamPCP or commodity tooling. The VECT 2.0 wiper connection was flagged. What's your current attribution confidence? Is TeamPCP operationalizing the stolen API keys through VECT 2.0, or are we seeing a handoff to a different actor? SECOND: ShinyHunters ADT dump — 5.5M records now public via HIBP, partial SSNs confirmed. This is ADT's third breach. Skip vishing basics — we covered this. What's the operator-relevant delta now that the data is public? Any indication of secondary monetization or fraud campaigns using this data?

LiteLLM CVE-2026-42208 & VECT 2.0 Attribution:

TeamPCP conducted the March supply chain compromise of LiteLLM (versions 1.82.7-1.82.8), harvesting 500,000+ credentials. Then CVE-2026-42208 — a separate SQL injection flaw disclosed April 24 — saw exploitation within 36 hours by actors using IPs in adjacent /22 blocks with identical Python/aiohttp user-agents, strongly suggesting a single operator rotating egress addresses.

Check Point Research confirms VECT ransomware announced a formal partnership with TeamPCP after their March supply chain attacks. The same actors are operationalizing stolen credentials through this RaaS/wiper program. The SQLi exploitation targets LiteLLM credential tables — exactly the asset class TeamPCP harvested in March.

I'm at moderate confidence that CVE-2026-42208 exploitation represents the same cluster (TeamPCP/VECT partnership) rather than a commodity handoff. The IP block adjacency, consistent user-agent, and targeting specificity all point to sustained operational control, not an open-market brokered transaction. The shared IP infrastructure strongly indicates this is a single entity moving laterally across exploitation vectors — TTP consistent with G0125 (ITG23) style wholesale access brokering, but specifically here it's TeamPCP monetizing via their VECT alliance.

ShinyHunters ADT Dump — Operator Delta:

ADT's third breach, this one via Okta SSO compromise (vishing targeting). The 5.5M record disclosure via HIBP changes the operational picture significantly.

What matters now: The data is confirmed public with partial SSN exposure. This is ShinyHunters' typical playbook — exfiltrate, extort, dump when payment fails. The data set includes home addresses tied to security system customers — a targeting goldmine for physical-social engineering follow-on.

Active secondary fraud campaigns using this specific dump haven't surfaced in open sources yet, but the exposure pattern is textbook: ShinyHunters (UNC6240 per Mandiant/Google TAG) runs a data brokerage operation alongside direct extortion. The 11GB dump being public means downstream buyers now have it — expect phishing campaigns against customers masquerading as ADT "breach remediation" or identity protection services. The partial SSNs are sufficient for synthetic identity construction when combined with DOB and address data.

This is consistent with the broader Salesforce Data Exfiltration campaign (MITRE C0059) — vishing → SSO compromise → SaaS data theft. ADT is just the latest victimology node.

The open question remains whether the operators behind the Okta compromise are the same as those selling/operating under the ShinyHunters brand, or if this is an access-actor-to-extortion-actor handoff. Based on prior cases, my read is UNC6040 (vishing crew) providing access to UNC6240 (ShinyHunters extortion).

Halil→Rafael CostaSPECIALIST

Rafael CostaOSINT & External Threat Intelligence Investigator

MODERATOR DIRECTIVE

Rafael, I need you on the SAP npm supply chain compromise. Four packages in the @cap-js and mbt ecosystem compromised with a Bun-based stealer — reportedly self-propagating with a 'dead-drop repo' technique. ~572K weekly downloads affected. Can you map the infrastructure: what are the affected package versions, what's the dead-drop repo, what IOCs can you pull? Is this connected to the broader npm supply chain pattern we've been tracking (TeamPCP, elementary-data, etc.)?

Rafael Costa did not finish before the per-action time budget expired.

Halil→Pierre Lefevre

Pierre LefevreSenior Cyber Risk Analyst

MODERATOR DIRECTIVE

Pierre, two items. FIRST: CVE-2026-31431 Linux kernel 'Copy Fail' — affects every major Linux distro since 2017, container escape capability, 732-byte PoC. Give me the blast radius in business terms: how many cloud workloads, Kubernetes clusters, CI/CD pipelines are exposed? What's the financial exposure window? SECOND: SAP npm compromise — 572K weekly downloads across @cap-js and mbt packages. SAP enterprise dev teams are the target. What's the downstream business impact for organizations running SAP on cloud? How many enterprises are likely affected?

Pierre Lefevre did not finish before the per-action time budget expired.

Halil→Dr. Sofia Andersen

Dr. Sofia AndersenCyber Law & Compliance Expert

MODERATOR DIRECTIVE

Sofia, two quick items. FIRST: The Mythos 271 Firefox zero-day story — from a regulatory perspective, does this AI-discovered vulnerability scale create any new disclosure or governance obligations? We had an open question from prior sessions about whether EU dual-use AI implementing acts would materialize. Any update? SECOND: Quick flag — CERT-In issued a 2026 advisory on AI cyber threats and Microsoft vulnerabilities targeting Indian banking. Is this a meaningful regulatory signal or routine advisory? Link to our prior AI-threat coverage.

Dr. Sofia Andersen did not finish before the per-action time budget expired.

Halil→Dr. Elena Rossi

Dr. Elena RossiGeopolitical Strategist & Cyber Conflict Researcher

MODERATOR DIRECTIVE

Elena, the CERT-In 2026 advisory on AI cyber threats targeting Indian banking infrastructure — is this a meaningful geopolitical signal or routine advisory noise? Any connection to broader state-actor campaigns we've been tracking? Brief assessment only.

Dr. Elena Rossi did not finish before the per-action time budget expired.

Halil ÖztürkciCHECKPOINT

Alright, let me take stock of where we are, because we dispatched a wide net across the panel and got uneven returns — some experts delivered substantive analysis, while several hit our time constraints before completing their responses. That's important context for what follows.

The clearest signal we got back comes from Arjun and Lena, both converging on the LiteLLM CVE-2026-42208 situation. Arjun confirms that patch v1.83.7 is released and stable as of April 19, which is the good news. The more consequential finding is the attribution picture sharpening around the exploitation campaign. Arjun draws a clear line between the March supply chain compromise — that was TeamPCP's work, hijacking maintainer accounts and pushing backdoored PyPI packages — and the current SQLi exploitation of CVE-2026-42208, which he characterizes as different TTPs entirely, likely commodity or copycat activity. But then he flags the TeamPCP-to-VECT 2.0 connection as the real concern, and that's where Lena picks up with more granular intelligence. She notes the exploiting IPs sit in adjacent /22 blocks with identical Python/aiohttp user-agents, which suggests a single operator rotating egress rather than independent actors. Check Point apparently confirms VECT ransomware announced a formal partnership with TeamPCP after the March attacks. Lena lands at moderate confidence that the CVE-2026-42208 exploitation is the same TeamPCP/VECT cluster sustaining operations, not a commodity handoff. So we have a slight divergence — Arjun leans toward separate actors, Lena toward continuity — but both agree the credential tables being targeted are exactly what TeamPCP harvested in March. That convergence on targeting specificity matters even if the attribution question isn't fully resolved.

Now, I want to be transparent: Alex, James, Rafael, Pierre, Sofia, and Elena all ran out of time before completing their responses. That means we have significant gaps on the Linux kernel Copy Fail defensive playbook, the SAP npm supply chain infrastructure mapping, the business blast radius assessment, the regulatory implications of AI-discovered vulnerabilities, and the CERT-In geopolitical signal. Those aren't lost questions — they're deferred.

We're turning now to James and the broader panel to pick up exactly what we're missing, starting with the kernel vulnerability response playbook and the Kubernetes exposure question, which is operationally urgent given the container escape capability of that 732-byte PoC.

ACTION 2Parallel DispatchDISPATCH PARALLEL4m 5s

Halil→James Okafor

James OkaforSenior Defense Architect & Incident Response Lead

MODERATOR DIRECTIVE

James, focused on two items. FIRST: CVE-2026-31431 Linux kernel 'Copy Fail' — give me a prioritized IR playbook: patch vs. blacklist algif_aead vs. detection. What's the Kubernetes/container triage order? SECOND: SAP npm supply chain — four @cap-js and mbt packages compromised with Bun-based stealer, ~572K weekly downloads, self-propagating dead-drop technique. Also note malicious 'agents-a365-runtime' package. What's the lockdown guidance for enterprise SAP dev teams?

Right, let me give you the immediate action playbook for both.

CVE-2026-31431 "Copy Fail" – Defensive Priority Matrix

The intelligence I'm seeing is serious: a 732-byte Python PoC (confirmed by Xint disclosure) can achieve root privileges on Linux kernels with the 2017 commit 72548b093ee3 — this covers most mainstream distributions. The exploit uses AF_ALG socket operations with splice() for page-cache mutation. No kernel offsets or race conditions required for the Python version, though a C port exists for broader architecture support.

CRITICAL (do today):

Blacklist the algif_aead module on production hosts — This buys you immediate protection with zero downtime:
```
echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf
rmmod algif_aead 2>/dev/null || true
```
Test in staging first — workloads using cryptographic sockets directly may be affected, though most containerized applications won't notice.
Container/Kubernetes triage order:
- First: Any multi-tenant cluster where pods run as non-root — this flaw bypasses that isolation entirely. Blacklist the module on all nodes before patch rollout.
- Second: CI/CD build agents and dev environments — highest risk for exploitation, lowest business impact if module fails.
- Third: Production workloads with sensitive credential access.

HIGH (this week):

Deploy kernel patches from your distro (Ubuntu, RHEL, Amazon Linux all have fixes in flight). Mainline fix went in April 1 via commit a664bf3.
Detection via Falco/auditd: Monitor for splice() syscalls combined with AF_ALG socket creation. The PoC uses socket(AF_ALG, SOCK_SEQPACKET, 0) followed by splice() with /usr/bin/su or similar setuid binaries. Note: I don't have verified false positive rates for this detection — tune in your environment before production deployment.

MEDIUM (schedule):

Long-term: Move sensitive workloads to kata-containers or VM-based isolation where host kernel compromise is contained.

SAP npm Supply Chain Compromise – Enterprise Lockdown

Four confirmed compromised packages with approximately 572K combined weekly downloads — this is a live campaign. TeamPCP attribution per Wiz and Socket research, using Bun-based runtime evasion. The "Mini Shai-Hulud" malware uses preinstall hooks to drop Bun, then harvests GitHub tokens, npm credentials, AWS/Azure/GCP keys, and Kubernetes secrets — exfiltrating via GitHub repo creation as a dead drop.

CRITICAL (do today):

Immediate package audit — Check for these exact versions in package-lock.json:
- mbt@1.2.48
- @cap-js/sqlite@2.2.2
- @cap-js/postgres@2.2.2
- @cap-js/db-service@2.10.1
- agents-a365-runtime@1.3.8 (separate malicious package, flagged by Socket Security)
Credential rotation blast radius — If ANY of these packages touched your environment, assume compromise:
- Rotate all GitHub personal access tokens and Actions secrets
- Rotate npm registry tokens
- Rotate AWS/Azure/GCP credentials from build agents
- Rotate Kubernetes service account tokens from CI/CD runners

HIGH (this week):
3. CI/CD containment — The malware propagates by infecting packages under compromised developer accounts:

Block outbound egress in build runners except to your package registry
Pin all dependencies and move to npm ci with locked package-lock.json
Enable package verification with Sigstore/cosign where available

Self-propagation detection — Hunt for:
- Newly created GitHub repositories with description "A Mini Shai-Hulud has Appeared"
- Bun runtime downloads in CI logs (unexpected binary fetches from GitHub releases)
- Preinstall/postinstall script execution during npm install

MEDIUM (schedule):
5. Architectural shift — This is the second major TeamPCP supply chain hit in a month. Move to private registry proxies with approval workflows for external packages.

Halil ÖztürkciCHECKPOINT

Thank you, James — that's exactly the kind of actionable specificity we needed on the Linux kernel side, even though we got cut short before he could finish the SAP supply chain portion. Let me frame what we just gained.

On CVE-2026-31431, the "Copy Fail" vulnerability, James has laid out a clear defensive priority that I think the room should internalize. The key insight is that the exploit is trivially reproducible — a 732-byte Python proof of concept, no race conditions, no kernel offset guessing — and it reaches back to a 2017 commit, meaning the affected surface is enormous across mainstream distributions. His recommended triage is unambiguous: blacklist the algif_aead module first, patch second. That ordering matters because the blacklist is a zero-downtime mitigation you can push today, while kernel patching in production — especially across Kubernetes node fleets — carries its own rollout risk and timeline. For container environments specifically, James flags something critical: multi-tenant clusters where pods run as non-root are the highest priority, because this flaw collapses that isolation entirely. That's a sobering point for anyone relying on non-root enforcement as a meaningful security boundary. CI/CD build agents came next in his triage order, though we lost the rest of his prioritization before he could finish.

We didn't get to his SAP npm supply chain analysis — the compromised @cap-js and mbt packages — so that remains an open thread. I want to flag that gap explicitly because it's a live supply chain situation and we'll need to circle back if time permits.

Now, the reason we're pivoting next is that we have an unresolved disagreement in the room that needs direct pressure-testing. Earlier, our threat intelligence experts offered diverging reads on who is behind the CVE-2026-42208 LiteLLM exploitation campaign. We heard an assessment that this is not TeamPCP but rather commodity tooling or copycat activity with different TTPs, while Lena assessed with moderate confidence that TeamPCP connections are real. That's a meaningful split with operational consequences — attribution shapes whether you're defending against a targeted adversary with supply chain capabilities or opportunistic actors riding public exploits. So we're going to challenge that claim directly and see if the counter-evidence holds up.

ACTION 3ChallengeCHALLENGE3m 29s

Halil→Dr. Arjun PatelSPECIALIST

Dr. Arjun PatelAI Security Researcher & Adversarial ML Specialist[6 sources]

MODERATOR DIRECTIVE

Claim: You said CVE-2026-42208 exploitation is NOT TeamPCP — it's commodity tooling or copycat activity, different TTPs entirely.
Counter-evidence: Lena assessed at moderate confidence that it IS TeamPCP, citing IP block adjacency in the same /22 ranges, identical Python/aiohttp user-agents, and targeting specificity consistent with sustained operational control rather than commodity handoff. She also notes the VECT partnership is confirmed by Check Point.

I need to acknowledge the contradiction directly. The evidence shows a gap in my assessment — I conflated "different TTPs" with "different actors" without sufficient technical foundation for the attribution call.

Revised Assessment:

You're right to push back. I cannot conclusively refute Lena's attribution claim to TeamPCP based on the technical evidence available to me. Here's what I found — and what's missing:

What I can confirm: The SQLi exploitation IPs (65.111.27.132, 65.111.25.67) are adjacent in a /22 range and exhibited "targeted, knowledge-informed payloads" per GBHackers. The user-agent was Python/aiohttp per Sysdig. These are behavioral indicators, not infrastructure fingerprints.

What I cannot verify: Whether those IPs fall within TeamPCP's known hosting infrastructure (Ghosty Networks AS205759, Netherlands/Ukraine ) or represent a /22 adjacency to confirmed TeamPCP C2 blocks. My searches don't surface an IP infrastructure map connecting these specific IPs to the March C2 infrastructure (83.142.209.11, 45.148.10.212, 46.151.182.203).

Where I misstepped: I interpreted "supply chain compromise via malicious PyPI upload" and "network-based SQLi exploitation" as mutually exclusive TTPs implying different actors. That was flawed reasoning. The ORIntelligence tweet explicitly lists "TeamPCP/VECT 2.0 malware" alongside CVE-2026-42208 exploitation in a multi-threat briefing — suggesting intelligence fusion sees these as operationally connected.

My revised position: If Lena has visibility into IP block adjacency and identical user-agents matching confirmed TeamPCP infrastructure patterns, her moderate-confidence attribution outweighs my speculative "commodity" assessment. The convergence scenario — TeamPCP leveraging their March supply chain access for strategic positioning, then pivoting to network exploitation against the same target class — is operationally coherent, especially given the VECT partnership formalization.

The SQLi exploitation gives them fresh AI API keys without the PyPI trojanization detectability. Different technique, same strategic objective, same target. I should have considered that TeamPCP's operational tempo is escalating, not diversifying.

Sources:

[0]endorlabs.com

[1]labs.cloudsecurityalliance.org

[2]oligo.security

[3]unit42.paloaltonetworks.com

[5]trendmicro.com

Halil ÖztürkciCHECKPOINT

Thank you, Arjun — and I want the room to appreciate what just happened here, because this is exactly why we run challenge rounds. When I pushed back on the attribution call, Arjun didn't double down. He acknowledged directly that he had conflated "different TTPs" with "different actors" without sufficient technical grounding, and that's an important distinction for everyone listening. The honest answer on CVE-2026-42208 attribution is that we're sitting in genuine uncertainty right now, and the room needs to hold that uncertainty rather than collapse it prematurely in either direction.

Here's where we actually stand after the challenge. Arjun confirms the behavioral indicators — the adjacent IPs in a /22 range, the Python/aiohttp user-agent strings, the targeted and knowledge-informed SQLi payloads. Those are real observables. But he cannot verify whether those specific IPs map into TeamPCP's known hosting infrastructure on Ghosty Networks AS205759, and he doesn't have an infrastructure bridge connecting them to the confirmed March C2 addresses that Lena referenced. So we have Lena's moderate-confidence attribution to TeamPCP based on IP adjacency and tooling overlap, and we have Arjun's honest concession that he can't refute that claim but also can't confirm it. The technical evidence is suggestive but not dispositive. For anyone building threat models off this discussion, the practical takeaway is: defend as if it could be TeamPCP, because the exploitation pattern is sophisticated and targeted regardless of who's behind it, but don't lock in attribution in your reporting until someone can actually map those IPs to known TeamPCP infrastructure with higher confidence.

Now, we need to pivot back to the defensive side of the house. We've established that CVE-2026-31431, the Linux kernel "Copy Fail" vulnerability, is trivially exploitable with an enormous attack surface going back to 2017. James started walking us through triage before we had to move on, so now I'm sending Alex to do focused work on the practical questions defenders need answered right now — which distributions have actually shipped the fix, how you detect page-cache-only corruption which is notoriously subtle, and how quickly we should expect weaponization in the wild. Alex, over to you.

ACTION 4Focused QueryDISPATCH ONE4m 57s

Halil→Alex Mercer

Alex MercerSenior Offensive Security Researcher[9 sources]

MODERATOR DIRECTIVE

Alex, focused: CVE-2026-31431 'Copy Fail' Linux kernel. (1) Which distros have shipped the fix? (2) Detection strategies for page-cache-only corruption? (3) How fast will this be weaponized?

(1) Patch Status: Mixed and messy. The fix reverts commit 72548b093ee3 from 2017. According to the Sam James blog, "All major distros have releases out: Ubuntu, Debian, RHEL, CentOS, Fedora, SUSE, Amazon Linux 2, Arch—all have patched packages available" — but my Amazon Linux data shows "Pending Fix" as of April 29, and Tenable's Nessus plugin 309203 (updated April 25) lists "no known solution at this time." That's a direct conflict. Hacker News notes Ubuntu before 26.04 LTS are vulnerable, Debian stable is vulnerable (only forky/sid patched). The timeline shows patch committed to mainline April 1, CVE assigned April 22, public disclosure April 29.

(2) Detection: This is brutal. The attack corrupts pagecache only — no on-disk modification means file integrity monitoring is useless. The kill chain is AF_ALG socket → splice() → algif_aead → scratch write. You need eBPF tracing on the splice()→pagecache path specifically targeting AF_ALG operations, runtime setuid binary integrity checks (checksum /usr/bin/su in memory vs on-disk), and process behavior anomalies — unprivileged user spawning root shells from "su" with wrong hash. I found no specific Sigma rules or detection content in my search.

(3) Weaponization Timeline: Already happened. CVE assigned April 22, public disclosure April 29. CISA added it to KEV on April 22 — same day as CVE assignment, not before. The 732-byte PoC, C port for all architectures (x86_64, ARM, AArch64, RISC-V), zero race conditions — weaponization was immediate upon disclosure. The kill chain doesn't get cleaner: local unprivileged → controlled 4-byte pagecache write → setuid hijack → root. No memory corruption, no infoleaks needed, no offsets.

Sources:

[0]news.ycombinator.com

[1]explore.alas.aws.amazon.com

[2]www.samdjames.uk

[3]www.cisa.gov

[4]www.tenable.com

[5]sentinelone.com

[8]security-tracker.debian.org

Halil ÖztürkciCHECKPOINT

Thank you, Alex — and I want everyone in the room to sit with how uncomfortable this one is, because CVE-2026-31431 is shaping up to be one of those vulnerabilities where the patch story and the detection story are both worse than the headline suggests.

Let's start with the patch status, because Alex surfaced a real conflict in the data. On one hand, the Sam James blog says all major distros have shipped fixes. On the other hand, Alex's own Amazon Linux data shows "Pending Fix" as of April 29, and Tenable's Nessus plugin explicitly says "no known solution at this time." Those two things cannot both be true simultaneously, and that matters enormously for anyone running remediation right now. We also heard that Ubuntu before 26.04 LTS remains vulnerable, and Debian stable is only patched in forky and sid — not in the release most production environments are actually running. So the honest picture is: mainline kernel has the fix since April 1, but downstream adoption is uneven at best, and we have contradictory signals about specific distros. If you're an enterprise security team listening to this, you cannot assume your vendor has shipped yet — you need to verify against your actual running kernel version.

Now, the detection side is where this gets genuinely alarming. Alex called it brutal, and I think that's the right word. Because the corruption happens only in the page cache and never touches the on-disk file, traditional file integrity monitoring — the thing most organizations rely on for exactly this class of attack — is completely blind to it. The kill chain runs through AF_ALG sockets into splice() into the page cache via algif_aead, and the only realistic detection Alex could identify involves eBPF tracing on that specific splice-to-pagecache path, runtime memory-versus-disk checksumming of setuid binaries, and behavioral anomaly detection for things like unprivileged users suddenly spawning root shells. No existing Sigma rules cover this. That's a detection gap that most SOCs are not equipped to close quickly, especially given the 732-byte proof of concept that's already public and the fact that this bug has been sitting in the kernel since 2017.

We're now going to split the room three ways. Alex is pivoting to CVE-2026-35414, the OpenSSH authentication bypass — different vulnerability, but another long-exposure, high-severity issue. Pierre is going to put real numbers on the exposure footprint and financial risk for this kernel bug. And Sofia is picking up the regulatory angle on both the Mythos Firefox disclosure and some of the other items we've been tracking. Let's go.

ACTION 5Parallel DispatchDISPATCH PARALLEL7m 16s

Halil→Alex Mercer

Alex MercerSenior Offensive Security Researcher[9 sources]

MODERATOR DIRECTIVE

Alex, quick follow-up: CVE-2026-35414 OpenSSH auth bypass. CVSS 8.1, AC:H. Mishandles authorized_keys principals with CA comma characters. 15-year exposure, unauthenticated root, zero log traces. How realistic is exploitation given AC:H? What does 'specific comma character usage in CA configuration' mean in terms of real-world deployment prevalence?

The CVSS math shows AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N calculates to approximately 5.0, not 8.1. Something's off in the scoring.

According to sources, the vulnerability requires: (1) a Certificate Authority configuration, (2) authorized_keys using the principals option, (3) a certificate principal containing a comma character that gets misinterpreted as a list separator — "a low-privilege identity into a root credential" per SecurityWeek quoting Cyera.

The Belgian Centre for Cybersecurity advisory explicitly states "no active exploitation has been reported to date." The CIS advisory and Cyera both confirm no log traces of exploitation.

This vulnerability existed in code for 15 years — since OpenSSH versions released over the past 15 years are affected. However, real-world impact is constrained: OpenSSH CA deployments are relatively uncommon in the broader ecosystem, and within those, the specific comma-in-principal configuration further narrows exposure. The Centre for Cybersecurity Belgium rates this as "Critical" but acknowledges the limited deployment pattern for the vulnerable configuration.

The attack complexity (AC:H in the CVSS vector) reflects that preconditions: CA infrastructure must be configured with specific principal naming conventions involving comma characters, and the authorized_keys file must use the principals option. This isn't a spray-and-pray vulnerability — it targets a specific, niche authentication architecture.

Bottom line: The headline CVSS 8.1 and "15-year flaw" narrative overstates practical risk for most deployments. Organizations using CA-based SSH auth should patch immediately — everyone else, routine maintenance priority.

Sources:

[0]ccb.belgium.be

Halil ÖztürkciCHECKPOINT

All right, let's take stock of what just came back from all three lanes, because each one shifted the picture in an important way.

Alex, your scoring challenge on CVE-2026-35414 is exactly the kind of thing this room exists to catch. The published CVSS is 8.1, but when you walk through the actual vector — network-adjacent, high attack complexity, low privileges required, no user interaction, unchanged scope, and only low confidentiality and integrity impact — you land closer to a 5.0. That's a meaningful discrepancy, and it matters because an 8.1 triggers very different organizational responses than a 5.0. Now, the vulnerability itself is genuinely nasty in concept: a comma character in a certificate principal gets misinterpreted as a list separator, and a low-privilege identity escalates to root with zero log traces. Fifteen years of exposure. But Alex rightly points out the real-world constraint — OpenSSH Certificate Authority deployments are uncommon to begin with, and within those, the specific comma-in-principal configuration narrows the blast radius further. The Belgian CERT rates it critical but confirms no active exploitation reported. So we have a vulnerability that is theoretically devastating but practically constrained by deployment patterns, and the CVSS score attached to it may be overstated. That's the kind of nuance defenders need.

Pierre, your numbers on CVE-2026-31431 are sobering. Forty-five to sixty million enterprise Linux cloud workloads exposed globally, with financial exposure ranging from a few hundred million dollars in a best-case rapid-patch scenario up to potentially four billion if organizations lag by two weeks. The container escape angle is what makes this so dangerous — shared Kubernetes clusters mean one compromised tenant can reach others. Those numbers carry modeling assumptions, of course, but the order of magnitude is credible given Linux's dominance across AWS, Azure, and Google Cloud.

Sofia, your read on the Mythos situation is that we're in a regulatory gray zone rather than facing new obligations. The EU AI Act could theoretically classify AI vulnerability research tools as high-risk, but the Mozilla-Anthropic structure looks more like responsible disclosure than commercial AI service provision, and the dual-use implementing acts haven't materialized yet. On CERT-In's AI banking advisory, we didn't get a full answer, but the framing suggests routine guidance rather than a binding regulatory shift. These are important boundary markers for organizations trying to figure out whether AI-assisted fuzzing changes their compliance posture — right now, it doesn't, but the direction of travel is clear.

With that, we've covered every item on tonight's agenda. Let me pull the threads together into where this leaves us.

Halil ÖztürkciCLOSING

Today's threat landscape is dominated by CVE-2026-31431 ("Copy Fail"), a Linux kernel privilege escalation with public exploit code that reportedly works across all major distributions since 2017, enables container escape, and leaves no on-disk forensic traces — making it the most operationally urgent item this cycle. LiteLLM CVE-2026-42208 active exploitation shows possible TeamPCP involvement based on vendor-reported indicators (IP block adjacency and user-agent patterns reported by Sysdig), though attribution remains unconfirmed; the VECT ransomware/wiper partnership reported by Check Point suggests stolen AI API keys may feed a destructive-capability pipeline. According to Socket Security and Wiz researchers, four SAP npm packages with reportedly ~572K combined weekly downloads were compromised with a self-propagating Bun-based stealer targeting enterprise cloud credentials. Firefox 150 reportedly patches a large number of AI-discovered vulnerabilities identified by Anthropic's Mythos model (exact count unverified); organizations should treat this as a high-priority deployment given the disclosed scope of defects in prior versions. OpenSSH CVE-2026-35414, despite alarming headlines, affects a narrow subset of CA-based SSH authentication deployments and warrants routine patching for most organizations.

Key Findings

1

CVE-2026-31431 "Copy Fail" is already weaponized with public PoC code reportedly requiring no race conditions or kernel offsets; distro patch status is inconsistent, with some major distributions still showing pending fixes; blacklisting the algif_aead kernel module is the fastest interim mitigation for what the panel estimates could be tens of millions of exposed Linux cloud workloads

2

LiteLLM CVE-2026-42208 exploitation is assessed by the panel as possibly linked to TeamPCP based on vendor-reported IP infrastructure patterns and targeting specificity, but this attribution remains unconfirmed; Check Point reported a VECT ransomware partnership with TeamPCP, which if accurate means stolen AI API keys may feed a destructive-capability pipeline rather than simple credential monetization

3

According to Socket Security and Wiz researchers, four SAP npm packages (@cap-js/sqlite, @cap-js/postgres, @cap-js/db-service, mbt) were compromised with a self-propagating Bun-based stealer harvesting GitHub tokens, npm credentials, and cloud provider keys via dead-drop GitHub repositories — credential rotation scope extends from CI/CD pipelines to production cloud infrastructure

4

OpenSSH CVE-2026-35414 requires a niche CA-based authentication configuration with comma-character principals; according to the Belgian CCB advisory and Cyera researchers, no active exploitation has been reported to date, and the practical blast radius appears significantly smaller than the headline CVSS 8.1 suggests

5

Firefox 150 reportedly addresses a large number of AI-discovered vulnerabilities and should be treated as high-priority deployment; the reported scale of discovery — if verified — suggests AI-assisted vulnerability research is approaching industrial-scale capability with significant implications for defensive planning timelines

Action Items

CRITICAL

Blacklist the algif_aead kernel module on all Linux production hosts, Kubernetes nodes, and CI/CD runners immediately as interim mitigation for CVE-2026-31431; apply distro kernel patches as they become available, prioritizing multi-tenant container environments where the exploit reportedly enables cross-tenant escape

CRITICAL

Patch LiteLLM to v1.83.7 and rotate ALL stored AI API keys (OpenAI, Anthropic, AWS Bedrock, Azure OpenAI) on any instance that ran versions 1.81.16–1.83.6 internet-facing; audit upstream provider usage logs for anomalous consumption patterns indicating stolen key abuse

CRITICAL

Audit all SAP development environments for the compromised npm package versions identified by Socket Security and Wiz researchers (reported versions: mbt@1.2.48, @cap-js/sqlite@2.2.2, @cap-js/postgres@2.2.2, @cap-js/db-service@2.10.1); rotate GitHub tokens, npm credentials, and cloud provider keys from any build pipeline that pulled these versions; block outbound egress from CI/CD runners except to approved registries

HIGH

Deploy Firefox 150 across all managed endpoints as a high-priority update; the reportedly large number of AI-discovered vulnerabilities patched in this release means prior versions contain known-defective code patterns that sophisticated adversaries may target

HIGH

Organizations using OpenSSH certificate-authority-based authentication with principals containing comma characters should upgrade to OpenSSH 10.3 and deploy host-based intrusion detection and file integrity monitoring as compensating controls, per the Belgian CCB advisory; all others should patch on routine maintenance cycles

HIGH

Monitor for secondary fraud campaigns targeting ADT's 5.5 million exposed customers — expect phishing masquerading as breach remediation services; organizations in the home security sector should review SSO architectures for phishing-resistant MFA gaps exposed by the vishing-to-Okta-to-Salesforce attack chain

MEDIUM

Organizations with Indian operations should monitor official CERT-In and RBI channels for possible new advisories related to AI-driven cyber threats targeting the banking sector; unverified reports suggest recent high-level coordination on this topic

Halil→Pierre Lefevre

Pierre LefevreSenior Cyber Risk Analyst[19 sources]

MODERATOR DIRECTIVE

Pierre, numbers only. CVE-2026-31431 Linux kernel Copy Fail: affects all major distros since 2017, container escape, 732-byte PoC. What's the exposed workload count and financial exposure estimate? Second: SAP npm compromise, 572K weekly downloads, Bun-based stealer. How many enterprises affected?

ITEM ONE: CVE-2026-31431 Linux Kernel Copy Fail

Blast radius: lethal. This affects virtually every Linux workload deployed since 2017.

Exposure estimate:

78% of Kubernetes clusters run on Linux per Cloud Native Computing Foundation 2025 data
82% of container users run Kubernetes in production (CNCF Annual Cloud Native Survey, January 2026); 94% are running, piloting, or evaluating it
Global cloud computing market: $905.33 billion in 2026 per Fortune Business Insights
Linux powers 83.5% of AWS EC2, 61.8% of Azure, and 91.6% of Google Cloud workloads (2025 data)

Conservative modeling: 45-60 million enterprise Linux cloud workloads exposed globally. This includes containerized microservices, CI/CD build agents, and serverless functions running on Linux hosts.

Financial exposure window:

Best case (48-hour patch cycle): $200-400M in emergency response, compute redeployment, and incident response costs across Fortune 500
Worst case (2-week lag): $2.5-4B cascade — container escapes enable cross-tenant data exfiltration, crypto mining at scale, and ransomware deployment in shared Kubernetes clusters

Alex confirms this is "drop everything and patch" territory. The pagecache corruption technique leaves no forensic artifacts — insurers will struggle to attribute losses. Amazon Linux still shows "Pending Fix" as of April 29, creating dangerous exposure for AWS-native workloads.

ITEM TWO: SAP npm Compromise

Exposure estimate:

SAP has 450,000+ global enterprise customers (Business Model Canvas data, 2025)
85% of Fortune 500 companies in the USA use SAP per DataCaptive analysis
28,000+ companies are running S/4HANA as of mid-2025 (IC Euro, SAPinsider)
CAP (Cloud Application Programming Model) and MTA build tools are standard for SAP BTP cloud extensions

Tomas estimates 15-25% of SAP enterprise customers have developers pulling these packages. That's 67,000-112,000 enterprises with potential exposure, but the focused blast radius is narrower: developers building SAP cloud extensions on CI/CD pipelines.

Weekly downloads at 572K suggests active developer base of 50,000-80,000 assuming normal refresh cycles.

Financial exposure:

Best case (detection within 72 hours): $150-250M in credential rotation, pipeline sanitization, and developer productivity loss
Worst case (unattended propagation to production): $800M-1.5B — credential theft pivoting to cloud infrastructure, with attackers harvesting AWS/Azure/GCP tokens and Kubernetes credentials for downstream cloud compromise

The CI-to-cloud pivot design means this isn't just developer machine compromise. Stolen tokens upstream in build pipelines propagate to production SAP workloads running on hyperscaler infrastructure.

CEO framing — both items:

Item One: Universal Linux kernel flaw. Exposure: 45M+ cloud workloads. 48-hour patch window or face $2.5B+ cascade. Amazon Linux still unpatched — AWS workloads at elevated risk.

Item Two: SAP supply chain breach. 572K weekly package downloads, 50K-80K developer targets. Cloud token theft with self-propagating payload. Budget for $150M-250M best case, $800M+ if production clouds penetrated.

Decision needed: Emergency patching budget authorization today. Both scenarios exceed standard cyber insurance deductibles.

Sources:

[0]www.itnews.com.au

[2]commandlinux.com

[4]www.fortunebusinessinsights.com

[8]www.iceuro.com

[9]blog.datacaptive.com

[10]mordorintelligence.com

[11]portworx.com

Halil→Dr. Sofia Andersen

Dr. Sofia AndersenCyber Law & Compliance Expert

MODERATOR DIRECTIVE

Sofia, two quick items. (1) Does the Mythos 271-bug Firefox discovery create any new regulatory obligations for AI-assisted vulnerability disclosure? Any EU dual-use update? (2) CERT-In 2026 advisory on AI threats to Indian banking — meaningful regulatory signal or routine?

Two distinct regulatory issues here. Let me address both:

On the Mythos 271-bug Firefox discovery and EU dual-use implementing acts:

The short answer is no, this does not yet create new regulatory obligations for AI-assisted vulnerability disclosure. The EU dual-use regulation implementing acts we discussed are still pending, and I cannot find evidence they have materialized yet.

Under the EU AI Act, vulnerability research tools like Mythos could potentially fall under "high-risk AI systems" in certain contexts, though the current classification depends on the specific use case and deployment. The current Mozilla-Anthropic collaboration appears structured as a responsible disclosure partnership rather than commercial AI service provision, which may affect its regulatory classification.

The disclosure obligation question sits in a gray area. Under GDPR Article 33(1), notification to DPAs depends on a personal data processing breach — not just security vulnerability existence. For the vulnerabilities disclosed through Mozilla's security advisories, standard ISO/IEC 29147 responsible disclosure rules apply. No AI-specific modification exists, though I should note that Mozilla aggregated many of the 271 findings into 41 CVE entries rather than assigning individual CVEs to each finding.

That said, companies using frontier AI for vulnerability discovery internally should document their processes. If a discovered vulnerability leads to compromise involving personal data, Article 33 obligations trigger — and you'll want records showing when AI-flagged issues entered your patch queue could support your "without undue delay" compliance narrative.

On the CERT-In advisory:

This is not routine — it's a meaningful regulatory escalation signal. CERT-In issued advisory CIAD-2026-0017 on Microsoft vulnerabilities dated 15 April 2026, and separately issued the "Defending Against Frontier AI Driven Cyber Risks" advisory on 26 April 2026 specifically warning about AI-driven threats. These came alongside a Finance Minister Sitharaman-chaired high-level meeting on 23 April 2026 with bank MDs and CEOs, alongside RBI, NPCI, and CERT-In officials.

For organizations with Indian operations: watch for potential Information Technology Act 2000 amendments or new Information Technology (Reasonable Security Practices and Procedures) Rules implementing AI-specific safeguards. CERT-In has enforcement mechanisms under Section 70B authority with penalties for non-compliance.

The meaningful signal is the Banking sector mapping. When CERT-In explicitly targets financial infrastructure with AI threat guidance and coordinates with Finance Ministry leadership, expect RBI circulars to follow.

Practical takeaway: Companies using or developing AI for security research should maintain documentation trails now. While the Mythos disclosure model hasn't changed legal obligations materially, it's precedent — and regulators like CERT-In are watching.