TL;DR
The GitHub and npm ecosystems face sustained supply-chain attacks across multiple package repositories. Critical CVE-2026-48172 in the LiteSpeed cPanel plugin is actively exploited. A CISA contractor exposed AWS GovCloud credentials on public GitHub; immediate containment is required.
Executive Summary
- Multiple coordinated supply-chain attacks target npm, Packagist, and Composer package repositories, injecting malicious code into widely-used PHP and JavaScript libraries [1,2,4,7].
- CVE-2026-48172 in LiteSpeed User-End cPanel Plugin (CVSS 10.0) is actively exploited in the wild to execute arbitrary code with root privileges [5].
- CISA contractor publicly exposed AWS GovCloud credentials and sensitive agency secrets on GitHub, forcing emergency containment efforts and congressional scrutiny [11,12,13].
- Ghost CMS SQL injection vulnerability (CVE-2026-26980) is being actively exploited in large-scale ClickFix phishing campaigns [6].
- AI-driven vulnerability discovery has identified over 10,000 high- or critical-severity flaws in systemically important software [3].
Top Threats Today
1. Coordinated Supply-Chain Attack Campaign Across Package Ecosystems
Severity: HIGH Affected: Technology
GitHub-hosted npm and Packagist repositories are experiencing a coordinated attack wave targeting multiple package ecosystems. A supply-chain attack has infected eight packages on Packagist with malicious code designed to run a Linux binary retrieved from GitHub Releases URLs [2]. Separately, multiple Laravel-Lang PHP packages have been compromised to deliver a cross-platform credential-stealing framework, with attackers abusing GitHub version tags to distribute malicious code through Composer packages [3][4]. GitHub has responded by rolling out staged publishing controls—a feature that requires maintainers to explicitly approve releases prior to packages becoming publicly available—to help prevent unauthorized distributions [1].
Sources: [1] The Hacker News; [2] The Hacker News; [3] The Hacker News; [4] BleepingComputer
Recommended Action
- Review all installed npm, Composer, and Packagist dependencies for unexpected version changes or recent updates.
- Enable two-factor authentication (2FA) on all package repository accounts and require approval for staged releases.
- Monitor package integrity using Software Bill of Materials (SBOM) tools and hash verification.
- Audit application logs for evidence of malicious code execution from suspicious package sources.
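The first three actions above amount to one check: compare what the lock files now resolve to against the last reviewed state and flag anything that moved. The script below is an added example written for this digest, not tooling from GitHub, npm or Composer. It assumes a baseline exported from an SBOM or from the lock files at the last audited commit (the `BASELINE` dictionary, constructed here) and reads lockfileVersion 2/3 `package-lock.json` and `composer.lock` content (both constructed inline) to report new packages, version drift, integrity-hash or dist-reference mismatches, and removed packages.

```python
"""Detect dependency drift in npm and Composer lock files against a pinned baseline."""
import json

# Constructed baseline: the last reviewed state of each dependency, keyed by
# ecosystem and package name. 'digest' is the npm 'integrity' value or the
# Composer 'dist.reference' (git commit) recorded at the last audit.
BASELINE = {
    "npm": {
        "left-pad": {"version": "1.3.0", "digest": "sha512-AAAA"},
        "lodash": {"version": "4.17.21", "digest": "sha512-BBBB"},
    },
    "composer": {
        "laravel-lang/common": {"version": "6.4.0", "digest": "aaaa1111"},
        "monolog/monolog": {"version": "3.5.0", "digest": "bbbb2222"},
    },
}

# Constructed lock files as they look after a fresh `npm install` / `composer update`.
PACKAGE_LOCK = json.dumps({
    "name": "demo", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo"},  # root project entry, skipped
        "node_modules/left-pad": {"version": "1.3.0", "integrity": "sha512-AAAA"},
        "node_modules/lodash": {"version": "4.17.21", "integrity": "sha512-ZZZZ"},  # same version, new hash
        "node_modules/evil-helper": {"version": "0.0.1", "integrity": "sha512-CCCC"},  # not in baseline
    },
})
COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "laravel-lang/common", "version": "6.4.1",  # version moved since last audit
         "dist": {"type": "zip", "reference": "dddd3333"}},
        {"name": "monolog/monolog", "version": "3.5.0",
         "dist": {"type": "zip", "reference": "bbbb2222"}},
    ],
    "packages-dev": [],
})


def npm_entries(lock_text):
    """Yield (name, version, digest) from a lockfileVersion 2/3 package-lock.json."""
    lock = json.loads(lock_text)
    for path, meta in lock.get("packages", {}).items():
        if not path:  # "" is the root project, not a dependency
            continue
        # Nested paths like node_modules/a/node_modules/@scope/b resolve to "@scope/b".
        name = path.rsplit("node_modules/", 1)[-1]
        yield name, meta.get("version"), meta.get("integrity")


def composer_entries(lock_text):
    """Yield (name, version, digest) from composer.lock, dev packages included."""
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        yield pkg["name"], pkg.get("version"), pkg.get("dist", {}).get("reference")


def diff_against_baseline(entries, baseline):
    """Return (kind, name, detail) findings: NEW_PACKAGE, VERSION_DRIFT, HASH_MISMATCH, REMOVED."""
    findings = []
    seen = set()
    for name, version, digest in entries:
        seen.add(name)
        expected = baseline.get(name)
        if expected is None:
            findings.append(("NEW_PACKAGE", name, version))
        elif expected["version"] != version:
            findings.append(("VERSION_DRIFT", name, f"{expected['version']} -> {version}"))
        elif expected["digest"] != digest:
            # Same version string but different content: the case a tag re-push produces.
            findings.append(("HASH_MISMATCH", name, version))
    for name in sorted(baseline.keys() - seen):
        findings.append(("REMOVED", name, baseline[name]["version"]))
    return findings


def audit():
    """Run both ecosystems against their baselines and return the findings per ecosystem."""
    return {
        "npm": diff_against_baseline(npm_entries(PACKAGE_LOCK), BASELINE["npm"]),
        "composer": diff_against_baseline(composer_entries(COMPOSER_LOCK), BASELINE["composer"]),
    }


if __name__ == "__main__":
    for ecosystem, findings in audit().items():
        for kind, name, detail in findings:
            print(f"{ecosystem}: {kind} {name} ({detail})")
```

A HASH_MISMATCH with an unchanged version string is the finding to treat most seriously: it means the registry is now serving different bytes for a version you already reviewed, which is exactly what a re-pushed tag or replaced release artifact looks like from the consumer's side.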
2. LiteSpeed cPanel Plugin Remote Code Execution—Active Exploitation
Severity: CRITICAL Affected: Technology
A maximum-severity vulnerability in LiteSpeed User-End cPanel Plugin (CVE-2026-48172, CVSS 10.0) is under active exploitation in the wild [1]. The flaw relates to incorrect privilege assignment, allowing attackers to execute arbitrary scripts with root-level privileges [1]. This vulnerability requires urgent patching of all LiteSpeed installations running the vulnerable cPanel plugin.
Sources: [1] The Hacker News
Recommended Action
- Immediately patch LiteSpeed User-End cPanel Plugin to the latest available version.
- Review server logs for evidence of unauthorized script execution or privilege escalation attempts.
- Restrict cPanel access to trusted IP ranges and enforce strong authentication controls.
- Monitor for suspicious process execution with root privileges originating from the cPanel environment.
3. CISA Contractor Leaks AWS GovCloud Credentials and Sensitive Agency Data
Severity: CRITICAL Affected: Government
Until this past weekend, a contractor for the Cybersecurity & Infrastructure Security Agency (CISA) maintained a public GitHub repository that exposed credentials to highly privileged AWS GovCloud accounts and a large number of internal CISA systems [2]. The exposure triggered emergency containment efforts and congressional demands for answers from CISA leadership [1]. Security experts have stated that the public archive poses a significant risk to federal infrastructure and must be treated as a complete credential compromise.
Sources: [1] Krebs on Security; [2] Krebs on Security
Recommended Action
- IMMEDIATE: Revoke all exposed AWS GovCloud credentials and initiate emergency IAM key rotation across all affected accounts.
- Audit AWS CloudTrail logs for unauthorized access or suspicious API calls using the exposed credentials.
- Scan all GitHub, GitLab, and internal version control repositories for similar credential leaks using automated secret-scanning tools.
- Notify all federal agencies and contractors of the exposure and recommend credential rotation for dependent systems.
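Rotating the keys stops future use; the CloudTrail audit in the second action is what tells you whether the keys were already used. The script below is an added example for this digest, not CISA or AWS tooling. It assumes you have the list of access key IDs found in the leaked repository (`EXPOSED_KEYS`, constructed placeholders here, not real keys), the time the repository became public (`EXPOSURE_TIME`), and a CloudTrail export in the standard `{"Records": [...]}` shape (constructed inline). It keeps only post-exposure calls made with those keys and tags each with why it should be escalated: an unrecognised source address, or an IAM call that creates additional access.

```python
"""Triage a CloudTrail export for activity performed with leaked access keys."""
import json
from collections import Counter
from datetime import datetime, timezone

# Constructed: access key IDs recovered from the leaked repository (placeholders).
EXPOSED_KEYS = {"AKIAEXAMPLELEAKED001", "AKIAEXAMPLELEAKED002"}
# Constructed: earliest time the repository (and therefore the keys) was public.
EXPOSURE_TIME = datetime(2026, 4, 10, 14, 0, tzinfo=timezone.utc)
# Constructed: egress addresses known to belong to the agency or contractor.
KNOWN_SOURCE_IPS = {"198.51.100.10"}

# IAM calls that create or extend access; escalate these even from a known address.
PERSISTENCE_EVENTS = {
    "CreateAccessKey", "CreateUser", "AttachUserPolicy", "PutUserPolicy",
    "CreateLoginProfile", "UpdateAssumeRolePolicy", "CreateRole",
}

# Constructed CloudTrail export; only the fields the triage reads are included.
CLOUDTRAIL_EXPORT = json.dumps({"Records": [
    {"eventTime": "2026-04-09T09:00:00Z", "eventName": "DescribeInstances",
     "eventSource": "ec2.amazonaws.com", "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy", "accessKeyId": "AKIAEXAMPLELEAKED001"}},
    {"eventTime": "2026-04-10T16:30:00Z", "eventName": "ListBuckets",
     "eventSource": "s3.amazonaws.com", "sourceIPAddress": "203.0.113.77",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy", "accessKeyId": "AKIAEXAMPLELEAKED001"}},
    {"eventTime": "2026-04-10T16:31:12Z", "eventName": "CreateAccessKey",
     "eventSource": "iam.amazonaws.com", "sourceIPAddress": "203.0.113.77",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy", "accessKeyId": "AKIAEXAMPLELEAKED001"}},
    {"eventTime": "2026-04-10T17:00:00Z", "eventName": "GetCallerIdentity",
     "eventSource": "sts.amazonaws.com", "sourceIPAddress": "203.0.113.77",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy", "accessKeyId": "AKIAEXAMPLELEAKED001"}},
    {"eventTime": "2026-04-11T08:00:00Z", "eventName": "PutObject",
     "eventSource": "s3.amazonaws.com", "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"type": "IAMUser", "userName": "backup", "accessKeyId": "AKIAEXAMPLEUNRELATED"}},
]})


def parse_time(s):
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def triage(export_text):
    """Return post-exposure records made with exposed keys, each tagged with escalation reasons."""
    hits = []
    for rec in json.loads(export_text)["Records"]:
        key = rec.get("userIdentity", {}).get("accessKeyId")
        if key not in EXPOSED_KEYS:
            continue
        if parse_time(rec["eventTime"]) < EXPOSURE_TIME:
            continue  # use of the key before exposure is the legitimate owner's activity
        reasons = []
        if rec["sourceIPAddress"] not in KNOWN_SOURCE_IPS:
            reasons.append("unknown_source_ip")
        if rec["eventName"] in PERSISTENCE_EVENTS:
            reasons.append("persistence_api")
        hits.append({"time": rec["eventTime"], "key": key, "event": rec["eventName"],
                     "ip": rec["sourceIPAddress"], "reasons": reasons})
    return hits


def summarize(hits):
    """Aggregate post-exposure activity per key and per source address for the containment report."""
    return {
        "by_key": Counter(h["key"] for h in hits),
        "by_ip": Counter(h["ip"] for h in hits),
        "escalate": [h for h in hits if h["reasons"]],
    }


if __name__ == "__main__":
    found = triage(CLOUDTRAIL_EXPORT)
    report = summarize(found)
    for h in report["escalate"]:
        print(f"{h['time']} {h['key']} {h['event']} from {h['ip']}: {', '.join(h['reasons'])}")
    print("calls per source IP:", dict(report["by_ip"]))
```

Note that the `CreateAccessKey` hit matters beyond the leaked key itself: any key created by that call is a second credential the attacker controls, so the rotation scope has to include keys minted after the exposure, not only the ones found in the repository.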
4. Ghost CMS SQL Injection Actively Exploited in ClickFix Phishing Campaign
Severity: HIGH Affected: Technology
A large-scale campaign is exploiting a critical SQL injection vulnerability (CVE-2026-26980) in Ghost CMS to inject malicious JavaScript code that triggers ClickFix attack flows [1]. This vulnerability is being actively weaponized against thousands of Ghost installations.
Sources: [1] BleepingComputer
Recommended Action
- Update Ghost CMS to the patched version immediately upon availability.
- Review Ghost CMS instance logs for suspicious database queries and injection attempts.
- Audit website front-end code and user-facing content for injected malicious JavaScript.
- Deploy Web Application Firewall (WAF) rules to block SQL injection patterns targeting Ghost instances.
5. Kimwolf Botnet Operator Arrested; Infrastructure Remains Threat
Severity: HIGH Affected: Technology
Canadian authorities arrested a 23-year-old Ottawa man on suspicion of building and operating Kimwolf, a fast-spreading Internet-of-Things botnet that enslaved millions of devices for use in a series of massive distributed denial-of-service (DDoS) attacks over the past six months [1]. Court documents indicate Jacob Butler ran Kimwolf as a DDoS-for-hire service that infected over a million devices worldwide [2]. While the operator has been arrested, residual botnet infrastructure and compromised devices remain active.
Sources: [1] Krebs on Security; [2] The Record
Recommended Action
- Scan Internet-of-Things (IoT) and edge devices for Kimwolf malware signatures and known C2 communication patterns.
- Implement network segmentation to isolate IoT and OT devices from critical business systems.
- Monitor for unexpected outbound DDoS traffic patterns or botnet communication beacons.
- Update firmware on all internet-facing IoT devices and enforce strong default credentials.
Today’s Action Checklist
- ☐ URGENT: Rotate all AWS credentials exposed in CISA GitHub leak; audit CloudTrail for unauthorized access.
- ☐ URGENT: Patch LiteSpeed cPanel Plugin to prevent root-privilege code execution (CVE-2026-48172).
- ☐ HIGH: Audit npm, Composer, and Packagist dependency trees for Laravel-Lang and other supply-chain compromises; verify package hashes.
- ☐ HIGH: Update Ghost CMS to mitigate CVE-2026-26980 SQL injection exploitation.
- ☐ MEDIUM: Enable 2FA and staged publishing on all package repository accounts to prevent future unauthorized releases.