April 2026 stacked supply chain campaigns on top of a run of pre-authentication remote code execution flaws, several of them sitting in a substantial share of cloud environments. A single threat actor, TeamPCP, chained compromises across Trivy, a KICS GitHub Action, and the LiteLLM Python package, while critical bugs landed in GitHub Enterprise Server, GNU Inetutils telnetd, F5 BIG-IP, and Citrix NetScaler. This roundup covers the month's most consequential vulnerabilities, active campaigns, and what cloud security teams should do about them.
TeamPCP's chained supply chain campaign
The month's standout incident came from a threat actor tracked as TeamPCP, which ran a fast-moving, multi-stage operation against open-source security and developer tooling.
The entry point was Trivy, the widely deployed container vulnerability scanner from Aqua Security. Using stolen CI/CD secrets and hijacked service accounts, TeamPCP slipped credential-stealing payloads into legitimate Trivy releases. The actor then moved laterally across ecosystems — first into a KICS GitHub Action, and finally into the LiteLLM Python package.
The LiteLLM stage stood out for its persistence trick: abuse of Python's .pth file execution behavior. Python automatically processes .pth files in its site-packages directories at interpreter startup, and lines beginning with import are executed. By dropping malicious code into a .pth file, the attacker arranges for that code to run every time any Python process launches on the host — no direct import of the package required. That single design detail pushes the blast radius well beyond LiteLLM itself.
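As an added example (not from the post or from any of the affected projects), this Python script lists the .pth lines the interpreter would actually execute at startup in its site-packages directories and flags those matching a small heuristic marker set; the sample .pth content is constructed.

```python
import site
from pathlib import Path

# Constructed sample .pth content, not a real package's file. Python's site module
# exec()s any line that starts with "import " or "import\t"; other lines are paths.
SAMPLE_PTH = """\
# comment lines and blank lines are ignored
/opt/venv/lib/python3.12/site-packages/some_pkg
import _virtualenv
import sys; exec(__import__('base64').b64decode('PLACEHOLDER'))
"""

# Heuristic markers that a benign import hook has little reason to contain.
SUSPICIOUS = ("exec(", "eval(", "base64", "subprocess", "urllib", "socket", "\\x")


def classify_pth(text: str) -> dict:
    """Return the lines Python would execute, and the subset matching SUSPICIOUS."""
    executable, suspicious = [], []
    for line in text.splitlines():
        if line.startswith("#") or not line.strip():
            continue
        if line.startswith(("import ", "import\t")):  # same test site.addpackage uses
            executable.append(line)
            if any(marker in line for marker in SUSPICIOUS):
                suspicious.append(line)
    return {"executable": executable, "suspicious": suspicious}


def scan_site_packages(dirs=None) -> list:
    """Return (path, classification) for every .pth that carries executable lines."""
    if dirs is None:
        dirs = list(site.getsitepackages()) + [site.getusersitepackages()]
    findings = []
    for d in dirs:
        for pth in Path(d).glob("*.pth"):
            try:
                result = classify_pth(pth.read_text(errors="replace"))
            except OSError:
                continue
            if result["executable"]:
                findings.append((str(pth), result))
    return findings


if __name__ == "__main__":
    for path, result in scan_site_packages():
        tag = "SUSPICIOUS" if result["suspicious"] else "executable"
        print(f"[{tag}] {path}")
        for line in result["executable"]:
            print("    " + line)
```

Run it with the same interpreter your CI jobs use; a .pth import line you cannot trace to an installed package (editable installs and virtualenv hooks are the usual benign sources) deserves a closer look.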
Investigators reported consistent tooling, encryption schemes, and exfiltration infrastructure across all three intrusions, which points to one coordinated operator following a deliberate escalation playbook. Cloud credentials, API keys, and CI/CD secrets were harvested in volume from downstream environments. Any organization that pulls in these tools should audit its CI/CD pipelines and rotate every secret now.
Critical vulnerabilities to prioritize
GitHub Enterprise Server RCE — CVE-2026-3854
Wiz Research disclosed a high-severity remote code execution flaw in GitHub Enterprise Server (GHES). An attacker who holds repository push access can inject special characters into Git push option values; those values then contaminate internal service headers, leading to code execution on the GHES instance. The CVE record was reserved and published around March 10, 2026 (NVD, CVE.org record, GitHub advisory GHSA-64fw-jx9p-5j24). Note that the GitHub advisory lists no source-code package in a supported ecosystem, so Dependabot alerts do not apply; self-hosted operators must track patching manually.
Wiz telemetry indicates roughly 4% of cloud environments contain resources affected by this CVE. Push access is a low bar for an insider or a compromised developer account, so self-hosted GHES operators should treat patching as urgent.
Pre-auth telnetd buffer overflow — CVE-2026-32746
This was the most broadly exposed issue of the month. A critical buffer overflow in the telnetd service of GNU Inetutils lets a remote attacker achieve code execution before authentication occurs. The bug lives in the LINEMODE SLC (Set Local Characters) negotiation handler and can be triggered purely through Telnet option negotiation.
Because telnetd typically runs as root, a successful exploit hands over the entire host. Wiz data puts exposure at 23% of cloud environments — the highest of any CVE disclosed this month.
- No authentication needed to trigger
- Runs with root privileges in most configurations
- 23% of cloud environments affected per Wiz telemetry
If telnetd isn't an explicit requirement, disable it now. Where it must stay, apply the GNU Inetutils patches and restrict the Telnet port to trusted network segments. A quick exposure check:
# Is telnetd present / listening?
ss -ltnp | grep ':23'
systemctl status inetutils-telnetd 2>/dev/null
# Disable if not required (example: via inetd/xinetd or systemd socket)
systemctl disable --now inetutils-telnetd.socket 2>/dev/null
F5 BIG-IP RCE, actively exploited — CVE-2025-53521
CISA added CVE-2025-53521 to its Known Exploited Vulnerabilities catalog this month after confirmed in-the-wild exploitation. The flaw affects F5 BIG-IP Access Policy Manager (APM) and permits unauthenticated remote code execution when the device processes malicious traffic.
It was originally logged as a denial-of-service issue but has been reclassified as a critical RCE carrying CVSS 9.3. BIG-IP APM operators should treat it as weaponized: apply F5's patches immediately and comb network access logs for traffic anomalies consistent with exploitation.
NetScaler ADC and Gateway flaws — CVE-2026-3055 and CVE-2026-4368
Citrix disclosed two issues in NetScaler ADC and NetScaler Gateway — one critical (CVE-2026-3055) and one high severity (CVE-2026-4368). Together they can allow unauthenticated memory disclosure and user session mix-ups, especially in deployments using SAML identity provider configurations or gateway services.
Wiz puts exposure near 3.5% of cloud environments. The session-confusion vector is particularly worrying in enterprise gateways, where cross-user data exposure can breach compliance boundaries.
Active threat campaigns
MuddyWater espionage operation
The Iran-aligned actor MuddyWater ran a multi-stage espionage campaign from mid-February through at least March 4, hitting government, healthcare, aviation, and technology organizations primarily across the Middle East, with limited reach into Europe and the United States.
Initial access came from exploiting internet-exposed edge devices — specifically Fortinet and Ivanti systems — through known CVEs and password brute-forcing. After gaining a foothold, the operators leaned on a blend of custom and publicly available tooling to hold persistent access. Stolen data spanned PII, financial records, and corporate credentials, and the presence of cryptocurrency and credit-card theft suggests the campaign mixed classic espionage with opportunistic, financially motivated crime.
GlassWorm's FORCEMEMO
Researchers flagged a fresh wave of the GlassWorm campaign — attributed to an Eastern European cybercriminal group and tracked this cycle as FORCEMEMO — that chains three techniques:
- Invisible Unicode character injection to conceal malicious code in plain sight
- Credential theft via trojanized editor extensions (VS Code and similar)
- A novel GitHub force-push attack that silently rewrites a repository's commit history with malicious code
The force-push vector is especially nasty because it can retroactively poison a repo's history, complicating both forensic analysis and rollback for maintainers.
Axios NPM package compromise
On March 31, 2026, the heavily used Axios NPM package was compromised via two malicious versions that shipped a lightweight backdoor to downstream consumers. With Axios embedded in millions of JavaScript projects, the exposure surface is large. Developers should confirm their installed version, inspect lockfiles for unauthorized updates, and audit any environment that resolved a new Axios version around that date:
# Check the resolved version and where it came from
npm ls axios
npm view axios versions --json
# Look for unexpected lockfile changes around the compromise window
git log -p --since="2026-03-29" --until="2026-04-02" -- package-lock.json
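As an added example, not from the original post or the Axios project, this Python script enumerates every copy of axios resolved in a package-lock.json (lockfile v1, v2 and v3 layouts, nested transitive copies included) and flags any whose tarball did not come from the npm registry; the lockfile content is constructed. The post does not name the two malicious versions, so compare the reported versions against the advisory rather than against a hard-coded list.

```python
import json

# Constructed package-lock.json fragment (lockfileVersion 3 layout); not a real project's.
SAMPLE_LOCK = json.dumps({
    "name": "demo", "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"axios": "^1.6.0"}},
        "node_modules/axios": {
            "version": "1.6.8",
            "resolved": "https://registry.npmjs.org/axios/-/axios-1.6.8.tgz",
            "integrity": "sha512-PLACEHOLDER",
        },
        # a transitive copy fetched from somewhere other than the npm registry
        "node_modules/some-sdk/node_modules/axios": {
            "version": "9.9.9",
            "resolved": "https://mirror.example.invalid/axios-9.9.9.tgz",
        },
    },
})

TRUSTED_REGISTRY = "https://registry.npmjs.org/"


def resolved_copies(lock_text: str, name: str) -> list:
    """Return (install_path, version, resolved_url) for every installed copy of `name`."""
    lock = json.loads(lock_text)
    copies = []
    if "packages" in lock:
        # lockfileVersion 2/3: flat map keyed by install path; nested copies
        # appear as ".../node_modules/<dep>/node_modules/<name>"
        for path, meta in lock["packages"].items():
            if path == f"node_modules/{name}" or path.endswith(f"/node_modules/{name}"):
                copies.append((path, meta.get("version"), meta.get("resolved", "")))
        return copies

    def walk(deps: dict, prefix: str) -> None:
        # lockfileVersion 1: "dependencies" is a nested tree
        for dep, meta in deps.items():
            path = f"{prefix}node_modules/{dep}"
            if dep == name:
                copies.append((path, meta.get("version"), meta.get("resolved", "")))
            walk(meta.get("dependencies", {}), path + "/")

    walk(lock.get("dependencies", {}), "")
    return copies


def untrusted_copies(lock_text: str, name: str, registry: str = TRUSTED_REGISTRY) -> list:
    """Copies whose tarball URL is missing or not under the expected registry."""
    return [c for c in resolved_copies(lock_text, name) if not c[2].startswith(registry)]
```

Point it at a real lockfile with `resolved_copies(open("package-lock.json").read(), "axios")`; `npm ls axios` shows only the dependency tree, while the lockfile also records where each tarball was fetched from.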
Key takeaways for cloud security teams
- Supply chain trust is the attack surface. TeamPCP, GlassWorm, and the Axios compromise all targeted the tools developers trust most — package managers, CI/CD actions, and security scanners.
- Pre-auth bugs demand zero-delay patching. CVE-2026-32746 in telnetd and CVE-2025-53521 in BIG-IP need no credentials. There's no safe remediation window.
- 23% is not a small number. Nearly one in four cloud environments carrying a remotely exploitable, pre-auth, root-level flaw is a systemic problem. If you haven't assessed your telnetd exposure, do it now.
- Rotate secrets after any supply chain event. TeamPCP's focus was cloud credentials and CI/CD secrets — rotate aggressively whenever a pipeline tool is implicated.
Bottom line
April 2026 showed how interconnected cloud threats have become: one compromised tool cascades into ecosystem-wide credential harvesting, and a misclassified denial-of-service bug can resurface as an actively exploited critical RCE. The pace of both discovery and exploitation keeps rising. Review your exposure to this month's CVEs, audit your supply chain dependencies, and make sure your incident response playbooks account for supply chain pivot scenarios — TeamPCP has already proven the pattern works.