Active · Live updateCVE-2026-41940 · cPanel/WHM

Field Notes: SessionScribe in the wild

Live battle journal of CVE-2026-41940 exploitation. 17-day quiet zero-day window, vendor disclosure, the post-PoC surge, and the kill chain walked end-to-end on a single host. Pattern catalog, operator buckets, attacker IP block list, and the verdict-engine gap that hides active malware on patched hosts. Updated as new evidence lands.

Read the field notes Reverse-engineering write-up

Operator toolkit · sh.rfxn.com

sessionscribe-ioc-scan.sh

Read-only on-host triage. Score-rubric verdicts. JSON / JSONL / CSV.

sessionscribe-mitigate.sh

Active defense. ModSec rules + cpsrvd-port scrub + proxysub.

sessionscribe-remote-probe.sh

Non-destructive remote verdict by HTTP code. Fleet-friendly.

github.com/rfxn/cpanel-sessionscribeGPL v2 · updated live

Active advisoryCVE-2026-31431 · Linux kernel

Copy Fail: AF_ALG page-cache scratch write

Any unprivileged tenant gets a 4-byte page-cache write to any readable file at attacker-chosen offset. On-disk inode unchanged. RHEL ships algif_aead builtin, so userspace cuts are the only defense that bites the running kernel.

Read the analysis Get the RPMs

Operator toolkit · rfxn.github.io/copyfail

afalg-defense (RPM)

Signed RPMs for EL8/EL9/EL10. dnf install one repo file.

no-afalg.so

LD_PRELOAD shim. Blocks AF_ALG socket(2) at libc.

copyfail-local-check

Read-only posture auditor. JSON verdict for SIEM.

github.com/rfxn/copyfailGPL v2 · updated 2026-04-30

Hackathon submission

Attackers have agents. Defenders still have grep.

Blacklight is the counter: an agentic-defense layer on top of the Linux tooling your fleet already runs. ModSec, iptables, APF, CSF, LMD, ClamAV, YARA, fail2ban, directed by a Managed Agents curator with 1M-context forensic reasoning.

Built with Opus 4.7 · HackathonAnthropic × Cerebral Valley · Apr 21–28

See Blacklight Read the design

# no one is coming.

>_ defend.

BLACKLIGHT

>_ Agentic Defense · Human Trust · Attacker Speed

Curator

Opus 4.7

Time

8h → 10m

Skills

65 files

rfxn.com / blacklightSee the masthead

Active Servers (30d)

372.9k

Requests (30d)

31.97M

GitHub

2,187

Deployed across government, defense, education & enterprise networks

govNISTgovNOAAgovNIHgovUNAMdefenseNATO CCDCOEeduStanford UniversityeduHarvard UniversityeduNational Taiwan UniversityeduCity University of New YorkresearchDFNresearchRENATERresearchJANETresearchSURFnetresearchRedIRISresearchGARRresearchUNINETTresearchSWITCHenterpriseAmazon Web ServicesenterpriseMicrosoftenterpriseGoogleenterpriseDeutsche TelekomenterpriseVodafoneenterpriseTelefonicaenterpriseOrangeenterpriseCogententerpriseIONOShostingLiquid WebhostingVultrhostingDigitalOceanhostingHetznerhostingOVHhostingNexcesshostingContabohostingLeasewebhostingBluehostgovNISTgovNOAAgovNIHgovUNAMdefenseNATO CCDCOEeduStanford UniversityeduHarvard UniversityeduNational Taiwan UniversityeduCity University of New YorkresearchDFNresearchRENATERresearchJANETresearchSURFnetresearchRedIRISresearchGARRresearchUNINETTresearchSWITCHenterpriseAmazon Web ServicesenterpriseMicrosoftenterpriseGoogleenterpriseDeutsche TelekomenterpriseVodafoneenterpriseTelefonicaenterpriseOrangeenterpriseCogententerpriseIONOShostingLiquid WebhostingVultrhostingDigitalOceanhostingHetznerhostingOVHhostingNexcesshostingContabohostingLeasewebhostingBluehost

$git clone https://github.com/rfxn/linux-malware-detect.git && cd linux-malware-detect && ./install.sh

Recent GitHub Activity

View all

cpanel-sessionscribe1h ago

Pushed to cpanel-sessionscribe: pushed commits

Push

Featured Projects

View all

LMDv2.0.1

1,407

Linux Malware Detect

A high-performance malware scanner for Linux designed for the multi-core era. v2.0.1 introduces a foundational engine leap that delivers up to 10x faster performance than traditional scanners via hash-first short-circuiting and batch-parallel processing.

Learn more

APFv2.0.2

106

Advanced Policy Firewall

An iptables(netfilter) based firewall system for Linux servers. Provides three-fold filtering with static rules, stateful connection tracking, and sanity-based packet inspection.

Learn more

BFDv2.0.2

Brute Force Detection

A modular shell script for parsing application logs and detecting authentication failures. Uses regex rules and integrates with APF, Shorewall, or raw iptables for blocking.

Learn more

Quick Start

Get up and running in minutes. All tools install from source with a single command.

LMDLinux Malware Detect

bash

$ git clone https://github.com/rfxn/linux-malware-detect.git && cd linux-malware-detect && ./install.sh

APFAdvanced Policy Firewall

bash

$ git clone https://github.com/rfxn/advanced-policy-firewall.git && cd advanced-policy-firewall && ./install.sh

BFDBrute Force Detection

bash

$ git clone https://github.com/rfxn/brute-force-detection.git && cd brute-force-detection && ./install.sh

Built for Real-World Linux Security

Threat-Driven Design

Built from real malware data collected at the network edge. Every detection signature comes from active threats seen in production hosting environments, not theoretical research.

Shell-Native & Lightweight

Pure bash with minimal dependencies. No agents, no daemons eating resources, no runtime interpreters. Runs on any Linux system from embedded devices to enterprise servers.

Community-Sustained

20+ years of open source development under GPL v2. No venture funding, no enterprise upsells. Sustained by the community of sysadmins who rely on these tools daily.

Protection Stack

Three tools, one defense-in-depth strategy. Layer them together for comprehensive Linux security.

Layer 1

Malware Detection

LMD

Scan & quarantine threats from real hosting threat data

Layer 2

Firewall Policy

APF

Stateful iptables filtering with reactive address blocking

Layer 3

Intrusion Prevention

BFD

Block brute-force auth attacks with modular log parsing

Connect

About

@rfxn

Linux security, open source, and systems engineering

rfxn

Open source projects and contributions

Ryan MacDonald

SVP/CTO at Liquid Web

rfxn

Identity verification and encrypted messaging

Contact

Security reports and project inquiries

Support Open Source Security

R-fx Networks projects are entirely community-funded. If these tools help protect your infrastructure, consider contributing.

Support the Project Star on GitHub