We’ve all bought into the managed hosting promise: let someone else handle the pipes so you can build the product. But this week, those pipes all burst at once.
First, cPanel and WHM hit a critical auth bypass. We aren’t talking about “weak passwords” here; we’re talking about attackers skipping the login screen entirely to grab root access. If you’re an admin, don’t wait for your automatic update. You need to log in and run /scripts/upcp manually right now.
Then there’s Vercel. ShinyHunters is selling access to their systems, and reportedly 100,000 .env files are already in the wild. If you’ve ever deployed a modern web app, you know those files are the master key ring. They have your production database passwords and your API keys for everything from Stripe to AWS. If you’re on Vercel, rotate your secrets before you finish reading this post.
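As an added example (not part of the original post), here is a small Python script that inventories a .env file and lists which variables to rotate, without ever printing their values. The sample file, rule list and function names are constructed for illustration; the name and value heuristics are assumptions and will miss secrets that match neither.

```python
import re

# Constructed sample .env content; every value below is fake.
SAMPLE_ENV = """\
# app config
NODE_ENV=production
export DATABASE_URL="postgres://app:s3cr3t-pass@db.example.internal:5432/prod"
STRIPE_SECRET_KEY=sk_live_EXAMPLEEXAMPLEEXAMPLE0000
AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE00
AWS_SECRET_ACCESS_KEY='constructedExampleSecretValue0000000000/x'
NEXT_PUBLIC_SITE_NAME=My Shop
"""

LINE = re.compile(r'^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$')
# Value shapes checked first, then a fallback on the variable name (heuristics).
VALUE_RULES = [
    ("AWS access key ID", re.compile(r'^(AKIA|ASIA)[0-9A-Z]{16}$')),
    ("Stripe live key", re.compile(r'^(sk|rk)_live_')),
    ("URL with embedded password", re.compile(r'^[a-z][a-z0-9+.-]*://[^/\s:@]+:[^@\s]+@', re.I)),
]
NAME_RULE = re.compile(r'(SECRET|TOKEN|PASSWORD|PASSWD|API_?KEY|PRIVATE_?KEY)', re.I)

def parse_env(text):
    """Parse KEY=VALUE lines; comments and blanks are skipped, one quote layer stripped."""
    out = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        key, val = m.groups()
        if len(val) >= 2 and val[0] == val[-1] and val[0] in "\"'":
            val = val[1:-1]
        out[key] = val
    return out

def rotation_checklist(text):
    """Return sorted (variable, reason) pairs to rotate; values are never returned."""
    todo = []
    for key, val in parse_env(text).items():
        reason = next((label for label, rx in VALUE_RULES if rx.search(val)), None)
        if reason is None and val and NAME_RULE.search(key):
            reason = "secret-like variable name"
        if reason:
            todo.append((key, reason))
    return sorted(todo)

if __name__ == "__main__":
    for key, reason in rotation_checklist(SAMPLE_ENV):
        print(f"ROTATE {key}: {reason}")
```

Run it against each environment's file and treat the output as the rotation worklist; anything it does not flag still needs a manual look.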
Finally, a Virtualizor plugin flaw just put dozens of mid-tier VPS providers at risk. It’s a reminder that “outsourced trust” doesn’t mean outsourced risk. When your provider fails, your clients are the ones who pay. This is a good week to audit your vendor’s disclosure history and see how fragile your backbone really is.