The Cisco FMC "POC" on GitHub Has a Webshell in It. Here's the Network Behind It.
- Patrick Duggan
- Mar 23
Updated: Apr 25
The Bait
When a CVSS 10.0 zero-day drops, security researchers rush to GitHub looking for proof-of-concept code. It's muscle memory. CVE number → GitHub search → clone → test.
CVE-2026-20131 — the Cisco FMC insecure deserialization that Interlock ransomware exploited for 36 days as a zero-day — dropped publicly on March 4. The POC repos appeared within 48 hours.
We went looking. We found webshells.
The Repo: [p3Nt3st3r-sTAr/CVE-2026-20131-POC](https://github.com/p3Nt3st3r-sTAr/CVE-2026-20131-POC)
Contents:

```text
CVE-2026-20131-POC.py   14,217 bytes   Python "exploit"
README.md                1,429 bytes   Instructions
cmd.jsp                    684 bytes   ← JSP WEBSHELL
cmd.war                    778 bytes   ← PACKAGED WEBSHELL
```
The Python script is the lure. cmd.jsp and cmd.war are the payload. You think you're testing a Cisco FMC exploit in your lab; what you're actually doing is deploying someone else's webshell, whose contents you never read, on your own infrastructure.
This is Pattern #38 — supply chain attacks via GitHub. We've been tracking this pattern since December 2025. It never stops.
The Account: p3Nt3st3r-sTAr
Created: March 2, 2026, two days before Cisco disclosed the CVE on March 4 and four days before this repo appeared
Repos: 7, all CVE "POCs"
Stars: 0
Forks: 3 (the webshell repo, forked into other accounts; see below)
Followers: 5
Following: 7
Name: None
Bio: None
Location: None
- CVE-2026-20131-POC: Cisco FMC (contains webshell)
- CVE-2023-43208: Mirth Connect
- CVE-2026-2413-POC: Unknown
- cve-2026-32746: Unknown (has Dockerfile)
- QinglongPanels-RCE: Qinglong panel RCE
- PoC-in-GitHub: 813 MB index of CVE POCs
Account created days before the CVE was public. No identity. No history. Just exploit repos with embedded payloads.
Follow the Followers
Who p3Nt3st3r-sTAr Follows
| Account | Created | Repos | Notes |
|---|---|---|---|
|  | Nov 2011 | 45 | Follows 878 accounts; mass-following aggregator |
|  | Jul 2021 | 5 | Name: "kH_Mohammed" |
|  | Oct 2021 | 42 | Follows 386 accounts |
|  | Jul 2017 | 4 | Singapore, 270 followers; possible legitimate researcher |
|  | Jul 2019 | 111 | Name: "VVV" |
|  | Sep 2020 | 13 | Name: "YJK" |
| 0xAshwesker | Feb 6, 2026 | 14 | Name: "Ashraf Zaryouh"; see below |
0xAshwesker: The CVE Farm
Created February 2026. 14 repos. Every single one is a CVE POC:
- CVE-2014-0160 (Heartbleed, from 2014, repackaged 2026)
- CVE-2014-6271 (Shellshock, from 2014, repackaged 2026)
- CVE-2020-5902 (F5 BIG-IP, from 2020, repackaged 2026)
- CVE-2021-44228 (Log4Shell, from 2021, repackaged 2026)
- CVE-2022-22965 (Spring4Shell, from 2022, repackaged 2026)
- CVE-2026-21858, CVE-2026-24061, CVE-2026-28289 (fresh 2026 CVEs)
Follows zero people. Created one month before p3Nt3st3r-sTAr. Same pattern: no identity, no history, nothing but exploit repos. p3Nt3st3r-sTAr follows this account.
The repackaging of ancient CVEs (Heartbleed, Shellshock) is the tell. No legitimate researcher creates a brand new account in 2026 to publish POCs for vulnerabilities from 2014. This is a trojan horse farm.
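The triage above (account age relative to the disclosure, no identity, nothing but CVE-named repos, ancient CVEs on a brand-new account) can be scored mechanically from the GitHub REST API. The script below is an added example, not the author's tooling. Its input is shaped like the `/users/{login}` and `/users/{login}/repos` responses (`created_at`, `name`, `bio`, `location`, `followers`, `following`, repo `name`); both profiles in it are constructed, the first modeled on the attributes this post describes, the second a made-up long-standing account. The thresholds (60 days, 80% CVE repos, a 5-year gap) are assumptions chosen here, not published standards.

```python
"""Score a GitHub account against the CVE-farm pattern described in the post.

Added example, not the author's tooling. Input is shaped like the GitHub REST
API responses for /users/{login} and /users/{login}/repos. Both sample profiles
are constructed; thresholds below are assumptions, not standards.
"""
import re
from datetime import datetime, timezone

CVE_NAME_RE = re.compile(r"CVE-(\d{4})-\d{4,}", re.IGNORECASE)
# CVE-2026-20131 went public on March 4, 2026, per the post; account age is measured at that date.
DISCLOSURE = datetime(2026, 3, 4, tzinfo=timezone.utc)
FRESH_ACCOUNT_DAYS = 60   # assumption: younger than this at disclosure counts as "fresh"
CVE_REPO_SHARE = 0.8      # assumption: this share of CVE-named repos counts as "nothing but POCs"
STALE_CVE_YEARS = 5       # assumption: a CVE this much older than the account counts as "repackaged"


def _parse(ts: str) -> datetime:
    """GitHub timestamps are ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def triage(user: dict, repos: list[dict], disclosure: datetime = DISCLOSURE) -> list[str]:
    """Return the indicators that fired for this account; an empty list means none did."""
    reasons = []
    created = _parse(user["created_at"])
    age_days = (disclosure - created).days
    if age_days < FRESH_ACCOUNT_DAYS:
        reasons.append(f"account was {age_days} days old at disclosure")
    if not (user.get("name") or user.get("bio") or user.get("location")):
        reasons.append("no name, bio or location")
    # Years pulled from repo names like CVE-2014-0160; non-CVE repos contribute nothing.
    cve_years = [int(m.group(1)) for r in repos if (m := CVE_NAME_RE.search(r["name"]))]
    if repos and len(cve_years) / len(repos) >= CVE_REPO_SHARE:
        reasons.append(f"{len(cve_years)} of {len(repos)} repos are CVE POCs")
    stale = sorted({y for y in cve_years if created.year - y >= STALE_CVE_YEARS})
    if stale:
        reasons.append(f"republishes CVEs from {', '.join(map(str, stale))} on a {created.year} account")
    if user.get("following", 0) == 0 and user.get("followers", 0) < 10:
        reasons.append("follows nobody and is followed by almost nobody")
    return reasons


# Constructed sample: a fresh account whose only content is CVE POCs, several of them ancient.
FARM_USER = {"login": "cve-farm-example", "created_at": "2026-02-06T00:00:00Z",
             "name": None, "bio": None, "location": None, "followers": 3, "following": 0}
FARM_REPOS = [{"name": n} for n in (
    "CVE-2014-0160", "CVE-2014-6271", "CVE-2020-5902", "CVE-2021-44228",
    "CVE-2022-22965", "CVE-2026-21858", "CVE-2026-24061", "CVE-2026-28289")]

# Constructed sample: an older account with a public identity and a mixed set of repos.
RESEARCHER_USER = {"login": "longtime-example", "created_at": "2017-07-12T09:30:00Z",
                   "name": "Example Researcher", "bio": "AppSec", "location": "Berlin",
                   "followers": 180, "following": 40}
RESEARCHER_REPOS = [{"name": n} for n in ("dotfiles", "fuzz-harness", "CVE-2023-43208", "notes")]


if __name__ == "__main__":
    for user, repos in ((FARM_USER, FARM_REPOS), (RESEARCHER_USER, RESEARCHER_REPOS)):
        hits = triage(user, repos)
        print(f"{user['login']}: {len(hits)} indicators")
        for reason in hits:
            print("  -", reason)
```

Feed it real profiles by fetching the two endpoints for each account in a repo's followers and forks lists; the point is that every indicator the post reads off a profile page by hand is a field in the API response, so the follower graph of a suspicious repo can be scored in bulk rather than clicked through.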
Who Forked the Webshell
| Account | Created | Notes |
|---|---|---|
| epaphrasmakoko | Aug 2022 | Name: "fxhacker"; forked it THREE times (3 separate repos) |
|  | Apr 2019 | "Sungyup Nam", South Korea, 1,027 repos |
|  | Nov 2022 | "Sungyup Nam"; same person, second account, 92 repos |
redpack-kr and south78 both carry the display name "Sungyup Nam"; the older account lists South Korea and holds 1,027 repos, the newer one 92. We read that as one person running two accounts. 1,027 repos on a single GitHub account is Pattern #39 (fork farms).
epaphrasmakoko forked the webshell repo THREE separate times under slightly different names. That's not testing — that's distribution.
The Other POC Repos
[Sushilsin/CVE-2026-20131](https://github.com/Sushilsin/CVE-2026-20131)
Created: March 6, 2026 (same day as p3Nt3st3r-sTAr's)
Account age: Since 2014
3 KB — minimal Python script
Also in the account:
- TeleCommand, a Telegram-based C2 framework, and TeleCommand-Pro, its premium version
- git_leaks, credential harvesting
- S3-Explorer, AWS bucket enumeration
- Virustotal-IOC-Not-detected-by-Crowdstrike, testing what evades CrowdStrike
This isn't a security researcher. This is an offensive tooling developer who publishes CVE POCs as credibility bait.
[sak110/CVE-2026-20131](https://github.com/sak110/CVE-2026-20131)
"Sadaf Athar Khan", College Park, MD
Older account (2019), 8 repos
Possibly legitimate, but the POC appeared March 11 — a week after disclosure
The Handala Repos
While hunting the CVE POCs, we also found the Stryker/Handala response repos:
| Repo | Created | What It Is |
|---|---|---|
|  | Mar 23 (today) | PowerShell Entra ID audit, "built in response to Stryker/Handala" |
|  | Mar 23 (today) | Sigma rules for Intune MDM abuse detection |
|  | Mar 21 | Open-source CTI reports on Handala and Sandworm/APT44 |
The defensive repos are appearing. That's healthy. But anyone cloning detection packs from unknown GitHub accounts should audit them first — Pattern #38 doesn't just ride exploit POCs. It rides anything security teams are desperate enough to download without reading.
What You Should Do
1. Do NOT clone CVE-2026-20131 POC repos from GitHub without auditing every file. The p3Nt3st3r-sTAr repo contains the cmd.jsp and cmd.war webshells. Others may contain worse.
2. If you already cloned it: check for cmd.jsp, cmd.war, or any .war/.jar/.jsp file the README does not account for, and list the contents of any archive rather than trusting its name. Read the Python script before running it: look for network imports and for hard-coded hosts, URLs or decoded blobs that would make it talk to anything other than the target you point it at.
3. Report these repos to GitHub. A lure script bundled with a ready-to-deploy Java webshell is malware distribution dressed as research, not the dual-use security content GitHub's Acceptable Use Policies allow.
4. Verify POCs against the actual CVE advisory. Cisco's advisory describes a Java deserialization vulnerability, so a legitimate POC targets the deserialization endpoint with a serialized payload. A webshell bundled alongside is not a demonstration of the bug; it is the attacker's post-exploitation toolkit being distributed as "research."
5. Watch the followers. 0xAshwesker repackaging Heartbleed and Shellshock POCs from a brand-new account is not research; it is infrastructure. These accounts form networks. The POCs are the bait, the webshells are the hook, and the followers are the distribution chain.
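Steps 1, 2 and 4 can be run as a script against a clone before anything in it executes. The audit below is an added example, not the author's tooling: it walks a cloned directory, flags file types a Python deserialization POC has no reason to ship, opens any .war/.jar to list the JSPs inside, and statically checks each Python file for network imports, exec/decode calls and hard-coded endpoints. The sample repo it builds for the demo is constructed to mirror the file list quoted earlier in this post; the file names match, the contents are harmless placeholders (the "lure" phones a documentation-range IP and decodes a blob that spells `pass`), and the extension and call lists are choices made here.

```python
"""Audit a freshly cloned "POC" repo before running anything in it.

Added example for this post, not the author's tooling. The sample repo built
by build_sample_repo() is constructed here to mirror the file list in the post:
a Python lure, a README that mentions only the script, a cmd.jsp, and a cmd.war
wrapping another JSP. Nothing in the sample is real exploit or webshell code.
"""
import ast
import re
import tempfile
import zipfile
from pathlib import Path

# File types that a Python deserialization POC has no reason to ship (list chosen here).
PAYLOAD_EXTENSIONS = {".jsp", ".jspx", ".war", ".jar", ".ear", ".class", ".aspx", ".php"}
# Imports that let the script talk to something other than the target you pass it.
NETWORK_MODULES = {"socket", "requests", "urllib", "urllib3", "http", "httpx", "ftplib", "smtplib", "paramiko"}
# Calls that usually precede a second-stage payload in a lure script.
SUSPICIOUS_CALLS = {"exec", "eval", "__import__", "b64decode", "system", "Popen", "check_output"}
# Hard-coded URLs and IPv4 literals: a real POC takes its target as an argument.
ENDPOINT_RE = re.compile(r"https?://[^\s\"')]+|\b(?:\d{1,3}\.){3}\d{1,3}\b")


def _call_name(node: ast.Call) -> str:
    """Name of the callee for both bare calls (exec) and attribute calls (base64.b64decode)."""
    if isinstance(node.func, ast.Name):
        return node.func.id
    if isinstance(node.func, ast.Attribute):
        return node.func.attr
    return ""


def audit_python(path: Path) -> list[str]:
    """Static pass over one .py file: network imports, dangerous calls, baked-in endpoints."""
    src = path.read_text(errors="replace")
    try:
        tree = ast.parse(src)
    except SyntaxError as exc:
        return [f"{path.name}: does not parse ({exc.msg}); read it by hand"]
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            names = [a.name for a in node.names] if isinstance(node, ast.Import) else [node.module or ""]
            for name in names:
                if name.split(".")[0] in NETWORK_MODULES:
                    findings.append(f"{path.name}:{node.lineno}: imports {name}")
        elif isinstance(node, ast.Call) and _call_name(node) in SUSPICIOUS_CALLS:
            findings.append(f"{path.name}:{node.lineno}: calls {_call_name(node)}()")
    for endpoint in sorted(set(ENDPOINT_RE.findall(src))):
        findings.append(f"{path.name}: hard-coded endpoint {endpoint}")
    return findings


def audit_archive(path: Path) -> list[str]:
    """Look inside a .war/.jar/.ear: a JSP packaged in a WAR is a deployable webshell."""
    try:
        with zipfile.ZipFile(path) as archive:
            members = archive.namelist()
    except zipfile.BadZipFile:
        return [f"{path.name}: not a valid zip archive; inspect manually"]
    return [f"{path.name} contains {m} (packaged JSP webshell)"
            for m in members if m.lower().endswith((".jsp", ".jspx"))]


def audit_repo(root: Path) -> list[str]:
    """Walk a cloned repo and return every reason not to run it yet."""
    readme = ""
    for candidate in root.glob("README*"):
        readme += candidate.read_text(errors="replace").lower()
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file() and ".git" not in p.parts):
        suffix = path.suffix.lower()
        if suffix in PAYLOAD_EXTENSIONS:
            note = "" if path.name.lower() in readme else " and not mentioned in the README"
            findings.append(f"{path.relative_to(root)}: {suffix} file in a Python POC{note}")
            if suffix in {".war", ".jar", ".ear"}:
                findings.extend(audit_archive(path))
        elif suffix == ".py":
            findings.extend(audit_python(path))
    return findings


def build_sample_repo(root: Path) -> None:
    """Constructed stand-in for the repo layout described in the post; placeholders only."""
    (root / "README.md").write_text("# CVE-2026-20131-POC\n\nRun: python3 CVE-2026-20131-POC.py <target>\n")
    (root / "CVE-2026-20131-POC.py").write_text(
        "import base64\n"
        "import requests\n"
        "import sys\n"
        "# Constructed lure: phones home to a documentation-range IP, then runs a decoded blob.\n"
        "requests.get('http://203.0.113.10/check')\n"
        "exec(base64.b64decode(b'cGFzcw=='))  # base64 of 'pass'\n"
    )
    (root / "cmd.jsp").write_text("<%-- constructed placeholder standing in for a JSP webshell --%>\n")
    with zipfile.ZipFile(root / "cmd.war", "w") as war:
        war.writestr("WEB-INF/web.xml", "<web-app/>")
        war.writestr("cmd.jsp", "<%-- constructed placeholder --%>")


def demo() -> list[str]:
    """Build the constructed sample in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_repo(root)
        return audit_repo(root)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Point `audit_repo()` at a real clone instead of the sample: every line it prints is a file to read or a call to justify before the script runs. It is deliberately static; nothing in the repo is imported or executed, which is the whole point when the thing you are checking might be the payload.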
The Pattern
Every major CVE disclosure triggers the same cycle:
1. Zero-day drops
2. Security teams scramble for POC code
3. Threat actors publish "POCs" with embedded payloads
4. Researchers clone without auditing
5. The defenders become the compromised
We call it Pattern #38. We've been tracking it since December 2025. It hasn't slowed down. It's accelerating.
The Cisco FMC zero-day gave Interlock 36 days of free access. The GitHub POC repos give the next wave of attackers access to the people trying to defend against the first wave.
It's supply chains all the way down.
Patrick Duggan hunts supply chain threats on GitHub from Minneapolis. His IOC feed has 1,026,000+ indicators including the Interlock campaign. The GitHub accounts in this post are linked for transparency — inspect them yourself.
Search the IOCs: [analytics.dugganusa.com](https://analytics.dugganusa.com)
DugganUSA GitHub threat hunting (Pattern #38 framework)
All GitHub profiles and repositories linked inline are public and were accessed March 23, 2026