Cybersecurity: CERT-AGID Report Reveals AI Risks and GitHub RCE

Discover CERT-AGID's cybersecurity analysis: PagoPA phishing, emerging risks like GitHub RCE, and AI MCP vulnerabilities. Here's what to know.

Between April 25 and 30, 2026, CERT-AGID analyzed 138 malicious campaigns, 97 of which targeted Italians, identifying 847 indicators of compromise. While PagoPA-themed and banking-sector phishing continues to account for the predominant share of attacks in the country, the weekly report highlights emerging and more sophisticated threats: a critical remote code execution (RCE) vulnerability affecting GitHub Enterprise Server, and the risk that the new Model Context Protocol (MCP) for LLMs is turned into an unauthorized network proxy.

PagoPA and Banking Phishing: the constant in the Italian landscape

The most persistent threat detected by CERT-AGID remains phishing, which continues to strike Italian citizens by exploiting institutional and financial brands. In the single week of April 25-30, the "Fines" theme was exploited in 38 phishing campaigns abusing the PagoPA name, while the "Banking" sector recorded 25 targeted campaigns against customers of PayPal, Klarna, Isybank, ING, Nexi, Intesa Sanpaolo, and other institutions. Overall, 33 brands were involved in these fraudulent operations.

Compared to the previous week (April 18-24), when CERT-AGID had analyzed 130 campaigns (96 Italian and 34 generic) with 1088 IoCs, substantial continuity is observed in the attack vectors. Banking campaigns and those related to traffic fines represent a consolidated and profitable attack pattern for malicious groups, who reuse already tested templates and infrastructures.

In this context, specific campaigns were identified that exploit the SPID logo and the Widiba name to deceive users about a supposed online account opening, and a phishing page hosted on Weebly targeting the University of Palermo. According to CERT-AGID, the template used for the Palermo university is identical to that already observed in recent campaigns against other Italian universities; this suggests a modus operandi presumably attributable to the same malicious actor, who adapts the same scheme to different targets. Overall, the campaigns involved 12 malware families that affected Italy in the week under review.

RCE on GitHub Enterprise: the server-side code execution risk

In addition to traditional fraud campaigns, the CERT-AGID report flags a critical vulnerability tracked as CVE-2026-3854 (CVSS score: 8.7), which affects GitHub and GitHub Enterprise Server. It is a command injection flaw that could allow an attacker with push access to a repository to achieve remote code execution on the instance.

The flaw is triggered through the push operation. According to public evidence, values containing delimiters like the semicolon were inserted into internal headers, including X-Stat, without sufficient checks. As highlighted by CERT-AGID, "Exploiting the flaw can allow an attacker to execute server-side commands during the push operation, bypassing security protections." Execution occurs in the context of the git user, with the command output returned to the client, confirming the actual compromise.
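The bug class described above (a delimiter inside a value changing the structure of a delimited header) can be shown with a minimal added example; it is not GitHub's code and not the real X-Stat layout. The header format, the field names `policy` and `client_option`, and all functions are hypothetical.

```python
import re

DELIM = ";"                          # field separator of the constructed format
KEY_RE = re.compile(r"[a-z_]+")      # hypothetical rule for field names
FORBIDDEN = set(";\r\n\0")           # characters that can alter the structure

def build_header_unsafe(fields):
    """'Before': joins key=value pairs without inspecting the values."""
    return DELIM.join(f"{k}={v}" for k, v in fields.items())

def parse_header(raw):
    """Downstream parser: a repeated key silently overwrites the earlier one."""
    parsed = {}
    for item in raw.split(DELIM):
        key, _, value = item.partition("=")
        parsed[key] = value
    return parsed

def build_header_safe(fields):
    """'After': reject structural characters, then verify the round trip."""
    for key, value in fields.items():
        if not KEY_RE.fullmatch(key):
            raise ValueError(f"invalid field name: {key!r}")
        if FORBIDDEN & set(value):
            raise ValueError(f"delimiter or control character in {key!r}")
    raw = build_header_unsafe(fields)
    if parse_header(raw) != dict(fields):
        raise ValueError("header does not round-trip")
    return raw

def demo():
    # Constructed input: the server sets 'policy', the client controls
    # 'client_option' and embeds the delimiter in it.
    fields = {"policy": "enforce", "client_option": "x;policy=skip"}
    seen_downstream = parse_header(build_header_unsafe(fields))["policy"]
    try:
        build_header_safe(fields)
        rejected = False
    except ValueError:
        rejected = True
    return seen_downstream, rejected
```

The round-trip comparison in `build_header_safe` catches any case where the parser would read back something other than what the serializer was given, even if the forbidden-character list is later found to be incomplete.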

A single malicious "git push" thus potentially exposed millions of private repositories. The fix for the cloud environment was applied by GitHub on March 4, 2026, and requires no action from users. Unpatched self-hosted instances of GitHub Enterprise Server are likely still exposed to this risk, making timely patching by system administrators necessary.

AI and LLM Security: the SSRF danger via Model Context Protocol

The other threat frontier reported by CERT-AGID concerns artificial intelligence, particularly architectures based on Large Language Models (LLMs) and the Model Context Protocol (MCP). CERT-AGID published an analysis of how incomplete controls on this protocol can allow unauthorized network requests and lead to Server-Side Request Forgery (SSRF) vulnerabilities.

MCPs allow LLMs to interact with external data sources and tools. However, in the absence of strict permission definition and request isolation, the risk of escalation is real. CERT-AGID emphasizes that "an MCP designed for consultation can turn into a network proxy." This suggests that if an LLM is instructed or manipulated to query unexposed internal or external resources, the protocol can become an unwitting bridge for the attacker. The increasingly widespread adoption of AI agents within corporate infrastructures is likely to amplify the attack surface, making SSRF via MCP a preferred access vector for unauthorized lateral movement within the internal network.
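One way to keep a consultation tool from becoming a network proxy is to validate every URL before the tool fetches it. The following is an added example, not code from CERT-AGID or from any MCP SDK; the allowlisted host names, the policy constants and the constructed DNS answers are assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical policy for one read-only "fetch documentation" MCP tool.
ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"docs.example.org", "wiki.example.org"}

def system_resolve(host):
    """Resolve a host name to the IP addresses the OS would connect to."""
    try:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def is_public(ip_text):
    """True only for globally routable addresses (no loopback, private, link-local)."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    mapped = getattr(ip, "ipv4_mapped", None)  # unwrap ::ffff:a.b.c.d
    return (mapped or ip).is_global

def check_tool_url(url, resolve=system_resolve):
    """Return (allowed, reason) for a URL the model asked the tool to fetch."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:
        return False, "malformed URL"
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if not host or parts.username or parts.password:
        return False, "missing host or embedded credentials"
    if host not in ALLOWED_HOSTS:
        return False, "host not on allowlist"
    addrs = resolve(host)
    if not addrs or not all(is_public(a) for a in addrs):
        return False, "resolves to a non-public address"
    return True, "ok"

# Constructed DNS answers so the example runs offline.
FAKE_DNS = {"docs.example.org": ["93.184.216.34"], "wiki.example.org": ["10.0.0.5"]}

def demo():
    urls = ["https://docs.example.org/guide", "https://wiki.example.org/page",
            "https://169.254.169.254/", "ftp://docs.example.org/file"]
    return {u: check_tool_url(u, lambda h: FAKE_DNS.get(h, [])) for u in urls}
```

The fetch itself should connect to the address that was checked and repeat the check on every redirect; otherwise a second DNS lookup or a redirect can sidestep the validation.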

Looking at the broader malware picture, CERT-AGID's summary report on 2025 trends offers relevant context: out of 90 identified malware families, about 60% fall into the infostealer category, while a further 30% fall into the RAT (Remote Access Trojan) category. This distribution indicates a clear preference by attackers for tools aimed at credential theft and persistent access, which pair naturally with the phishing campaigns observed in recent weeks to maximize the impact on Italian victims.

Frequently Asked Questions

What are the most frequent phishing campaigns in Italy according to CERT-AGID?
Between April 25 and 30, 2026, the most frequent campaigns exploit the "Fines" theme via PagoPA (38 campaigns) and the "Banking" sector (25 campaigns) targeting customers of institutions like Intesa Sanpaolo, ING, Nexi, and PayPal.

How does the GitHub RCE vulnerability CVE-2026-3854 work?
CVE-2026-3854 is a command injection vulnerability in GitHub and GitHub Enterprise Server. By exploiting the push operation with values containing delimiters like the semicolon inserted into internal headers (e.g., X-Stat), an attacker can execute server-side commands bypassing security protections.

What security risks do Model Context Protocols (MCP) pose for LLMs?
CERT-AGID highlights that incomplete controls on MCPs can allow unauthorized network requests and SSRF vulnerabilities. A consultation MCP could turn into a network proxy, allowing the LLM to interact with internal or external resources in an unauthorized manner.

The information has been verified against the cited sources and updated at the time of publication.
