
SANS Internet StormCast
Understanding layered malware techniques helps responders detect hidden payloads that traditional scans might miss. The highlighted vulnerabilities affect widely used infrastructure—from IoT adapters to browsers and data‑analytics platforms—so timely patching and proper network segmentation are essential to prevent large‑scale compromise.
In this Stormcast episode, Johannes Ullrich dissects a seemingly innocuous Chrome‑injected info‑stealer that later drops a concealed image file. The image masquerades as an MSI motherboard wallpaper but carries extra code that installs a second payload. This multi‑stage approach lets attackers extend functionality while evading basic antivirus scans, illustrating why incident responders must dig beyond the initial malicious script to uncover hidden components. Such techniques exploit the trust users place in familiar visual assets, and they often bypass signature‑based detection because the malicious code is appended after the image’s EOF marker.
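A responder's check for the appended-data trick described above, added here as an example and not code from the diary or from SANS: it walks PNG chunks to the IEND chunk and JPEG segments to the EOI marker, then reports any bytes that follow, which a polyglot "wallpaper" would carry. The sample images and trailer are constructed for the demo; the diary's actual file format is not stated, so both formats are handled.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_SKIP = {0x00, *range(0xD0, 0xD8)}  # FF00 stuffing and RST0-7 are the only FF xx inside scan data

def png_trailer(data: bytes):
    """Bytes after the IEND chunk, or None if the input is not a parseable PNG."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length + 4  # length + type + payload + CRC
        if end > len(data):
            return None  # truncated chunk
        if ctype == b"IEND":
            return data[end:]
        pos = end
    return None

def jpeg_trailer(data: bytes):
    """Bytes after EOI, or None if not a parseable JPEG. Segments are walked so an FF D9 inside an
    APPn payload (an EXIF thumbnail, say) is not mistaken for the real end of image."""
    if not data.startswith(b"\xff\xd8"):
        return None
    pos = 2
    while pos + 2 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker == 0xD9:  # EOI: the image ends here
            return data[pos + 2:]
        if pos + 4 > len(data):
            return None
        pos += 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]  # segment length includes itself
        if marker == 0xDA:  # SOS: skip entropy-coded data up to the next real marker
            while pos + 1 < len(data) and not (data[pos] == 0xFF and data[pos + 1] not in JPEG_SKIP):
                pos += 1
    return None

def trailing_payload(data: bytes):  # -> (format, trailer); trailer b"" means the file ends at its marker
    for fmt, probe in (("png", png_trailer), ("jpeg", jpeg_trailer)):
        if (trailer := probe(data)) is not None:
            return fmt, trailer
    return None, None

# Constructed test data (not samples from the diary): a PNG skeleton, a tiny baseline JPEG, a trailer.
CLEAN_PNG = PNG_SIG + b"\x00\x00\x00\x00IEND" + struct.pack(">I", zlib.crc32(b"IEND"))
CLEAN_JPEG = (b"\xff\xd8\xff\xe0\x00\x04\x00\x00" + b"\xff\xda\x00\x03\x01"  # SOI, APP0, SOS header
              + b"\x12\xff\x00\x34\xff\xd0\x56" + b"\xff\xd9")  # stuffed scan data with RST0, then EOI
APPENDED = b"CONSTRUCTED-TRAILER-DATA"
```

A non-empty trailer is not proof of malice on its own (some cameras and editors append metadata), so treat it as a triage signal and inspect the bytes that follow the marker.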
The briefing then shifts to three critical vulnerability clusters. First, Synecdus LAN 232 serial‑to‑Ethernet adapters expose an unauthenticated web‑admin console, granting attackers full device control with no patch available. Second, Google Chrome received patches for a libvpx heap buffer overflow and a V8 JavaScript engine type‑confusion bug, underscoring the need for daily restarts and version checks. Third, Tenable reported severe issues in on‑premise Google Looker—git path‑reversal and arbitrary code execution via unchecked git hooks—and a Django PostGIS SQL injection that affects geographic data handling. Because the Synecdus device lacks any encryption, attackers can also sniff traffic and inject commands, making it a prime target for supply‑chain compromises.
Organizations should implement network segmentation to isolate legacy serial adapters and use browser allowlists. Regularly review Looker git configurations and sanitize path inputs to stop path‑reversal. Enabling Django’s security middleware and validating GIS inputs mitigates the PostGIS SQL injection risk. Additionally, schedule automated patch cycles and conduct periodic penetration tests to verify that no hidden scripts remain on endpoints.
Malicious Script Delivering More Maliciousness
https://isc.sans.edu/diary/Malicious+Script+Delivering+More+Maliciousness/32682
https://www.cisa.gov/news-events/ics-advisories/icsa-26-034-04
https://chromereleases.googleblog.com/2026/02/stable-channel-update-for-desktop.html
https://www.tenable.com/blog/google-looker-vulnerabilities-rce-internal-access-lookout