
SANS Stormcast Friday, May 22nd, 2026: Selective HTTP Proxying; More GitHub Repo Trouble; MSFT Defender Patches;
In this episode, Johannes Ulrich discusses selective HTTP proxying techniques, highlighting Proxifier for macOS/Windows and Linux alternatives such as environment variables, iptables, and network namespaces. He then details a recent GitHub repository attack that leverages harvested credentials to inject malicious GitHub Actions, exfiltrating a wide range of secrets to an external IP. Finally, he covers Microsoft Defender patches for the Red Sun and Undefend privilege‑escalation exploits and a critical Cisco Secure Workload REST API authentication bypass with a CVSS 10 rating.
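The three Linux options named above (environment variables, iptables, network namespaces) side by side, as an added example that is not from the episode or from Proxifier: each sends only one program's HTTP(S) traffic to a local intercepting proxy such as Burp. The proxy address, the 10.200.1.0/24 veth range and the DRY_RUN switch are assumptions for this example; the iptables and netns paths need root, and the proxy must run in transparent ("invisible") mode for them, since the client believes it is talking to the origin.

```shell
#!/bin/sh
# Added example (not from the podcast): three ways to send only one program's
# HTTP(S) traffic through a local intercepting proxy such as Burp on Linux.
# Proxy address, the veth addresses and DRY_RUN are assumptions for this example.
PROXY_HOST=${PROXY_HOST:-127.0.0.1}
PROXY_PORT=${PROXY_PORT:-8080}
NS_HOST_IP=10.200.1.1        # host side of the veth pair (hypothetical range)
NS_GUEST_IP=10.200.1.2       # namespace side

# With DRY_RUN set, print the privileged commands instead of executing them,
# so the rule set can be reviewed before it touches the host.
run() {
    if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# 1) Environment variables. Cheapest option, but only honoured by clients that
#    read them (curl, wget, pip, git, most Python/Go HTTP libraries); anything
#    that ignores them, including many Electron apps and native binaries, goes
#    straight past the proxy, and you will not notice unless you watch the wire.
proxy_env() {
    env http_proxy="http://$PROXY_HOST:$PROXY_PORT" \
        https_proxy="http://$PROXY_HOST:$PROXY_PORT" \
        HTTP_PROXY="http://$PROXY_HOST:$PROXY_PORT" \
        HTTPS_PROXY="http://$PROXY_HOST:$PROXY_PORT" \
        no_proxy="localhost,127.0.0.1" "$@"
}

# 2) iptables owner match. Redirects ports 80/443 for every process running as
#    one UID to the proxy port. Needs root, and the proxy must support
#    transparent mode. Run the target as a dedicated user so the proxy's own
#    outbound connections (a different UID) are not looped back into itself.
proxy_iptables() {
    uid=$1
    for port in 80 443; do
        run iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner "$uid" \
            --dport "$port" -j REDIRECT --to-ports "$PROXY_PORT"
    done
}

# 3) Network namespace. Strongest isolation: the program sees exactly one
#    interface, the host DNATs its web traffic to the proxy, and everything
#    else (DNS, non-HTTP) is masqueraded out normally. The proxy must listen on
#    NS_HOST_IP (or 0.0.0.0), not only on 127.0.0.1, because DNAT to loopback
#    from another interface is dropped unless route_localnet is enabled.
#    Afterwards: ip netns exec <ns> sudo -u <user> <program>
proxy_netns() {
    ns=${1:-proxyns}
    run ip netns add "$ns"
    run ip link add "veth-$ns" type veth peer name veth0 netns "$ns"
    run ip addr add "$NS_HOST_IP/24" dev "veth-$ns"
    run ip link set "veth-$ns" up
    run ip netns exec "$ns" ip addr add "$NS_GUEST_IP/24" dev veth0
    run ip netns exec "$ns" ip link set veth0 up
    run ip netns exec "$ns" ip link set lo up
    run ip netns exec "$ns" ip route add default via "$NS_HOST_IP"
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -A PREROUTING -i "veth-$ns" -p tcp -m multiport \
        --dports 80,443 -j DNAT --to-destination "$NS_HOST_IP:$PROXY_PORT"
    run iptables -t nat -A POSTROUTING -s "$NS_GUEST_IP/24" -j MASQUERADE
}

# usage: proxy.sh env <cmd...> | iptables <uid> | netns [name]
case "${1:-}" in
    env)      shift; proxy_env "$@" ;;
    iptables) proxy_iptables "$2" ;;
    netns)    proxy_netns "$2" ;;
esac
```

Run with DRY_RUN=1 first to see the exact rules the iptables or netns path would add; the env path needs no privileges and is the right first try for command-line tools, while the netns path is the one that catches clients that ignore proxy settings or pin their own resolver.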

SANS Stormcast Thursday, May 14th, 2026: Flexible Windows Proxy; News From Nightmare Eclipse; Adobe Patches
In this 5‑minute Stormcast episode, host Johannes Ulrich highlights Proxifier, a Windows tool that isolates application traffic for proxying to tools like Burp Suite, reducing noise in API testing. He then discusses two new vulnerabilities from researcher Nightmare Eclipse: Yellow...

SANS Stormcast Tuesday, May 12th, 2026: Apple Patches; Encrypted RCS; CAPTCHAs; Checkmarx vs TeamPCP;
In this 5‑minute Stormcast episode, Johannes Ulrich reviews Apple’s latest patch cycle, which addresses roughly 80 vulnerabilities across iOS, iPadOS, macOS, tvOS, watchOS and visionOS, and highlights the new end‑to‑end encrypted RCS messaging feature for iPhone‑to‑iPhone and iPhone‑to‑Android chats. He...

SANS Stormcast Monday, May 11th, 2026: New Linux Priv Escalation; PAM Backdoors; cPanel Updates; Let’s Encrypt
In this 7‑minute StormCast, Johannes Ulrich warns of a new Linux privilege‑escalation flaw called DirtyFrag, which requires both the RPCRX kernel module and an ESP (IPSec) module to be loaded. He also highlights recent research showing how compromised PAM modules...

SANS Stormcast Monday, May 4th, 2026: Malicious Homebrew Ads; Wireshark Update; Digicert False Positive; cPanel Exploited
In this 7‑minute Stormcast episode, Johannes Ulrich reviews a malicious Homebrew ad campaign that leverages Google’s ad and hosting platforms to deliver a Mac‑based stealer, highlights the new Wireshark 4.6.5 release fixing 43 AI‑discovered vulnerabilities, explains a false‑positive incident where...

SANS Stormcast Friday, May 1st, 2026: Libredtail; FreeBSD Dhclient Vuln; Linux Copy-Fail; @Sans_edu Detecting AI Pickling
In this Stormcast episode, Johannes Ulrich covers three critical security issues: the resurgence of the RedTail crypto‑miner malware exploiting legacy web‑app flaws, a remote‑code‑execution bug in FreeBSD's dhclient that can be triggered via spoofed DHCP packets, and the newly disclosed...

SANS Stormcast Friday, April 24th, 2026: Apple Update; Bitwarden Compromise; ASP.NET Core Patch
In this 6‑minute Stormcast episode, Johannes Ulrich discusses three urgent security updates: Apple’s iOS/iPadOS patch that fixes a notification‑center bug exploited to recover Signal messages, the compromise of Bitwarden’s command‑line tools via a GitHub‑worker attack linked to the earlier Checkmarx‑kicks...

SANS Stormcast Tuesday, April 21st, 2026: CVE and EPSS; Windows Server 2025 OOB; QEMU Abuse;
In this 5‑minute Stormcast episode, Johannes Ulrich discusses the surge of new CVEs and the limitations of the NVD, introducing the Exploit Prediction Scoring System (EPSS) as a scalable way to prioritize vulnerabilities. He then covers Microsoft’s out‑of‑band patch for...

SANS Stormcast Thursday, April 16th, 2026: AI Credential Scans; Microsoft Update Issues; RDP Warnings; GitHub Action Vulns;
In this 7‑minute Stormcast episode, Johannes Ulrich warns that attackers are increasingly scanning web servers for AI‑related configuration files such as .env files containing OpenAI, Claude, or OpenClaw credentials, emphasizing the need for proper secret management and billing alerts. He...
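A check a web-server owner would want after hearing this item, as an added example that is not from the episode: pull the .env probes out of a combined-format access log, rank the scanning sources, and above all find any probe that got a 2xx, because that means the secrets file is readable right now. The log lines are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the podcast): find scans for exposed .env files in an
# Apache/nginx combined-format access log and flag any that SUCCEEDED (2xx).
# The log lines below are constructed for this example; IPs are documentation ranges.
SAMPLE_LOG='203.0.113.7 - - [16/Apr/2026:09:12:01 +0000] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Apr/2026:09:12:02 +0000] "GET /.env.bak HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Apr/2026:09:12:03 +0000] "GET /api/.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.23 - - [16/Apr/2026:09:30:44 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "curl/8.5"
198.51.100.23 - - [16/Apr/2026:09:30:45 +0000] "GET /.env HTTP/1.1" 200 512 "-" "curl/8.5"
192.0.2.99 - - [16/Apr/2026:10:01:10 +0000] "GET /config/.env.local HTTP/1.1" 403 0 "-" "python-requests/2.31"'

# Print "ip status path" for every request on stdin whose path is a .env file
# or one of its usual variants (.env.bak, .env.local, ...) in any directory.
# The request line is the second double-quoted field; the path is its 2nd word;
# the status code is field 9 in combined format.
env_probes() {
    awk '
        { split($0, q, "\""); split(q[2], r, " "); path = r[2] }
        path ~ /\/\.env(\.[A-Za-z0-9_.-]+)?$/ { print $1, $9, path }'
}

# Probes per source IP, busiest first: identifies the scanners.
env_probe_counts() {
    env_probes | awk '{ n[$1]++ } END { for (ip in n) print n[ip], ip }' | sort -rn
}

# The check that matters: a probe answered with 2xx means the file is exposed.
env_leaks() {
    env_probes | awk '$2 ~ /^2/'
}

# Report helpers run against the constructed sample (replace with: cat access.log | env_leaks).
count_probes() { printf '%s\n' "$SAMPLE_LOG" | env_probes | wc -l | tr -d ' '; }
count_leaks()  { printf '%s\n' "$SAMPLE_LOG" | env_leaks  | wc -l | tr -d ' '; }
top_scanner()  { printf '%s\n' "$SAMPLE_LOG" | env_probe_counts | head -1 | awk '{ print $2 }'; }
leaked_paths() { printf '%s\n' "$SAMPLE_LOG" | env_leaks | awk '{ print $3 }'; }
```

On the sample, five probes come from three sources, 203.0.113.7 is the noisiest, and one request for /.env returned 200 with 512 bytes: that is the line to act on (rotate the keys in it, block dotfiles at the web server, and set the billing alerts the episode recommends), regardless of how many scanners were turned away with 404.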

SANS Stormcast Thursday, April 9th, 2026: Honeypot Fingerprinting; Microsoft Locks Developer Accounts; ActiveMQ Vuln;
In this 7‑minute Stormcast episode, Johannes Ulrich discusses three security topics: attackers fingerprinting medium‑interaction honeypots by using obvious usernames like "honeypot" to confirm they’re not real systems; Microsoft’s recent suspension of developer accounts for privacy‑focused projects such as WireGuard, VeraCrypt,...

SANS Stormcast Wednesday, April 1st, 2026: Application Control Bypass; Axios NPM Module Compromise; TeamPCP vs Cloud
In this 6‑minute Stormcast episode, Johannes Ulrich discusses three urgent security topics: a technique for bypassing Palo Alto's application control by fragmenting data into 5‑byte chunks via a Netcat tunnel, the recent supply‑chain compromise of the popular npm Axios package...

SANS Stormcast Tuesday, March 31st, 2026: Honeypot Session Lifetime; Let’s Encrypt Tests Mass Revocation; F5 RCE Exploited
In this 5‑minute Stormcast episode, host Johannes Ulrich discusses three security topics: the typical short lifespan of honeypot sessions and how the final command attackers run can reveal they’re in a honeypot; Let’s Encrypt’s staged test of its mass‑revocation process...

SANS Stormcast Thursday, March 26th, 2026: Apple Patches; SmartApeSG Update; Trivy/LiteLLM/TeamPCP Update; Google Accelerates Quantum-Safe Crypto Rollout
In this 7‑minute Stormcast episode, Johannes Ulrich reviews Apple’s latest patch cycle—85 vulnerabilities across iOS, macOS, and watchOS—emphasizing the importance of timely updates even though none are known to be actively exploited. He then provides an update on the LiteLLM...

SANS Stormcast Monday, March 23rd, 2026: GSocket Backdoor in Bash; Oracle Security Alert; Rockwell Attacks
In this episode, Johannes Ulrich reviews a bash-based malware analysis by Xavier that uses the GSocket backdoor to maintain persistence via a cron job and employs time‑stomping to hide file modifications. He also highlights a critical Oracle security alert for...

SANS Stormcast Thursday, March 5th, 2026: XWorm Analysis; Cisco “Secure” Firewall Management Center; LastPass Phishing
In this 7‑minute Stormcast episode, Johannes Ulrich and guest Xavier dissect a new XWorm sample, tracing its infection chain from a phishing email with a 7‑zip attachment through JavaScript, PowerShell, and a .NET DLL loader to the final payload. They...
