
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast) SANS Stormcast Wednesday, April 1st, 2026: Application Control Bypass; Axios NPM Module Compromise; TeamPCP vs Cloud
Apr 1, 2026
Discussion of a Netcat-based application control bypass used for covert data exfiltration. Examination of a compromised Axios NPM package that delivered malicious post-install scripts and remote access tools. Analysis of TeamPCP activity shifting from credential theft toward targeting cloud resources and secrets. Detection clues and odd-port artifacts are highlighted.
AI Snips
Application Control Evaded With 5,000 Byte Chunks
- Application control can be evaded by streaming data in pieces that stay below the amount of traffic an NGFW needs before it can classify the application; a flow that never reaches that point is never identified.
- Xavier used a Netcat wrapper that sends data in chunks of about 5,000 bytes because Palo Alto's App-ID needs roughly that much data to identify the application protocol.
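The sub-threshold transfer pattern above, and a detection heuristic for it, as an added example in Python. This is not code from the ISC diary, the podcast, or any vendor: the ~5,000-byte figure is the one quoted in the episode, while the connection-log layout (ts, dst, port, orig_bytes), the constructed sample lines, the odd destination port and the detection thresholds are this example's own assumptions.

```python
"""Added example: models a wrapper that keeps every connection under the
App-ID classification threshold, then flags the resulting pattern in a
simplified connection log. Not the diary's or the podcast's code."""
from collections import defaultdict

# Approximate bytes the episode says Palo Alto needs to identify the application.
APPID_THRESHOLD = 5000

# Constructed log sample (assumption: Zeek-like columns ts, dst, port, orig_bytes).
# Line 1 is a normal browser-sized download on 443; the rest are many small
# connections to one odd port, each just under the threshold.
SAMPLE_CONN_LOG = """\
1700000000.0\t198.51.100.7\t443\t184320
1700000001.0\t203.0.113.10\t4444\t4999
1700000002.0\t203.0.113.10\t4444\t4999
1700000003.0\t203.0.113.10\t4444\t4999
1700000004.0\t203.0.113.10\t4444\t4999
1700000005.0\t203.0.113.10\t4444\t4999
1700000006.0\t203.0.113.10\t4444\t1210
"""


def chunk_payload(data: bytes, max_bytes: int = APPID_THRESHOLD - 1):
    """Split a payload into pieces that each stay below the classification threshold."""
    if max_bytes <= 0:
        raise ValueError("max_bytes must be positive")
    return [data[i:i + max_bytes] for i in range(0, len(data), max_bytes)]


def simulate_transfer(data: bytes, dst: str, port: int,
                      max_bytes: int = APPID_THRESHOLD - 1,
                      start_ts: float = 0.0, interval: float = 1.0):
    """Model the wrapper as one short-lived connection per chunk and return the
    connection records such a transfer would leave behind (constructed, not
    real firewall output)."""
    return [
        {"ts": start_ts + i * interval, "dst": dst, "port": port, "orig_bytes": len(chunk)}
        for i, chunk in enumerate(chunk_payload(data, max_bytes))
    ]


def parse_conn_log(text: str):
    """Parse the tab-separated sample format into connection records."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, dst, port, orig_bytes = line.split("\t")
        records.append({"ts": float(ts), "dst": dst, "port": int(port),
                        "orig_bytes": int(orig_bytes)})
    return records


def flag_sub_threshold_bursts(records, threshold: int = APPID_THRESHOLD,
                              min_conns: int = 5, min_total: int = 20000):
    """Heuristic: many connections to the same dst:port that each carry less than
    the threshold but together move a lot of data. A single large download is
    classified normally and is not flagged. Thresholds are assumptions to tune."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["dst"], r["port"])].append(r)
    findings = []
    for (dst, port), conns in groups.items():
        small = [c for c in conns if c["orig_bytes"] < threshold]
        total = sum(c["orig_bytes"] for c in small)
        if len(small) >= min_conns and total >= min_total:
            findings.append({"dst": dst, "port": port, "connections": len(small),
                             "bytes": total,
                             "max_conn_bytes": max(c["orig_bytes"] for c in small)})
    return findings


if __name__ == "__main__":
    for finding in flag_sub_threshold_bursts(parse_conn_log(SAMPLE_CONN_LOG)):
        print("suspicious sub-threshold burst:", finding)
    simulated = simulate_transfer(b"A" * 60000, "203.0.113.10", 4444)
    print(len(simulated), "connections, largest",
          max(r["orig_bytes"] for r in simulated), "bytes")
```

The detection side keys on what the bypass cannot avoid: the data still has to leave, so it shows up as a burst of short, uniformly sized connections to one destination and port, each too small to classify. Tune `min_conns` and `min_total` against your own baseline before alerting on them.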
Audit And Remove Malicious Axios Versions Immediately
- Audit the installed package versions (every lockfile and node_modules tree, including nested copies) and remove any axios version published during the incident window.
- Rely on StepSecurity's indicators of compromise and timeline rather than on what is left on disk, because the malicious post-install step deletes some of the files it dropped once the RAT is installed.
Axios NPM Compromise Delivered Post Install RATs
- The popular npm package axios was briefly compromised after its GitHub admins' accounts were breached.
- The compromised versions added a crypto-js dependency and ran malicious post-install scripts that installed OS-specific remote access tools; the bad versions were available for roughly three hours.
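The audit described in the two Axios sections above, as an added example in Python. It is not StepSecurity's tooling or the axios project's code: it walks a node_modules tree, reports every installed axios version (nested copies included), and flags manifests showing the traits the episode describes, a lifecycle script such as postinstall or a crypto-js dependency, neither of which a clean axios package.json declares. The affected-version list is assumed to be supplied by the operator from the StepSecurity advisory, and the sample manifests and version strings built by `build_sample_tree` are constructed placeholders, not the real packages.

```python
"""Added example: audit installed axios copies for the traits described in the
episode. Not StepSecurity's or the axios project's code. Affected versions
must come from the published IOC list; the ones below are placeholders."""
import json
import tempfile
from pathlib import Path

# npm lifecycle hooks that run code at install time (assumption: these are the
# hooks worth flagging for a package that normally declares none).
LIFECYCLE_SCRIPTS = ("preinstall", "install", "postinstall")


def audit_axios_manifest(manifest: dict, affected_versions=()):
    """Return findings for one axios package.json. A clean manifest yields []."""
    findings = []
    version = manifest.get("version", "?")
    if version in affected_versions:
        findings.append(f"version {version} is in the supplied affected-version list")
    scripts = manifest.get("scripts") or {}
    for hook in LIFECYCLE_SCRIPTS:
        if hook in scripts:
            findings.append(f"{hook} script present: {scripts[hook]!r}")
    for field in ("dependencies", "optionalDependencies"):
        deps = manifest.get(field) or {}
        for name, spec in deps.items():
            if "crypto-js" in name:
                findings.append(f"{field} pulls in {name}@{spec}")
    return {"name": manifest.get("name"), "version": version, "findings": findings}


def audit_node_modules(root, affected_versions=()):
    """Find every node_modules/axios/package.json under root and audit it.
    Note: the dropper cleans up some files after the RAT is installed, so a
    manifest that looks clean now is not proof; the version check against the
    advisory's list and timeline still applies."""
    results = []
    for manifest_path in sorted(Path(root).rglob("package.json")):
        if manifest_path.parent.name != "axios" or manifest_path.parent.parent.name != "node_modules":
            continue
        with open(manifest_path, encoding="utf-8") as fh:
            manifest = json.load(fh)
        if manifest.get("name") != "axios":
            continue
        result = audit_axios_manifest(manifest, affected_versions)
        result["path"] = str(manifest_path)
        results.append(result)
    return results


def build_sample_tree():
    """Construct a throwaway node_modules tree with a clean and a suspect axios
    copy (placeholder versions, not real releases) and return its root."""
    root = Path(tempfile.mkdtemp(prefix="axios-audit-example-"))
    clean = {"name": "axios", "version": "0.0.0-clean-example",
             "dependencies": {"follow-redirects": "^1.0.0"}}
    suspect = {"name": "axios", "version": "0.0.0-suspect-example",
               "scripts": {"postinstall": "node setup.js"},
               "dependencies": {"follow-redirects": "^1.0.0", "crypto-js": "*"}}
    for rel, manifest in (("node_modules/axios", clean),
                          ("node_modules/some-app/node_modules/axios", suspect)):
        target = root / rel
        target.mkdir(parents=True)
        (target / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for r in audit_node_modules(sample_root, affected_versions=("0.0.0-suspect-example",)):
        status = "SUSPECT" if r["findings"] else "ok"
        print(f"{status}: {r['path']} ({r['version']})")
        for f in r["findings"]:
            print("   -", f)
```

Run it with a real project root and the advisory's version list in place of the placeholders; any copy with a lifecycle script, a crypto-js dependency, or a listed version should be removed and the host treated as potentially compromised, since the post-install payload may already have run.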
