
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast) SANS Stormcast Thursday, February 5th, 2026: Malicious Scripts; Synectix Vuln; Google Chrome; Google Looker;
Feb 5, 2026. A malware-laden Chrome script that pulls a hidden second-stage payload, and why attackers favor multi-stage installs. An unauthenticated web admin interface in a small LAN appliance, and the dangers of exposing tiny serial-to-Ethernet devices. Remote code execution and path-traversal flaws in Looker affecting cloud and on-prem deployments. Recent Chrome and Django security patches and a PostGIS-related SQL injection alert.
Script Hid Secondary Malware In Image
- Xavier dove deeper into an injected script and found it downloaded an image with extra code appended to install more malware.
- The initial loader looked like an info stealer for Chrome but then fetched a secondary payload that installed XWorm.
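A triage check for the technique this snip describes, added here as an example and not code from the podcast or its author: both PNG and JPEG end with a terminal marker (the IEND chunk and the EOI marker respectively), so any bytes that follow it are not part of the image and deserve a closer look. The sample images and the appended placeholder bytes below are constructed inline; the JPEG walker is simplified and does not descend into embedded thumbnails.

```python
"""Flag image files that carry extra data after the real image ends.

Added example (not from the SANS podcast): a loader that fetches an image with
code appended to it leaves a tell-tale trailer after the format's end marker.
"""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8"
# Bytes that may follow 0xFF inside entropy-coded JPEG data without starting a
# new segment: 0x00 (stuffed byte), 0xFF (fill byte), 0xD0..0xD7 (restart markers).
_NOT_A_MARKER = {0x00, 0xFF} | set(range(0xD0, 0xD8))

# Constructed stand-in for whatever an attacker appends; not a real payload.
PAYLOAD = b"APPENDED-STAGE-PLACEHOLDER"


def png_trailing_bytes(data: bytes) -> bytes:
    """Walk the PNG chunk list and return whatever follows the IEND chunk."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        ctype = data[pos + 4:pos + 8]
        pos += 8 + length + 4  # length + type + payload + CRC
        if ctype == b"IEND":
            return data[pos:]
    raise ValueError("truncated PNG: no IEND chunk")


def jpeg_trailing_bytes(data: bytes) -> bytes:
    """Walk JPEG segments (simplified) and return whatever follows the EOI marker."""
    if not data.startswith(JPEG_SOI):
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xD9:  # EOI: everything after it is a trailer
            return data[pos + 2:]
        if pos + 4 > len(data):
            break
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seg_len
        if marker == 0xDA:  # SOS: skip entropy-coded data up to the next real marker
            while pos + 1 < len(data):
                if data[pos] == 0xFF and data[pos + 1] not in _NOT_A_MARKER:
                    break
                pos += 1
    raise ValueError("truncated JPEG: no EOI marker")


def analyze(data: bytes) -> dict:
    """Report the image type and how many bytes trail its end-of-image marker."""
    if data.startswith(PNG_SIG):
        kind, trailing = "png", png_trailing_bytes(data)
    elif data.startswith(JPEG_SOI):
        kind, trailing = "jpeg", jpeg_trailing_bytes(data)
    else:
        return {"format": "unknown", "trailing_bytes": 0, "suspicious": False}
    return {"format": kind, "trailing_bytes": len(trailing), "suspicious": len(trailing) > 0}


def _png_chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def make_sample_png() -> bytes:
    """Constructed 1x1 grayscale PNG (a valid, decodable image)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    return PNG_SIG + _png_chunk(b"IHDR", ihdr) + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b"")


def make_sample_jpeg() -> bytes:
    """Constructed JPEG skeleton: SOI, APP0, SOS, stuffed entropy bytes, EOI.

    Structurally valid for marker parsing; not a decodable picture.
    """
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    entropy = b"\x12\x34\xff\x00\x56\xff\xd0\x78"  # stuffed 0xFF00 and an RST0 inside scan data
    return JPEG_SOI + app0 + sos + entropy + b"\xff\xd9"


if __name__ == "__main__":
    for label, blob in (("clean png", make_sample_png()),
                        ("png+trailer", make_sample_png() + PAYLOAD),
                        ("clean jpeg", make_sample_jpeg()),
                        ("jpeg+trailer", make_sample_jpeg() + PAYLOAD)):
        print(label, analyze(blob))
```

Run it over a directory of downloaded images from a proxy cache or sandbox and anything reported as `suspicious` is a candidate for further inspection; a non-zero trailer is a strong signal because legitimate encoders stop writing at IEND or EOI.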
Layered Payloads Evade Single Detection
- Attackers layer payloads so a secondary component may survive detection that caught the first stage.
- Expanding capabilities by appending lines to an existing script is an easy way for attackers to monetize compromised systems.
Tiny Devices Often Lack Basic Security
- The Synectix LAN-232 TRIO web admin required no authentication, giving full device control to anyone who can reach it.
- Minimal embedded devices often expose simple services without encryption or proper access controls.
