
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)
SANS Stormcast Tuesday, February 24th, 2026: Malicious JPEG Analysis; Calibre Vuln; jsPDF object injection; Roundcube Exploited
Feb 24, 2026
A breakdown of a malicious JPEG that masked a downloader for Remcos RAT. Analysis of Calibre path traversal flaws that allow arbitrary file write and possible code execution. Examination of a jsPDF addJS object-injection vulnerability. Alert about active exploitation of a Roundcube webmail PHP serialization bug and urgency to patch self-hosted mail systems.
Malicious JPEG Began As Obfuscated Zip Downloader
- Johannes Ullrich describes a malicious JPEG delivered as a zip containing an obfuscated JavaScript downloader.
- The attacker padded the JS with more than 1 MB of garbage; underneath was a small downloader that fetched a JPEG carrying scripts and installed the Remcos RAT.
Enable DMARC DKIM And SPF To Block Faked Senders
- Use email authentication like DMARC, DKIM, and SPF to block faked sender addresses.
- Johannes Ullrich warns that the attack's from-address was faked and would fail properly configured DMARC/DKIM/SPF checks.
Calibre Path Traversal Enables Arbitrary File Writes
- Two critical Calibre vulnerabilities allow path traversal and arbitrary file write leading to potential code execution.
- Exploits rely on opening a crafted ebook that extracts files into attacker-controlled paths because Calibre fails to sanitize extraction locations.
