SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)
Johannes B. Ullrich
A brief daily summary of what is important in information security. The podcast is published every weekday and designed to get you ready for the day with a brief, usually 5 minute long, summary of current network security related events. The content is late breaking, educational and based on listener input as well as on input received by the SANS Internet Stormcenter. You may submit questions and comments via our contact form at https://isc.sans.edu/contact.html .
Episodes
Apr 9, 2026 • 8min
SANS Stormcast Thursday, April 9th, 2026: Honeypot Fingerprinting; Microsoft Locks Developer Accounts; ActiveMQ Vuln;
Discussion covers honeypot fingerprinting tactics and simple tweaks defenders can use to avoid detection. A cluster of developer account suspensions tied to new Windows driver signing rules and updates is explained. A recently disclosed ActiveMQ remote code execution via Jolokia and urgent patch guidance are highlighted.

Apr 8, 2026 • 6min
SANS Stormcast Wednesday, April 8th, 2026: Pivoting for Webshells; WatchGuard Firebox Patch; Project Glasswing; Kubernetes Misconfigurations
Scans searching for web shell filenames and why attackers favor WordPress-like names. How to detect malicious web shells beyond simple filename lists. A WatchGuard Firebox path traversal flaw that can enable arbitrary file writes. Anthropic's Project Glasswing giving vendors AI access to find vulnerabilities earlier. Real-world Kubernetes attacks from misconfigurations and stolen CI/CD credentials.

Apr 7, 2026 • 7min
SANS Stormcast Tuesday, April 7th, 2026: Redirects in Phishing; Internet Bug Bounty Suspended; Bluehammer; Keycloak MFA Bypass
Discussion of how open redirects show up in a sizable share of phishing campaigns. Coverage of HackerOne pausing an internet bug bounty after a surge of AI-generated reports. Breakdown of a new Windows privilege escalation called Bluehammer and its public disclosure. Alert about a Keycloak REST API flaw that can remove second-factor protections.

Apr 6, 2026 • 6min
SANS Stormcast Monday, April 6th, 2026: TeamPCP Update and Axio Post Mortem; Fortinet 0-Day
A rundown of Team PCP activity and why some compromise lists may be incomplete. A social engineering trick that led a developer to install malware during a video call. Rapid detection and removal of a malicious Axios npm package. Compromised Strapi-related npm plugins acting as covert C2 agents. A Fortinet unauthenticated RCE that was actively exploited and patched.

Apr 3, 2026 • 5min
SANS Stormcast Friday, April 3rd, 2026: Vite Exploits; OpenSSH 10.3; Claude Code Vuln
Scans targeting a Vite file-access flaw and how attackers bypass controls to read files. New OpenSSH 10.3 release highlights and a rare operator code execution caveat. A source map leak from Claude Code led researchers to find a whitelist bypass that can allow dangerous commands after a threshold.

Apr 2, 2026 • 4min
SANS Stormcast Thursday, April 2nd, 2026: Script Removing ADS/MotW; Google Chrome 0-Day; iOS/iPadOS 18 Update;
A PowerShell script that strips Windows mark-of-the-web to hide malicious files. A Google Chrome update that patches 21 vulnerabilities, including a WebGPU 0-day. An iOS/iPadOS security update that backports Darksword fixes to older devices. A CSRF flaw in ASUS routers that can allow remote reconfiguration.

Apr 1, 2026 • 7min
SANS Stormcast Wednesday, April 1st, 2026: Application Control Bypass; Axios NPM Module Compromise; TeamPCP vs Cloud
Discussion of a Netcat-based application control bypass used for covert data exfiltration. Examination of a compromised Axios NPM package that delivered malicious post-install scripts and remote access tools. Analysis of TeamPCP activity shifting from credential theft toward targeting cloud resources and secrets. Detection clues and odd-port artifacts are highlighted.

Mar 31, 2026 • 5min
SANS Stormcast Tuesday, March 31st, 2026: Honeypot Session Lifetime; Let’s Encrypt Tests Mass Revocation; F5 RCE Exploited
Analysis of long-lived honeypot sessions that repeatedly run commands to transfer malware. A simulation of mass certificate revocation by a major CA and how ACME clients may handle replacement requests. A reclassification of an F5 BIG-IP flaw to remote code execution and the urgency of reprioritizing patches.

Mar 30, 2026 • 8min
SANS Stormcast Monday, March 30th, 2026: More TeamPCP: telnyx; Netscaler Exploit; macOS ClickFix Fix; Windows Smart Install
Updates on a supply-chain campaign that added a malicious Telnyx package to PyPI. Discussion of a Citrix Netscaler memory overread exploit and active probing of vulnerable systems. A warning to assume compromise for unpatched SAML-configured Netscalers. Notes on macOS paste-click protections and Windows Smart Install app-source restrictions.

Mar 27, 2026 • 6min
SANS Stormcast Friday, March 27th, 2026: TeamPCP Update; DarkSword vs Patches; LangFlow Exploited
A supply-chain compromise affecting many Checkmarx components and detection options. Urgent advice on rapid credential rotation and practicing recovery. A web exploit chain tied to government spyware and which iOS updates actually addressed it. A LangFlow flaw that was weaponized fast, stressing prompt patching and key rotation.