Podcast Detail

SANS Stormcast Thursday, January 8th, 2026: HTML QR Code Phishing; n8n vulnerability; Powerbank Feature Creep

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9758.mp3


A phishing campaign with QR codes rendered using an HTML table
Phishing emails are bypassing filters by encoding QR codes as HTML tables.
https://isc.sans.edu/diary/A%20phishing%20campaign%20with%20QR%20codes%20rendered%20using%20an%20HTML%20table/32606
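
A defensive heuristic for the technique in this diary, as an added example that is not from the diary or the podcast: it flags HTML email bodies containing a square table of at least 21x21 cells in exactly two colour states. It assumes the modules are coloured through `bgcolor` or an inline `background` style; all names, thresholds and the sample grid are constructed for illustration.

```python
import re
from collections import Counter
from html.parser import HTMLParser

MIN_MODULES = 21  # smallest QR symbol (version 1) is 21x21 modules
BG_STYLE = re.compile(r"background(?:-color)?\s*:\s*([^;]+)", re.I)

class TableGridScanner(HTMLParser):
    """Records the background colour of every cell, per table and row."""
    def __init__(self):
        super().__init__()
        self.open_tables = []  # stack, so nested layout tables are kept apart
        self.tables = []       # finished tables, each a list of rows
    def handle_starttag(self, tag, attrs):
        if tag == "table":
            self.open_tables.append([])
        elif tag == "tr" and self.open_tables:
            self.open_tables[-1].append([])
        elif tag in ("td", "th") and self.open_tables and self.open_tables[-1]:
            a = dict(attrs)
            m = BG_STYLE.search(a.get("style") or "")
            colour = a.get("bgcolor") or (m.group(1) if m else None)
            self.open_tables[-1][-1].append(colour.strip().lower() if colour else None)
    def handle_endtag(self, tag):
        if tag == "table" and self.open_tables:
            self.tables.append(self.open_tables.pop())

def looks_like_qr_table(rows):
    """Square grid of >= 21x21 cells in exactly two well-mixed colour states."""
    rows = [r for r in rows if r]
    if len(rows) < MIN_MODULES or any(len(r) != len(rows) for r in rows):
        return False
    counts = Counter(c for r in rows for c in r)  # None = no colour set
    return len(counts) == 2 and min(counts.values()) / sum(counts.values()) >= 0.2

def qr_like_tables(html):
    # Indexes (in closing order) of tables that look like a QR grid.
    scanner = TableGridScanner()
    scanner.feed(html)
    return [i for i, t in enumerate(scanner.tables) if looks_like_qr_table(t)]

def sample_grid(n=25):
    # Constructed two-colour grid for testing; not a decodable QR code.
    cell = '<td bgcolor="{}" width="4" height="4"></td>'
    return "<table>" + "".join(
        "<tr>" + "".join(cell.format("#000000" if (2 * x + 3 * y) % 5 < 2 else "#ffffff")
                         for x in range(n)) + "</tr>" for y in range(n)) + "</table>"

SAMPLE_PHISH = "<p>Scan to review the document</p>" + sample_grid()
SAMPLE_BENIGN = "<table><tr><td>Item</td><td>Price</td></tr><tr><td>A</td><td>1</td></tr></table>"
```

Treat a hit as a signal to render and decode the table in the mail pipeline, not as a verdict on its own.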

n8n vulnerabilities
In recent days, several new n8n vulnerabilities were disclosed. Ensure that you update any on-premises installations and carefully consider what to use n8n for.
https://www.cyera.com/research-labs/ni8mare-unauthenticated-remote-code-execution-in-n8n-cve-2026-21858
https://github.com/n8n-io/n8n/security/advisories/GHSA-v4pr-fm98-w9pg

Power bank feature creep is out of control 
Simple power banks are increasingly equipped with advanced features, including networking, which may expose them to security risks.
https://www.theverge.com/tech/856225/power-banks-are-the-latest-victims-of-feature-creep

Podcast Transcript

 Hello and welcome to the Thursday, January 8, 2026
 edition of the SANS Internet Storm Center's Stormcast. My
 name is Johannes Ullrich, recording today from
 Jacksonville, Florida. And this episode is brought to you
 by the SANS.edu graduate certificate program in
 Incident Response. Today we got another phishing diary from
 Jan. Jan is writing about actually a set of emails that
 I've seen coming into our internal handlers alias over
 the holidays. At first I was a little bit worried of
 attackers kind of trying some new tricks over the holidays,
 maybe trying to outrun some of the defenders here, because of
 course during the holidays many of them may have taken
 the day off, and people also are less likely to make like
 big updates to their infrastructure over holidays.
 Well, the small but significant change here was
 that QR codes in these emails were actually encoded as an
 HTML table. So yeah, looks like a QR code, it may be a
 little bit squished, but of course QR codes are designed
 to be rather resilient to like distortions and such like
 that, because after all it's the same as pointing your
 phone on a QR code from likely a little bit odd angle. That's
 sort of why they work, even if they aren't really perfect.
 And a lot of email protection solutions have started looking
 at QR codes in order to filter out some of these sort of
 out-of-band attacks, where victims are being tricked to
 then use their local phone to complete the phishing attack,
 which of course then isn't caught often by enterprise
 security solutions. So that's the latest trick here. And of
 course now I hope that some of defenders, some of the
 anti-phishing solutions will add this to their repertoire. And
 well, let's see what attackers are coming up next. And if you
 are into phishing, please include us in your phishing
 mailing list. So that way we also get copies of whatever
 you're trying next. And over the last couple of days there
 were actually, I think, a total of four critical
 vulnerabilities in N8N. I think some people pronounce it
 also Nathan. N8N, that particular tool is geared
 towards the use of AI agents in order to automate
 processes. So what on a high level this tool does is it
 ingests data and then performs actions based on that data.
 The problem is a lot of the time this data comes from
 untrusted sources. And while N8N attempts to set up proper
 sandboxes and such around these processes, well, there
 are limits to what it can do. And you have sort of the
 classic issue where the data being ingested from the
 sources and the code, meaning the prompts for your AI tools,
 aren't clearly separated from each other. And that, of
 course, then leads to vulnerabilities like, for
 example, the uploads of files being used to then execute
 code in the end. There's been some controversy around these
 particular vulnerabilities. Not all of them are
 unauthenticated. This latest one that has been branded
 Ni8mare or nightmare has allowed the code execution
 without authentication. But then, of course, it always
 depends on how you exactly configure the tool, who you
 allow to actually upload data and where the data is coming
 from. So, what that risk really means to you very much
 depends on the particular use case that you're employing the
 tool here at. And certainly something that's easy to sort
 of condense in a simple number like a CVSS score. In
 particular, of course, if you're running N8N on-premise,
 then, of course, you need to update. If you're using the
 cloud version, well, they took care of it for you. Then I
 mention this mostly because, well, I know it's a very
 popular product. UniFi Protect did release an update that
 does fix remote code execution vulnerability. However, an
 attacker must be located in an adjacent network. It's one of
 those network discovery protocol vulnerabilities. So,
 these protocols or these packets are usually not
 routed. That's why you need the adjacent network position here
 in order to exploit it, update it, and, well, with that also
 get probably some new features with this product. And it's
 also relatively easy to enable auto updates for UniFi
 Protect. Well, and then to close out this podcast today,
 just a little bit sort of an awareness item over the last
 years and such that I run this podcast. One recurring item
 has been IoT vulnerabilities. And apparently there is
 currently sort of a trend, and I've seen this a little bit
 too, that the power banks are gaining more and more
 features. In part, they are also gaining network
 connectivity. So, these used to be these fairly bland,
 usually black blocks that are, isn't just a battery that you
 can charge and discharge, but now they apparently include
 Wi-Fi access points, screen savers, and all kinds of other
 fancy features. And that came up in an article at The Verge,
 and part of the CES coverage, which is going on this week.
 And certainly something to be aware of. And if you are
 buying devices like this, probably stick with the simple
 one and only buy features that you actually need. Part of
 this is also that the price of these devices has gone up
 quite a bit as they have added these additional features.
 Well, and this is it for today. So, thanks for
 listening. And we have our first winner for a bug report.
 Turns out, well, this week I'm working somewhat on the
 scripts that are publishing this podcast. Trying to sort
 of get rid of that silence in the beginning and a couple
 other little things. But, well, I had to do some testing
 and it looks like in some podcast players one of the
 test audio files sort of was stuck and didn't get
 overwritten by the real file that I released later. So,
 sorry for that. And yeah, so the first sticker is gone. And
 if you have any kind of feedback, any bugs, errors, or
 other things that you found in the podcast, well, please let
 me know. And yes, you'll get a sticker in the mail as a
 reward. Thanks and talk to you again tomorrow. Bye.
 Bye.
 And thanks for listening. Thank you.