SANS Stormcast Wednesday, May 13th, 2026: Microsoft Patch Tuesday; Large npm/pypi Compromise; Rubygems Attack

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9930.mp3

Podcast Transcript

Hello and welcome to the Wednesday, May 13, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from San Diego, California. And this episode is brought to you by the SANS.edu Graduate Certificate Program in Cybersecurity Leadership.

Well, today is Microsoft Patch Tuesday. So let's start with a quick summary here. We got a total of 137 vulnerabilities being addressed by Microsoft. Now this is quite a large number, but in addition to this, we actually also got 127 Chromium vulnerabilities being addressed in Microsoft Edge. Now when it comes to the Microsoft vulnerabilities, so the 137, we had 30 critical ones here. That's a fairly large number compared to what we saw in the past, but 14 of these 30, so pretty much half of them, do not require any customer action because these vulnerabilities are vulnerabilities in Microsoft Cloud systems. And as such, of course, there's nothing you have to do. Microsoft already took care of these for you.

Now among the remaining critical vulnerabilities, there are a couple that caught my eye. One actually that I haven't listed in the diary is one in Outlook. That's a remote code execution vulnerability that could be triggered by just previewing an email, so no attachment that you need to open. There is also a vulnerability in the Microsoft single sign-on plugin for Jira and Confluence. Given all the news we had about supply chain issues and such, that's certainly something to watch out for. The other one that I thought was kind of interesting was a remote code execution vulnerability in NetLogon. Now the NetLogon service has always been sort of a big target, definitely something where, as I wrote in the diary, it's worth spending some AI tokens to come up with a good exploit, at least from an attacker's point of view. So definitely get them patched. On sort of the good news side here, none of the vulnerabilities that were patched this round are already being exploited or disclosed. So essentially no zero days this month.

Well, usually on Patch Tuesday we heavily focus on patches from various vendors and, well, the urgency here is always: patch, and patch quickly. Today's podcast is a little bit different because, well, supply chain attacks appear to be escalating. Socket.dev has a blog post with the latest series of what they call Mini Shai-Hulud, sort of part of that TeamPCP ecosystem. So these attacks have escalated extremely over the last couple of days across both NPM and PyPI. So both JavaScript and Python are affected here. Initially there were 84 compromised packages of TanStack. TanStack has millions of downloads, so it's one of the very popular NPM packages. But sadly, well, it didn't stay with TanStack. We then immediately got additional packages being affected here. And I'm just scrolling through some of them: Mr. Alley and OpenSearch. OpenSearch is one of the real big ones here that got affected, particularly when it comes to NPM. Guardrails AI, another big package. A lot of AdSqualk packages got affected by this latest set of attacks. So we literally have dozens and dozens of packages being compromised and more being added all the time. Because, well, what the compromise does then is it actually exfiltrates more credentials from more GitHub repositories. More GitHub accounts are being compromised. And, well, with that the attack is just spreading.

Apparently, the initial entry point here when it comes to TanStack was a GitHub action where a malicious actor submitted a pull request. And then the GitHub action basically sort of ran through the usual checks of the pull request, which also included running the code. And in doing so, well, some of the credentials here were compromised and that then led to the compromise of TanStack. There are also some versions of these supply chain compromises in the last few days where the attacker exfiltrated or assigned himself malicious tokens. And with these credentials then, well, basically spread more malicious code. But they also then put a little time bomb into the developer systems that basically wipes the system if the developer does attempt to actually revoke those tokens. So be careful if you're affected by any of this. And I have seen some reputable sources recommend not to patch any NPM packages in particular for the next couple of days. Maybe that should be extended to PyPI. Personally, I'm a little bit ambivalent about this, but you definitely have to be careful. And, well, basically read in particular the socket.dev blog post, which has a lot of hints on, first of all, how to secure yourself better and how to detect if you're affected by this most recent compromise.

But sadly, well, it's not just NPM and Python that are affected by these types of attacks. There's also a separate wave of attacks apparently hitting Ruby. RubyGems announced that they are currently pausing signups for new accounts because they're flooded, as a post on X states, by hundreds of malicious packages. Some are attacks against RubyGems, but also some just contain outright malicious code and exploits. So that's why they basically just paused submissions, paused new signups for now in order to deal with filtering and basically defending against these attacks they're currently seeing.

So in short, well, that's why you should be careful for at least the next couple of days, but probably going forward, with updating software components. And for now, if there is no urgent vulnerability that you need to address, you should probably just stick with the version that you have right now. Again, this affects at least NPM and PyPI. But as we see with RubyGems, there are other languages also being affected by these types of attacks. And it's not just the TeamPCP and the Mini Shai-Hulud kind of attacks, but there's a variety of different attacks going on. Those are just the big ones that sort of make the news.

Well, this is it for today. So thanks for listening. Thanks for liking. Thanks for subscribing. And thanks for any feedback about the content that I've sort of received over the time for this podcast. Always really helpful and very much appreciated. So thanks and talk to you again tomorrow. Bye.
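The episode describes the TanStack entry point as a GitHub Action that ran a contributor's pull request code and thereby exposed credentials. The following is an added illustration, not code from the episode, TanStack, or any named project: it assumes the commonly abused workflow pattern in which a `pull_request_target` job checks out and runs the PR head with repository secrets available, and places the hardened form beside it. The job names, the `NPM_TOKEN` secret and the exact pattern TanStack used are assumptions.

```yaml
# Added example (constructed, not from the episode or any named project).
# Document 1: weak. Untrusted PR code runs where repository secrets are in scope.
name: ci-weak
on:
  pull_request_target:   # runs in the BASE repo context, so secrets are available
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # checks out the contributor's code
      - run: npm ci && npm test   # install hooks and tests execute that code ...
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}   # ... with a publish token readable from the job
---
# Document 2: hardened. PR code runs unprivileged; publishing is a separate, gated job.
name: ci-hardened
on:
  pull_request:          # for fork PRs: no repository secrets, read-only GITHUB_TOKEN
permissions:
  contents: read         # explicit least privilege for every job in this workflow
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # (pin to a full commit SHA in a real repo)
      - run: npm ci --ignore-scripts   # do not run install-time scripts from untrusted deps
      - run: npm test
  publish:
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    needs: test
    runs-on: ubuntu-latest
    environment: release   # required reviewers / protection rules live here
    permissions:
      contents: read
      id-token: write      # short-lived OIDC token for trusted publishing instead of a stored NPM_TOKEN
    steps:
      - uses: actions/checkout@v4
      - run: npm ci --ignore-scripts
      - run: npm publish --provenance   # assumes npm trusted publishing is configured for the package
```

The detection angle matching the episode's advice: audit existing workflows for `pull_request_target` combined with a checkout of `github.event.pull_request.head.*` or `head_ref`, since that combination is what lets a PR author's code reach the secrets context.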