Handler on Duty: Brad Duncan
Threat Level: green
Podcast Detail
SANS Stormcast Tuesday, May 26th, 2026: VBA in MSFT Access; NPM Stealer; PHP Laravel Compromise; Google API Key Lag;
If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9944.mp3
My Next Class
Microsoft Access VBA
https://isc.sans.edu/diary/Microsoft%20Access%20VBA/33012
An Example of Stack String in High Level Language
https://isc.sans.edu/diary/An%20Example%20of%20Stack%20String%20in%20High%20Level%20Language/33008
Cross-Platform NPM Stealer
https://isc.sans.edu/diary/Cross-Platform%20NPM%20Stealer/33006
Laravel Lang Compromised with RCE Backdoor Across
https://socket.dev/blog/laravel-lang-compromise
Google API keys keep working after you delete them
https://www.aikido.dev/blog/google-api-keys-deletion
| Class | Location | Time Zone | Dates |
| --- | --- | --- | --- |
| Network Monitoring and Threat Detection In-Depth | Online | Arabian Standard Time | Jun 27th - Jul 2nd 2026 |
| Network Monitoring and Threat Detection In-Depth | Riyadh | | Jun 27th - Jul 2nd 2026 |
| Application Security: Securing Web Apps, APIs, and Microservices | Washington | | Jul 13th - Jul 18th 2026 |
| Application Security: Securing Web Apps, APIs, and Microservices | Online | British Summer Time | Jul 27th - Aug 1st 2026 |
| Application Security: Securing Web Apps, APIs, and Microservices | Las Vegas | | Sep 21st - Sep 25th 2026 |
| Network Monitoring and Threat Detection In-Depth | Amsterdam | | Nov 9th - Nov 14th 2026 |
| Application Security: Securing Web Apps, APIs, and Microservices | Washington | | Dec 14th - Dec 18th 2026 |
Podcast Transcript
Hello and welcome to the Tuesday, May 26, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I'm recording from Jacksonville, Florida. And this episode is brought to you by the SANS.edu Graduate Certificate Program in Cybersecurity Leadership. Microsoft Access, well, that's a database I had a couple of run-ins with in the past, in the distant past. Luckily, Didier got interested in Microsoft Access now because, well, it may be used to actually execute Visual Basic for Applications code. Yes, the .mdb files that Microsoft Access runs on may contain Visual Basic for Applications and with that could be used to infiltrate systems, to basically execute malicious code, just like, you know, with any other Microsoft product that does execute VBA. So in order to help us out here and help us analyze some of these scripts that may contain, that may be contained in these .mdb files, Didier is offering here some help, a little bit sort of reverse analysis on the .mdb files, how to extract some of these Visual Basic for Applications scripts. Microsoft does not offer really any documentation here and Didier will also in the future present a couple more complex examples how to extract the VBA code from these Microsoft Access database files. Well, and then we got more reverse analysis tricks here over the weekend, this time from Xavier. Xavier looked at, well, decoding stack strings. Stack strings is an obfuscation technique that's often found in malware. In order to avoid using specific strings that, of course, could easily be identified with signatures, the attacker uses basically dynamically created strings where one byte at a time is copied into the stack in order to assemble a particular string. And that's, of course, a little bit of pain to analyze. So Xavier took a look at what the simplest possible way to sort of, you know, figure out these stack strings and came up with essentially a bash one-liner.
Now, I say one-liner, but there is a secret tool here, object dump, that will basically decompile the software that is being used here. And then some simple greps in order to basically filter out these instructions that copy individual bytes to the stack and then just reassemble the bytes that they're copying. Well, and in the example that Xavier prepared, this works just fine. So certainly one of those quick tricks that you can use before you are using more complex tools just to see if essentially there's something here for you to dive in further. And Xavier also used the long weekend, well, at least the long weekend here in the US, in order to provide us with a quick reverse analysis of an NPM Stealer. So this particular Info Stealer is written in JavaScript. It uses the node infrastructure. One of those things that you would potentially find like in a supply chain attack, it's because it's written in JavaScript, also multi-platform. It runs on Windows, macOS, and Linux. And then, well, that's what Info Stealers do best. It steals your credentials, including things like crypto coin wallet information, which kind of fits the target IP address. The target IP address has been in prior campaigns associated with some North Korean threat actors. And well, North Korea is really into stealing crypto coin information. And talking about supply chain issues, now the one language that we haven't really heard much from when it comes to supply chain issues is PHP. Well, don't worry, the threat actors haven't forgotten about PHP. Socket has come out with a blog post late last week that basically identified a number of Laravel packages that were compromised. Laravel is a framework that's commonly used with PHP. The packages being compromised here are in particular the Laravel lang packages. This is an extension to Laravel that you're using to basically provide localization.
So translation of different languages for a particular site and yes, support something like 126 different languages. So definitely a popular package and 700 plus versions were infected with a remote code execution backdoor. So better make sure that you're not using any of these packages. Potentially you're at risk if you have a PHP website that's coded using Laravel and does support multiple languages. And Joe Leon with Aikido has published a blog, a blog post, an issue that is actually not really new in cloud environments and that changes don't happen instantly. Now what Joe looked at was particular Google API keys and deleting them. Well, apparently it can take up to 23 minutes in order for the key to be no longer usable. We had a couple of SANS.edu students also write research papers about similar effects in the past, like when you're setting up firewall logs or any kind of configuration change in the cloud, that there is often a significant delay in these kind of changes. So definitely something to keep in mind that these things don't really act immediately. And if you're, for example, relying on any configuration change or something like this, well, before you actually use an application or so that relies on it, well, make sure that the application configuration change has propagated to your actual application. Well, and that's it for today. Thanks for listening. Thanks for liking and thanks for recommending this podcast. By the way, I'll be teaching also at SANSFIRE mid-July in Washington, D.C. I'll be teaching our web application security class again. So if you're interested in that, please sign up or let me know if you have any questions about it. And that's it. Talk to you again tomorrow. Bye. Bye.
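The stack-string trick described above (disassemble, keep only the byte-sized immediate stores to the stack, put the bytes back together) is easy to do in a few lines of Python as well. The following is an added example written for this page; it is not Xavier's diary one-liner. It assumes objdump `-d` text in either Intel syntax (`-M intel`, `mov BYTE PTR [rbp-0x10],0x48`) or the default AT&T syntax (`movb $0x48,-0x10(%rbp)`), and the disassembly listings embedded below are constructed samples, not output from the malware in the diary. Unlike a plain grep, it groups stores by base register and stack offset, so two strings built in the same function at different offsets come out separately and in the order the code builds them, and NUL bytes end a string rather than corrupting it.

```python
import re

# Constructed sample: objdump -M intel output for a function that builds
# "Hello!" at rbp-0x10 and "cmd" at rbp-0x20 one byte at a time.
SAMPLE_DISASM_INTEL = """\
0000000000401136 <build>:
  401136:\t55                   \tpush   rbp
  401137:\t48 89 e5             \tmov    rbp,rsp
  40113a:\tc6 45 f0 48          \tmov    BYTE PTR [rbp-0x10],0x48
  40113e:\tc6 45 f1 65          \tmov    BYTE PTR [rbp-0xf],0x65
  401142:\tc6 45 f2 6c          \tmov    BYTE PTR [rbp-0xe],0x6c
  401146:\tc6 45 f3 6c          \tmov    BYTE PTR [rbp-0xd],0x6c
  40114a:\tc6 45 f4 6f          \tmov    BYTE PTR [rbp-0xc],0x6f
  40114e:\tc6 45 f5 21          \tmov    BYTE PTR [rbp-0xb],0x21
  401152:\tc6 45 f6 00          \tmov    BYTE PTR [rbp-0xa],0x0
  401156:\tc6 45 e0 63          \tmov    BYTE PTR [rbp-0x20],0x63
  40115a:\tc6 45 e1 6d          \tmov    BYTE PTR [rbp-0x1f],0x6d
  40115e:\tc6 45 e2 64          \tmov    BYTE PTR [rbp-0x1e],0x64
  401162:\tc6 45 e3 00          \tmov    BYTE PTR [rbp-0x1d],0x0
  401166:\t48 8d 45 f0          \tlea    rax,[rbp-0x10]
  40116a:\tc9                   \tleave
  40116b:\tc3                   \tret
"""

# Constructed sample of the same idea in objdump's default AT&T syntax.
SAMPLE_DISASM_ATT = """\
  40113a:\tc6 45 f0 6f          \tmovb   $0x6f,-0x10(%rbp)
  40113e:\tc6 45 f1 6b          \tmovb   $0x6b,-0xf(%rbp)
  401142:\tc6 45 f2 21          \tmovb   $0x21,-0xe(%rbp)
"""

# Byte-sized immediate store to [base +/- disp] in Intel syntax.
INTEL_RE = re.compile(
    r"mov\s+BYTE PTR \[(?P<base>\w+)(?P<off>[+-]0x[0-9a-f]+)?\],\s*(?P<imm>0x[0-9a-f]+)",
    re.I,
)
# The same instruction in AT&T syntax: movb $imm, disp(%base).
ATT_RE = re.compile(
    r"movb\s+\$(?P<imm>0x[0-9a-f]+),\s*(?P<off>-?0x[0-9a-f]+)?\((?P<base>%\w+)\)",
    re.I,
)


def extract_byte_stores(disasm):
    """Return (base_register, offset, byte_value) in instruction order for
    every byte-sized immediate store to a register-relative address."""
    stores = []
    for line in disasm.splitlines():
        m = INTEL_RE.search(line) or ATT_RE.search(line)
        if not m:
            continue
        off = int(m.group("off"), 16) if m.group("off") else 0
        stores.append((m.group("base").lstrip("%"), off, int(m.group("imm"), 16)))
    return stores


def decode_stack_strings(disasm, min_len=3):
    """Reassemble printable ASCII strings from byte stores.

    Bytes are grouped per base register and ordered by stack offset; a gap in
    the offsets or a NUL byte terminates the current string. Results are
    returned in the order the code first writes each string. Strings built from
    packed DWORD/QWORD stores are out of scope for this decoder."""
    by_base = {}
    for idx, (base, off, val) in enumerate(extract_byte_stores(disasm)):
        # A later store to the same slot wins, mirroring execution order.
        by_base.setdefault(base, {})[off] = (val, idx)

    found = []  # (index of first store, decoded string)
    for cells in by_base.values():
        current, first, prev = bytearray(), None, None
        for off in sorted(cells):
            val, idx = cells[off]
            contiguous = prev is not None and off == prev + 1
            if not contiguous or val == 0:
                if len(current) >= min_len and all(32 <= b < 127 for b in current):
                    found.append((first, current.decode("ascii")))
                current, first = bytearray(), None
            if val != 0:
                first = idx if first is None else first
                current.append(val)
            prev = off
        if len(current) >= min_len and all(32 <= b < 127 for b in current):
            found.append((first, current.decode("ascii")))

    found.sort()
    return [s for _, s in found]


if __name__ == "__main__":
    for s in decode_stack_strings(SAMPLE_DISASM_INTEL):
        print(s)
```

To use it on a real binary, feed it the text of `objdump -d` (optionally with `-M intel`) instead of the constructed samples; as in the diary, this is a quick first pass to see whether there is anything worth opening a full disassembler for.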