
SANS Stormcast Tuesday, November 18th, 2025: Binary Expression Decoding. Tea NPM Pollution; IBM AIX NIMSH Vulnerability

Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9704.mp3




Decoding Binary Numeric Expressions
Didier updated his number to hex script to support simple arithmetic operations in the text.
https://isc.sans.edu/diary/Decoding%20Binary%20Numeric%20Expressions/32490
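The following is an added example written for this page; it is not Didier's numbers-to-hex script and does not reproduce his code. It shows the same idea the diary describes: scan obfuscated text for decimal numbers, resolve the two-operand ("binary") arithmetic expressions such as 79+1 first, then turn the resulting byte values into hex and back into characters. The supported operator set (+, -, *), the regular expression, and the Chr()-style sample input are assumptions made for this example; the sample is constructed, not taken from a real malware file.

```python
import operator
import re

# Two-operand ("binary") arithmetic the decoder resolves before converting.
# The operator set is an assumption for this example, not Didier's script.
OPS = {
    "+": operator.add,
    "-": operator.sub,
    "*": operator.mul,
}

# Either "N op M" (first alternative) or a bare decimal number N (second).
# The first alternative is tried first, so "79+1" is consumed as a whole
# expression rather than as the two separate numbers 79 and 1.
TOKEN_RE = re.compile(r"(\d+)\s*([+*-])\s*(\d+)|(\d+)")

# Constructed sample: a VBScript-style string built from Chr() calls, where
# some of the code points are hidden behind small arithmetic expressions.
SAMPLE = (
    'Chr(79+1) & Chr(100+11) & Chr(120-1) & Chr(101) & Chr(57*2) & '
    'Chr(83) & Chr(104) & Chr(101) & Chr(108) & Chr(54*2)'
)


def resolve_expressions(text):
    """Scan text left to right and return the integer value of every
    numeric token, evaluating two-operand expressions without eval()."""
    values = []
    for m in TOKEN_RE.finditer(text):
        if m.group(1) is not None:
            left, op, right = int(m.group(1)), m.group(2), int(m.group(3))
            values.append(OPS[op](left, right))
        else:
            values.append(int(m.group(4)))
    return values


def numbers_to_hex(values):
    """Render each value as one hex byte; refuse anything outside 0..255
    so a mis-parsed expression fails loudly instead of producing garbage."""
    for v in values:
        if not 0 <= v <= 255:
            raise ValueError(f"value {v} does not fit in one byte")
    return "".join(f"{v:02x}" for v in values)


def hex_to_ascii(hexstr):
    """Turn the hex string back into text (latin-1 maps every byte value)."""
    return bytes.fromhex(hexstr).decode("latin-1")


def decode(text):
    """Full pipeline: expressions -> integers -> hex -> characters."""
    values = resolve_expressions(text)
    hexstr = numbers_to_hex(values)
    return values, hexstr, hex_to_ascii(hexstr)


if __name__ == "__main__":
    values, hexstr, decoded = decode(SAMPLE)
    print(values)
    print(hexstr)
    print(decoded)
```

The scanner is deliberately naive: it picks up every run of digits, so feed it only the obfuscated fragment (the argument list of the Chr()/[char] calls), not a whole script with line numbers, array indexes or loop counters in it. The range check in numbers_to_hex is the practical safety net: if a token was mis-parsed, you get an exception rather than a plausible-looking but wrong decoded string.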

Tea Token NPM Pollution
The NPM repository was hit with around 150,000 submissions that did not contain any useful contributions, but instead attempted to fake contributions to earn a new “tea” coin.
https://aws.amazon.com/blogs/security/amazon-inspector-detects-over-150000-malicious-packages-linked-to-token-farming-campaign/

IBM AIX NIMSH Vulnerabilities
IBM patched several critical vulnerabilities in the NIMSH daemon
https://www.ibm.com/support/pages/node/7251173

Podcast Transcript

 Hello and welcome to the Tuesday, November 18th, 2025
 edition of the SANS Internet Storm Center's Stormcast. My
 name is Johannes Ullrich, recording today from
 Jacksonville, Florida. And this episode is brought to you
 by the SANS.edu Graduate Certificate Program in
 Penetration Testing and Ethical Hacking. In Diaries
 today we got an update from Didier to his numbers to hex
 script. The script as it existed so far just
 scanned input for decimal numbers and then converted
 them to hex. This was useful to de-obfuscate some scripts
 that basically use like these sort of char functions and
 such to decode decimal numbers into strings. Well, last week
 we had a post by Xavier who looked at a formbook example
 that used a similar obfuscation trick. But instead
 of just having simple numbers, well, there were some
 arithmetic expressions included as well in this
 particular file. Now, Didier updated his script in order to
 deal with these, as he calls them, binary expressions. So
 that's not the binary number system, base two.
 Instead, they are just arithmetic expressions with
 two components, like in this example, 79 plus one or 80
 plus seven. So the new version of numbers to hex will now
 first resolve these simple arithmetic expressions and
 then decode the numbers to hex. And then you can feed
 them to additional scripts like to convert the hex into
 ASCII characters, for example, in order to, as in this case,
 decode some PowerShell script. So real handy if you have to
 do a lot of these decoding tasks and such to have these
 scripts around. One story that really doesn't go away is
 attacks against the NPM ecosystem. The latest attack
 is, well, at first not really all that severe, but shows yet
 another problem with this ecosystem. And that's that
 Amazon found 150,000 packages being published to NPM with
 pretty much no functionality. Now, these were not malicious
 in the sense that they contained malware or stole
 credentials like some of the packages we had in the past.
 Instead, they really just tried to mine a new
 cryptocurrency, Tea. The idea behind this Tea token is at
 first kind of neat in the sense that it tries to reward
 people for open source contributions. But apparently
 they are not actually checking the quality of these
 contributions. So what the attacker tried to do here is
 by publishing 150,000 packages with their Tea token information
 as part of these packages. They basically tried to get
 credit for all of these contributions. But actually,
 all they did was cause harm, pollute the NPM ecosystem even
 more than it's now. And Amazon, with its inspector
 tool, was luckily able to identify some of these
 packages and have them removed. And then we got a
 number of critical vulnerabilities for IBM AIX
 users. These vulnerabilities affect NIMSH, the network
 installation manager. And this particular tool has had
 vulnerabilities like this in the past. But one of the
 vulnerabilities here does reach up to a perfect CVSS
 score of 10. And some of the others also are like in the
 nines with essentially arbitrary remote code
 execution capabilities. NIMSH or NIM is really meant sort of
 for remote code execution. Supposed to be a little bit
 better replacement for RSH. It does offer TLS, but it's not
 really replacing SSH. That's probably what should really be
 used here. But it's sort of part of that IBM AIX ecosystem.
 And as such, pretty popular and often exposed, usually on
 port 3901 and 3902. Well, and that's it for today. Thanks
 for listening. Thanks for liking. Thanks for
 subscribing. And talk to you again tomorrow. Bye.