
SANS Stormcast Thursday, May 21st, 2026: GitHub Breach; Agentic Threat Intel Feed; NGINX Vuln; YellowKey Fix; Incomplete SonicWall Patch

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9940.mp3


Podcast Transcript

Hello and welcome to the Thursday, May 21st, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu Graduate Certificate Program in Cyber Defense Operations.

Well, today I can't help but continue to talk about supply chain issues. And the first one here is a breach of GitHub. I usually don't talk about breaches, as I mentioned before, but this has sort of an important impact to, of course, everybody using GitHub. And well, that's pretty much everybody probably listening to this podcast. Even if you're not personally a user of GitHub, a large percentage, I have no idea what percentage, but it's very large, of open source software is maintained via GitHub. Now, while these, of course, are often public GitHub repositories, any modifications, of course, to these repositories would be devastating. At this point, there is no indication that anything other than GitHub's own internal repositories leaked. They're talking about something like 3,800 different repositories, which sounds about right, you know, for a company the size of GitHub. Of course, the second question is what leaked with all of those repositories? What kind of secrets? What kind of source code? What kind of, you know, maybe issues talking about bugs and security vulnerabilities have leaked here? GitHub promised more details as the investigation evolves. But at this point, it appears that the root cause was, well, an individual developer using a malicious Visual Studio Code extension.

And Knostic, a company that focuses on securing Agentic AI, has open sourced their own database of VSX extensions, skills, and also MCP. These databases that they're publishing here are essentially scanned with multiple tools in order to figure out how likely it is that a particular Visual Studio Code extension is malicious. So definitely something that you can use. They publish an API as well, and the data is free to use. Just don't scrape their page; use their API instead. And if you don't know how to use an API, well, your AI agent may be able to figure it out for you.

And AI tools continue to be used to find vulnerabilities. The latest is an announcement by Nebula Security that they found another vulnerability in Nginx. Now, they call this one Nginx pool slip, and it's a remote code execution vulnerability. Apparently, it does work with ASLR enabled, and they're giving 30 days until they will release an exploit. No additional details at this point. There was also a second vulnerability that was announced by Nginx, or F5, the company behind Nginx. That one only affects very specific configurations with the JavaScript modules enabled. That, of course, significantly increases also the attack surface of Nginx. So keep Nginx updated. No word yet when exactly a patch will be released, but for the Nginx pool slip vulnerability, we shouldn't see an exploit, at least by Nebula, until 30 days after the patch is released.

And Microsoft published a mitigation for the BitLocker security feature bypass vulnerability, also known as Yellow Key. That came out last week and essentially allows anybody to reboot a system that is protected by BitLocker without locking the disk and with that mounting the disk to an arbitrary boot operating system. Now, this workaround, and that's what it really sort of is, is not all that trivial to implement. Sort of reading the instructions, you have to enter a PIN and then, you know, on reboot in order to activate this workaround. It's easier to do if you're not yet encrypted. So definitely for new systems that you're configuring, this is definitely something that you probably should add sort of to your setup scripts until sort of the final fix is released. Well, hopefully with the next Patch Tuesday.

And SonicWall is warning that they're seeing exploitation of a vulnerability that they originally patched in January. But, well, many organizations haven't fully deployed the patch. The problem here is that it's not sufficient to just update the operating system, to just do the firmware upgrade. Instead, you must also update the LDAP configuration. That's a little bit more of a manual process. They're walking you through it in the advisory. So definitely double check that you applied this patch correctly.

Well, and this is it for today. So thanks for listening. Thanks for liking. Thanks for recommending. Thanks for letting me know what content you liked or didn't like in any particular episode, and talk to you again tomorrow. Bye.