SANS Stormcast Wednesday, May 13th, 2026: Microsoft Patch Tuesday; Large npm/pypi Compromise; Rubygems Attack
Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9930.mp3
Microsoft Patch Tuesday
https://isc.sans.edu/diary/32980
Tanstack npm and others compromised
https://socket.dev/blog/tanstack-npm-packages-compromised-mini-shai-hulud-supply-chain-attack
Ruby Gems Attack
https://x.com/maciejmensfeld/status/2054164602577940619
Podcast Transcript
Hello and welcome to the Wednesday, May 13, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from San Diego, California. And this episode is brought to you by the SANS.edu Graduate Certificate Program in Cybersecurity Leadership.

Well, today is Microsoft Patch Tuesday. So let's start with a quick summary here. We got a total of 137 vulnerabilities being addressed by Microsoft. Now this is quite a large number, but in addition to this, we actually also got 127 Chromium vulnerabilities being addressed in Microsoft Edge. Now when it comes to the Microsoft vulnerabilities, so the 137, we had 30 critical ones here. That's a fairly large number compared to what we saw in the past, but 14 of these 30, so pretty much half of them, do not require any customer action because these vulnerabilities are vulnerabilities in Microsoft cloud systems. And as such, of course, there's nothing you have to do. Microsoft already took care of these for you. Now among the remaining critical vulnerabilities, there are a couple that caught my eye. One actually that I haven't listed in the diary is one in Outlook. That's a remote code execution vulnerability that could be triggered by just previewing an email, so no attachment that you need to open. There is also a vulnerability in the Microsoft single sign-on plugin for Jira and Confluence. Given all the news we had about supply chain issues and such, that's certainly something to watch out for. The other one that I thought was kind of interesting was a remote code execution vulnerability in NetLogon. Now the NetLogon service has always been sort of a big target, definitely something where, as I post in the diary, it's worth spending some AI tokens on to come up with a good exploit, at least from an attacker's point of view. So definitely get them patched. On sort of the good news side here: none of the vulnerabilities that were patched this round are already being exploited or disclosed. So essentially no zero days this month.

Well, usually on Patch Tuesday we heavily focus on patches from various vendors and, well, the urgency here is always the same, so patch, patch quickly. Today's podcast is a little bit different because, well, supply chain attacks appear to be escalating. Socket.dev has a blog post with the latest series of what they call Mini Shai-Hulud, sort of part of that TeamPCP ecosystem. So these attacks have extremely escalated over the last couple of days across both npm and PyPI. So both JavaScript and Python are affected here. Initially there were 84 compromised packages of TanStack. TanStack has millions of downloads, so it's one of the very popular npm packages. But sadly, well, it didn't stay with TanStack. We then immediately got additional packages being affected here. And I'm just scrolling through some of them. Mr. Alley and OpenSearch. OpenSearch is one of the real big ones here that got affected, particularly when it comes to npm. Guardrails AI, another big package. A lot of AdSqualk packages got affected by this latest set of attacks. So we literally have dozens and dozens of packages being compromised and more being added all the time. Because, well, what the compromise does then is it does actually exfiltrate more credentials from more GitHub repositories. More GitHub accounts are being compromised. And, well, with that the attack is just spreading. Apparently, the initial entry point here when it comes to TanStack was a GitHub Action where a malicious actor submitted a pull request. And then the GitHub Action basically sort of ran through the usual checks of the pull request, which also included running the code. And in doing so, well, some of the credentials here were compromised and that then led to the compromise of TanStack. There are also some versions of these supply chain compromises in the last few days where the attacker exfiltrated or assigned himself malicious tokens. And with these credentials then, well, basically spread more malicious code. But they also then put a little time bomb into the developer systems that basically wipes the system if the developer does attempt to actually revoke those tokens. So be careful if you're affected by any of this. And I have seen some reputable sources recommend not to patch any, in particular npm, packages for the next couple of days. Maybe that should be extended to PyPI. Personally, I'm a little bit ambivalent about this, but you definitely have to be careful. And, well, basically read in particular the socket.dev blog post, which has a lot of hints on, first of all, how to secure yourself better and how to detect if you're affected by this most recent compromise.

But sadly, well, it's not just npm and Python that are affected by these types of attacks. There's also a separate wave of attacks apparently hitting Ruby. RubyGems announced that they are currently pausing signups for new accounts because they're flooded, as a post on X states, by hundreds of malicious packages. Some attacks against RubyGems, but also some just containing outright malicious code and exploits. So that's why they basically just paused submissions, paused new signups for now in order to deal with filtering and basically defending against these attacks they're currently seeing. So in short, well, that's why you should be careful for at least the next couple of days, but probably going forward, with updating software components. And for now, if there is no urgent vulnerability that you need to address, you should probably just stick with the version that you have right now. Again, this affects at least npm and PyPI. But as we see with RubyGems, there are other languages also being affected by these types of attacks. And it's not just the TeamPCP and the Mini Shai-Hulud kind of attacks, but there's a variety of different attacks going on. Those are just the big ones that sort of make the news.

Well, this is it for today. So thanks for listening. Thanks for liking. Thanks for subscribing. And thanks for any feedback about the content that I've sort of received over the time for this podcast. Always really helpful and very much appreciated. So thanks and talk to you again tomorrow. Bye-bye.
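The "hold off on updating for a few days" advice from the episode can be turned into a mechanical check: refuse dependency versions that were published less than N days ago, and fall back to the newest version that is old enough. This is an added example, not code from the podcast, Socket.dev or TanStack; the package name, version numbers, timestamps and the "now" instant are constructed to mimic the `time` map in npm registry metadata.

```python
"""Release-age ("cooldown") check for package versions.

Added example. SAMPLE_REGISTRY_TIME mimics the shape of the `time` field
returned by the npm registry for a package; all values are constructed.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample: the `time` map of a registry document. Besides the
# per-version publish timestamps it carries "created" and "modified" keys.
SAMPLE_REGISTRY_TIME = {
    "created": "2024-01-10T12:00:00.000Z",
    "modified": "2026-05-12T03:14:00.000Z",
    "1.4.0": "2026-02-01T09:00:00.000Z",
    "1.4.1": "2026-04-20T16:30:00.000Z",
    "1.4.2": "2026-05-12T03:14:00.000Z",  # pushed hours before SAMPLE_NOW
}

# Constructed "current time" so the example is deterministic offline.
SAMPLE_NOW = datetime(2026, 5, 13, 12, 0, tzinfo=timezone.utc)

NON_VERSION_KEYS = {"created", "modified"}


def _parse(ts: str) -> datetime:
    # The registry emits ISO-8601 with a trailing 'Z'; fromisoformat needs an offset.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def release_age_days(time_map: dict, version: str, now: datetime):
    """Days since `version` was published, or None if the registry has no such version."""
    if version not in time_map or version in NON_VERSION_KEYS:
        return None
    return (now - _parse(time_map[version])).total_seconds() / 86400


def is_too_new(time_map: dict, version: str, now: datetime, min_age_days: int = 7) -> bool:
    """True when the version is unknown or younger than the cooldown window."""
    age = release_age_days(time_map, version, now)
    return age is None or age < min_age_days


def newest_mature_version(time_map: dict, now: datetime, min_age_days: int = 7):
    """Most recently published version that has already aged past the window.

    Ordering is by publish date, not semver, so a backported patch release
    still counts as 'newest' if it was published last.
    """
    cutoff = now - timedelta(days=min_age_days)
    mature = [(v, _parse(ts)) for v, ts in time_map.items()
              if v not in NON_VERSION_KEYS and _parse(ts) <= cutoff]
    return max(mature, key=lambda vt: vt[1])[0] if mature else None
```

Run against live data by fetching `https://registry.npmjs.org/<package>` and passing its `time` object with `datetime.now(timezone.utc)`; the same logic applies to PyPI's per-file `upload_time_iso_8601` values with a small adapter.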