SANS Stormcast Wednesday, February 4th, 2026: Detecting OpenClaw; Synology telnetd Patch; More GlassWorm
Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9794.mp3
My Next Class

| Class | Location | Dates |
|---|---|---|
| Application Security: Securing Web Apps, APIs, and Microservices | Orlando | Mar 29th - Apr 3rd 2026 |
| Network Monitoring and Threat Detection In-Depth | Amsterdam | Apr 20th - Apr 25th 2026 |
Detecting and Monitoring OpenClaw (clawdbot, moltbot)
https://isc.sans.edu/diary.html/Detecting+and+Monitoring+OpenClaw+%28clawdbot%2C+moltbot%29/32678/#comment
Synology telnetd Patch
https://www.synology.com/en-us/releaseNote/DSM
GlassWorm Loader Hits Open VSX via Developer Account Compromise
https://socket.dev/blog/glassworm-loader-hits-open-vsx-via-suspected-developer-account-compromise
Podcast Transcript
Hello and welcome to the Wednesday, February 4th, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the sans.edu Graduate Certificate Program in Cyber Defense Operations.

Well, yesterday I talked a lot about OpenClaw, so as a follow-up today, I wrote a quick post on how to detect, and also a little bit on how to secure, OpenClaw. The detection comes thanks to Gnostic. Gnostic is a company that sort of works on products to secure AI usage. There are two scripts that they published. One is fairly straightforward. It just detects if OpenClaw is installed by looking for common locations associated with OpenClaw, like configuration files and the like, and the binary itself. The second part is, I think, more interesting, and that's OpenClaw telemetry. And what this does is, if you have OpenClaw installed, OpenClaw telemetry will essentially log all the commands being executed by OpenClaw, all the prompts, and basically all the interactions that the user may have with OpenClaw, but also interactions OpenClaw has with the various services it is connected to. And these can then be collected via syslog and other tools. That's actually a plugin for OpenClaw itself. So I highly recommend this if you are using OpenClaw, because it will give you more transparency in what actually happens. The remaining links are some links to OpenClaw documentation about how to secure it, how to run it in a sandbox, and then sort of some basic prompt hardening tricks that you can use to likely make it more difficult to exploit any prompt injection.

Well, and remember, I think it was about a week or two ago where we had this critical flaw in telnetd if it's installed with inetd. Well, we now have a patch for a fairly popular system here, and that's Synology network storage devices. So Synology released a new update of DSM, the operating system for its devices, and it addresses this flaw. Definitely install it, and yes, make sure that telnet is not actually running on the device. I'm not familiar enough with Synology at this point in time to know whether or not it is running by default, but I doubt it is running by default. Maybe something that you would have installed or at least configured manually.

And well, we still have malicious Visual Studio Code extensions out there. The latest set was found by Socket.dev. They call it GlassWorm. Not sure how closely related to the original GlassWorm, but well, the approach is very similar. You basically have an existing extension from a respected developer who is then getting hijacked. Basically, the account is getting compromised. And these extensions are then, well, updated with malicious code. The developer in question here is called OORCZ. If I pronounce that, am I right? I'm just spelling the name here. There are four extensions at least that are affected here. Visual Studio Code Mind Map seems to be one of the more popular ones, but there's also an FTP, SFTP, SSH-SYNC extension that is affected by this. Luckily, they're not downloaded too frequently, sort of in the few thousand range here. But there's still something to be aware of, that this is still an ongoing threat.

Well, and Microsoft finally followed through on its initial announcement to disable TLS 1.0 and 1.1 for Azure Blob Storage. This was announced or scheduled many times before, well, at least two times before. But, well, now was the final deadline, February 3rd, and Microsoft actually pulled the switch. So if you're having problems connecting to Azure, you're probably using a very outdated TLS client.

Well, and that's it for today. So thanks for listening. Thanks for liking and thanks for subscribing to this podcast. And as always, talk to you again tomorrow. Bye.
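To illustrate the Azure Blob Storage cut-off discussed in the episode, here is an added example (editor's code, not from the podcast, Microsoft, or any project mentioned): a loopback TLS server that, like the Azure endpoint now does, refuses anything below TLS 1.2, and a client probe that reports which version it managed to negotiate, so a team can confirm whether an outdated client is the reason a connection fails. The certificate is a constructed throwaway, and `startServer` and `negotiate` are hypothetical helper names.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// startServer listens on loopback with a throwaway self-signed cert (constructed, not a real CA) and, like Azure
// Blob Storage after the cut-off, refuses anything below TLS 1.2. It returns the address to connect to.
func startServer() string {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert := tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12})
	if err != nil {
		panic(err)
	}
	go func() { // accept loop: the handshake is where the server's MinVersion alerts and drops legacy clients
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			go func(c *tls.Conn) { c.Handshake(); c.Close() }(c.(*tls.Conn))
		}
	}()
	return ln.Addr().String()
}

// negotiate connects with a client capped at maxVersion and returns the agreed TLS version, or 0 if the server
// refused it. InsecureSkipVerify is only here because the demo cert is self-signed; never use it against a real endpoint.
func negotiate(addr string, maxVersion uint16) uint16 {
	cfg := &tls.Config{InsecureSkipVerify: true, MinVersion: tls.VersionTLS10, MaxVersion: maxVersion}
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return 0
	}
	defer conn.Close()
	return conn.ConnectionState().Version
}

func main() {
	addr := startServer()
	fmt.Printf("TLS 1.1 client -> %#x, TLS 1.2 client -> %#x\n",
		negotiate(addr, tls.VersionTLS11), negotiate(addr, tls.VersionTLS12))
}
```

Pointing `negotiate` at a real endpoint with `InsecureSkipVerify` removed gives the same diagnostic: a 0 for a 1.2-capped client means the client, not the server, is the problem.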