SANS Stormcast Monday, April 6th, 2026: TeamPCP Update and Axio Post Mortem; Fortinet 0-Day

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9880.mp3

Podcast Transcript

Hello and welcome to the Monday, April 6, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu Graduate Certificate Program in Incident Response.

Well, let's start today with a quick update on some of the TeamPCP and Axios events from the last two weeks. First of all, TeamPCP sort of published another update and summary of what was new: a couple more systems and organizations that announced they were breached. However, it looks like for almost two weeks now or so, we don't really have any new compromise that is attributed to TeamPCP. These are systems that were compromised in the initial wave and, well, just now become known as compromised. There are also a number of links to write-ups and such with additional details about the malware and basically what exactly happened here, what was exfiltrated. A couple websites have assembled some lists of compromised organizations, but one word of caution here: they're probably rather incomplete, and there are a lot more compromised organizations.

Now, one organization that apparently was not compromised by TeamPCP was Axios. And we now have a postmortem here by Axios with additional details. I originally thought it was related to TeamPCP because it sort of made sense, the type of compromise and, of course, the timing. But apparently this was completely independent from TeamPCP and the Trivy exploit and all of that. Well, we now know it was actually pretty much social engineering, and some of the better social engineering. The lead developer here of Axios, who is responsible for the particular NPM package that was compromised, was tricked into joining a video call with some, well, as it turned out in hindsight, fake company. This company apparently was run by some North Korean actors, and it went to quite a bit of length to actually introduce themselves. So the entire compromise started about two weeks earlier, and then during the video call, or just before it, there was a fake error message that basically tricked Jason here into installing malware.

This is sort of a little bit of a tricky lesson to get across. And yes, you could say, hey, you know, don't update anything during a video call. But I know myself, you know, you get a link to a video call, whether it's Teams, Zoom, whatever; you know, there are about half a dozen different video call software packages people routinely use. You yourself, maybe, you know, you are using one or two fairly regularly, but, you know, then you get that link to the call, you click on the link, and it tells you, hey, you know, your copy of the video software that you haven't really used in quite a while needs updating before you can join that call. So some social engineering like this is really hard not to fall for.

Now, there's also an updated, a little bit more accurate, timeline of what happened here with the Axios NPM package. It was actually detected very quickly, particularly after they released the compromised 0.3 version. Within a couple minutes, it was identified as compromised and sort of the incident response started. It took quite a while, but quite a while is still relatively short, like a couple hours, to then actually get it out of the NPM registry. So that was a little bit kind of the delay here in incident response. Still amazingly fast compared to most other similar events that happened in the past.

And with TeamPCP no longer being sort of at the top of the news, I'm going to go back to not really covering every single compromised NPM package. But just as a reminder that there's still plenty of that happening: we have a blog post by Safedep.io. They're talking about a number of compromised packages related to the CMS Strapi. They claim to be extensions for it and offer various features. At least that's what the description says. These don't impersonate any well-known developers, but really just are looking for people who are trying to supplement their NPM packages for Strapi.

And in case you're running out of things to do, just ask your organization to use more Fortinet devices, because they published an urgent advisory this weekend on Saturday. This advisory releases a new hotfix for FortiClient EMS. And apparently the vulnerability being addressed with this hotfix is already being exploited in the wild. And it does allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests. That's all it says here. And there will be an upcoming release that will also include this patch.

Well, and this is it for today. Thanks for listening. Thanks for liking. Thanks for subscribing. And as always, talk to you again tomorrow. Bye.