SANS Stormcast Thursday, May 21st, 2026: GitHub Breach; Agentic Threat Intel Feed; NGINX Vuln; YellowKey Fix; Incomplete SonicWall Patch
If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9940.mp3
My Next Class
GitHub Breach
https://x.com/github/status/2056949168208552080
Agentic Threat Intelligence Feed - VS Code Extensions
https://agentmesh.knostic.ai/extensions
More NGINX Vulnerabilities
https://x.com/nebusecurity/status/2057071579876753643
https://my.f5.com/manage/s/article/K000161307
Microsoft Publishes YellowKey Mitigation CVE-2026-45585
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45585
Incomplete SonicWall Patch CVE-2024-12802
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0001
| Course | Location | Time zone | Dates |
| --- | --- | --- | --- |
| Network Monitoring and Threat Detection In-Depth | Online | Arabian Standard Time | Jun 27th - Jul 2nd 2026 |
| Network Monitoring and Threat Detection In-Depth | Riyadh | | Jun 27th - Jul 2nd 2026 |
| Application Security: Securing Web Apps, APIs, and Microservices | Washington | | Jul 13th - Jul 18th 2026 |
| Application Security: Securing Web Apps, APIs, and Microservices | Online | British Summer Time | Jul 27th - Aug 1st 2026 |
| Application Security: Securing Web Apps, APIs, and Microservices | Las Vegas | | Sep 21st - Sep 25th 2026 |
| Network Monitoring and Threat Detection In-Depth | Amsterdam | | Nov 9th - Nov 14th 2026 |
| Application Security: Securing Web Apps, APIs, and Microservices | Washington | | Dec 14th - Dec 18th 2026 |
Podcast Transcript
Hello and welcome to the Thursday, May 21st, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu Graduate Certificate Program in Cyber Defense Operations.

Well, today I can't help but continue to talk about supply chain issues. And the first one here is a breach of GitHub. I usually don't talk about breaches, as I mentioned before, but this has sort of an important impact on, of course, everybody using GitHub. And well, that's pretty much everybody probably listening to this podcast. Even if you're not personally a user of GitHub, pretty much a large percentage, I have no idea what percentage, but it's very large, of open source software is maintained via GitHub. Now, while these, of course, are often public GitHub repositories, any modifications to these repositories would, of course, be devastating. At this point, there is no indication that anything other than GitHub's own internal repositories leaked. They're talking about something like 3,800 different repositories, which sounds about right, you know, for a company the size of GitHub. Of course, the second question is what leaked with all of those repositories? What kind of secrets? What kind of source code? What kind of, you know, maybe issues talking about bugs and security vulnerabilities have leaked here? GitHub promised more details as the investigation evolves. But at this point, it appears that the root cause was, well, an individual developer using a malicious Visual Studio Code extension.

And Knostic, a company that focuses on securing agentic AI, has open sourced their own database of VSX extensions, skills, and also MCP. These databases that they're publishing here are essentially scanned with multiple tools in order to figure out how likely it is that a particular Visual Studio Code extension is malicious. So definitely something that you can use. They publish an API as well, and the data is free to use. Just don't scrape their page; use their API instead. And if you don't know how to use an API, well, your AI agent may be able to figure it out for you.

And AI tools continue to be used to find vulnerabilities. The latest is an announcement by Nebula Security that they found another vulnerability in Nginx. Now, this one they call Nginx pool slip, and it's a remote code execution vulnerability. Apparently, it does work with ASLR enabled, and they're giving 30 days until they will release an exploit. No additional details at this point. There was also a second vulnerability that was announced by Nginx or F5, the company behind Nginx. That one only affects very specific configurations with the JavaScript modules enabled. That, of course, also significantly increases the attack surface of Nginx. So keep Nginx updated. No word yet when exactly a patch will be released, but for the Nginx pool slip vulnerability, we shouldn't see an exploit, at least by Nebula, until 30 days after the patch is released.

And Microsoft published a mitigation for the BitLocker security feature bypass vulnerability, also known as YellowKey. That came out last week and essentially allows anybody to reboot a system that is protected by BitLocker without locking the disk, and with that mount the disk in an arbitrary boot operating system. Now, this workaround, and that's what it really sort of is, is not all that trivial to implement. Reading the instructions, you have to enter a PIN, you know, on reboot in order to activate this workaround. It's easier to do if you're not yet encrypted. So definitely for new systems that you're configuring, this is definitely something that you probably should add sort of to your setup scripts until sort of the final fix is released. Well, hopefully with the next Patch Tuesday.

And SonicWall is warning that they're seeing exploitation of a vulnerability that they originally patched in January. But, well, many organizations haven't fully deployed the patch. The problem here is that it's not sufficient to just update the operating system, i.e., just do the firmware upgrade. Instead, you must also update the LDAP configuration. That's a little bit more of a manual process. They're walking you through it in the advisory. So definitely double-check that you applied this patch correctly.

Well, and this is it for today. So thanks for listening. Thanks for liking. Thanks for recommending. Thanks for letting me know what content you liked or didn't like in any particular episode, and talk to you again tomorrow. Bye-bye.