SANS Stormcast Thursday, April 16th, 2026: AI Credential Scans; Microsoft Update Issues; RDP Warnings; GitHub Action Vulns; - SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

Summary4 min read

SANS Stormcast Daily Podcast — April 16, 2026

Host: Johannes B. Ullrich
Main Theme:
Today’s episode delivers a fast-paced roundup of current cybersecurity issues, primarily spanning the targeting of AI service credentials, Microsoft’s latest update complications, new RDP client defenses, an underdisclosed GitHub Actions vulnerability, and a recently resolved issue involving open source security tool developer accounts.

1. Surge in Credential Scans for AI Tools

Timestamps: [00:04] – [01:13]

Attackers’ New Focus:
- Credential and configuration files for AI tools (notably Openclaw, Claude, OpenAI) are now actively targeted by attackers scanning web servers.
- These files often contain API tokens and sensitive secrets, the compromise of which could result in expensive misuse (i.e. "large invoices from these AI vendors").
Prevention Advice:
- Protect secrets within configuration files rigorously.
- Set up proper billing alerts and usage limits with your AI vendors for early visibility and to cap potential losses if secrets are exposed.
- “Attackers will usually use the credentials contained in these files…which can lead to rather large invoices from these AI vendors.” (Johannes Ullrich, [00:36])

2. Microsoft Patch Tuesday: BitLocker and RDP Issues

Timestamps: [01:14] – [03:17]

BitLocker Recovery Key Problem

New Patch Impact:
- Some devices with a non-standard (“unrecommended”) BitLocker group policy may require users to enter a recovery key upon first restart after the latest update.
- Many users do not have their BitLocker key easily accessible, potentially locking them out temporarily.
Mitigation and Rollback Tools:
- Microsoft has provided advice and scripts (“known issue rollback”) to help users revert troublesome settings before updating.
Notable Quote:
- “You may have to enter your BitLocker key, which of course a lot of people don’t necessarily have just sitting around… it can be a little bit difficult to get to.” (Johannes Ullrich, [01:35])

Improved RDP Client Security

Vulnerability Remediation:
- New warning mechanisms will now display when a user opens an RDP file.
- The warning discloses if the file is digitally signed and which resources (like files or clipboard) the client might share with the remote server.
- Each connection attempt will prompt the user, increasing transparency and reducing the risk of silent attacks via RDP.
Memorable Insight:
- “The RDP file may instruct the RDP client to share certain files or the clipboard with the server. Malicious users have abused this feature.” (Johannes Ullrich, [02:20])

3. GitHub Actions Vulnerability in AI Integrations

Timestamps: [03:18] – [04:26]

Discovery:
- Security researcher Awan Guan identified prompt injection flaws in several GitHub Actions provided by leading AI vendors: OpenAI, Anthropic, Google, and Microsoft.
- These vulnerabilities could enable credential theft.
Disclosure Issue:
- Despite patching, none of these vendors assigned CVE numbers or issued prominent security advisories.
- The understated communication is especially risky, as many developers “pin” their dependencies to avoid unexpected updates after recent supply chain scares — making them less likely to receive fixes unless they know there’s a vulnerability.
Notable Quote:
- “The vulnerability itself is not a big surprise... the issue here is more that vendors didn’t disclose the vulnerability.” (Johannes Ullrich, [04:09])

4. Microsoft Account Suspensions Affecting Open Source Security Tools

Timestamps: [04:27] – [05:10]

Background:
- Some open source developers (notably Wireguard) had their Microsoft developer accounts suspended, impacting security-related tool releases (e.g., kernel-level VPN drivers).
- The suspensions resulted from miscommunication or issues with required account verifications—compounded by the absence of accessible Microsoft support.
- After public pressure and clarifications, accounts were reinstated and tools were properly signed.
Closure:
- “Wireguard was one of the affected developers, did release a new version and has had it now properly signed by Microsoft, so all their drivers should be working going forward.” (Johannes Ullrich, [05:03])

Notable Quotes and Highlights

“Attackers will usually use the credentials contained in these files…which can lead to rather large invoices from these AI vendors.” ([00:36])
“You may have to enter your BitLocker key, which of course a lot of people don’t necessarily have just sitting around… it can be a little bit difficult to get to.” ([01:35])
“The RDP file may instruct the RDP client to share certain files or the clipboard with the server. Malicious users have abused this feature.” ([02:20])
“The vulnerability itself is not a big surprise... the issue here is more that vendors didn’t disclose the vulnerability.” ([04:09])
“Wireguard… did release a new version and has had it now properly signed by Microsoft, so all their drivers should be working going forward.” ([05:03])

Episode Flow and Tone

The episode maintains a concise, urgent, and matter-of-fact tone.
Each segment is grounded in late-breaking, real-world security incidents.
Practical advice is interwoven with latest news, aiding listeners’ day-to-day security posture.

For More:
To contribute insights or questions, visit the Internet Storm Center contact form.

Loading summary

Transcript1 lines

[00:05]
A
Hello and welcome to the Thursday, April 16, 2026 edition of the SANS Internet Storm Centers Stormcast. My name is Johannes Ulrich, recording today from Stockheim, Germany and this episode is brought to you by the SANS EDU Graduate Certificate Program in Purple Team Operations. Configuration files containing secrets are a common target for attackers today. Typically, attackers are scanning web servers for commonly used configuration files. Like Env Guy noted in his Honeypot logs that attackers are now more and more scanning for files associated with AI tools. For example, attackers are scanning for files associated with Openclaw, Claude and OpenAI. Just like any configuration files, these files should not be kept in your document. Root attackers will usually use the credentials contained in these files files to steal tokens which can lead to rather large invoices from these AI vendors. So make sure that first of all the secrets are properly protected. But in addition, well set up the right billing alerts and limits for your particular AI tools so that way you are at least being alerted and hopefully are limiting the damage that's done in case some of these secrets will eventually delay and then we got some postscripts to yesterday's Microsoft patch Tuesday. Microsoft states that some devices with an unrecommended BitLocker group policy configuration might require to enter their BitLocker recovery key on the first restart after installing this update. So what Microsoft's saying here is that you may have to enter your BitLocker key, which of course a lot of people don't necessarily have just sitting around there, hopefully, and it can be a little bit difficult to get to. Well, Microsoft is also offering some advice on how to adjust your configuration prior to the update to avoid this problem. This issue may be related to a patch released on Tuesday that specifically addresses a BitLocker related problem. Microsoft also released a known issue, rollback. These are essentially little scripts that make it easy to apply their recommended solution to this problem. So again, it is maybe a little bit easier than following the steps that are outlined to revert the configuration before you are applying the update. The Tuesday Microsoft updates also included a patch that I pointed out for the RDP client, and one thing I mentioned there is that it's certainly possible for a victim to connect to an RDP server via a simple RDP URL that's included in an email or a webpage. Another option is an RDP file. These files may include additional configuration options. For example, the RDP file may instruct the RDP client to share certain files or the clipboard with the server. Malicious users have abused this feature. Once the update is installed Windows will display a warning after the user opens an RDP file for the first time. This warning will just explain to the user well, the danger of RDP files in general, but then for each new connection there will be a dialogue explaining first of all, is the RDP file digitally signed? That is an option, or is it not signed? And secondly, what resources the RDP file instructs the client to share with the server. So to give the user a little bit more insight into what is happening when they're actually opening this RDP file and security researcher Awan Guan found a new type of prompt injection vulnerability in various GitHub actions distributed by OpenAI vendors like Anthropic, Google and Microsoft. The problem isn't so much the prompt injection in this case, which leads to credential theft, so certainly serious. But prompt injections, well themselves aren't really all that new. All affected vendors also have updated affected actions and released patched versions. What Aonan, however noted is that none of these vendors has assigned a CVE number to the flaw or highlighted the security issue that is being addressed in this update. In particular, after recent supply chain issues of course around AI related libraries, many developers have become more cautious about updates and have carefully pinned versions and git hashes preventing automated updates from taking place. And this is even more important for vendors now to actually disclose any patched vulnerabilities. The vulnerability itself is not a big surprise. Again, prompt injection sort of comes with the territory here to some extent, but the issue here is more that vendors didn't disclose the vulnerability. Other vendors may be affected as well. These are just the vendors that Aonan has tested in this particular work. On Friday I talked about how a number of vendors who released open source security relevant tools like wireguard and other VPN service and the like have had issues with Microsoft suspending their developer accounts. After some forward and back, in part via social media, it turned out that affected developers either did misrequest to update their information with Microsoft or in some cases Microsoft may have, well, not properly processed just whatever information was submitted. This was in part required because these security relevant tools will need some of these newer kernel access methods and such, so that requires additional verification as to who actually publishes the software. Not having of course any kind of easy to reach support or so hasn't helped with the issue. The problem appears now to be resolved and wireguard actually Wireguard was one of the affected developers, did release a new version and has had it now properly signed by Microsoft, so all their drivers should be working going forward well. And that's it for today. Thanks for listening, thanks for liking, thanks for subscribing, thanks for recommending this podcast to others and talk to you again tomorrow. Bye.