SANS Stormcast – Thursday, March 12th, 2026: Zombie Zip
Episode Overview
In this episode, host Johannes B. Ullrich recaps recent vulnerabilities making headlines in the cybersecurity community. The core theme revolves around understanding the significance (or insignificance) of certain security issues, especially those that garner undue attention. Key topics include the "Zombie Zip" vulnerability, a bcrypt mishap in FreshRSS, and a case sensitivity bug in the popular npm package "simple-git." Ullrich emphasizes practical takeaways for defenders and developers.
Key Discussion Points & Insights
1. The "Zombie Zip" Vulnerability
[00:19 – 03:08]
Summary:
- Didier from the SANS team highlighted "Zombie Zip" in his diary. The technique intentionally builds a ZIP file with mismatched compression indicators: the header claims the entry is 'stored', but the data is actually 'deflated'.
- The result: The file is invalid and cannot be opened by standard unzip tools, nor can antivirus (AV) engines easily inspect its content.
Context & Technical Details:
- ZIP files specify their compression method; 'stored' means uncompressed, 'deflated' means compressed.
- Zombie Zip abuses this indicator, so tools that trust it read the wrong bytes and the file appears unreadable.
- This is not a new technique—similar tricks have existed for "decades" (e.g., bad checksums).
Practical Threat Level:
- Attackers would still need a custom loader for victims to actually open such files.
- If an attacker can manage this, they likely have easier or more potent techniques for obfuscating malware.
Memorable Quote:
- "If I can make you run a custom loader, well, I can probably just send you some encrypted malware or use something better than deflate in order to obfuscate the payload." — Johannes Ullrich [01:45]
Actionable Advice:
- Didier updated his zip utilities to help analysts extract payloads from such files by ignoring the misleading compression indicator.
- Recommendation: "Don't make a big deal of it... It's really not a very useful or really applicable vulnerability in that sense, and I would really just ignore it for now." — Johannes Ullrich [02:29]
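To make the mismatch concrete, the following is an added Python example; it is not Didier's tool and not code from the diary or the episode. It builds a constructed sample ZIP whose method fields claim 'stored' while the entry data is deflated, shows that the standard library's unzip rejects it on the CRC-32 check, and then does what the episode says the updated utilities do: ignore the declared method, try to inflate the bytes, and accept the result only if it matches the header CRC. All function and sample names are assumptions.

```python
import io
import struct
import zipfile
import zlib

LOCAL_SIG = b"PK\x03\x04"
CENTRAL_SIG = b"PK\x01\x02"
STORED, DEFLATED = 0, 8


def make_zip(name: str, payload: bytes, method: int) -> bytes:
    """Build a single-entry ZIP in memory with the given compression method."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", method) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def make_zombie_zip(name: str, payload: bytes) -> bytes:
    """Constructed sample of the mismatch the diary describes: deflate the entry,
    then rewrite both method fields to 'stored' so the headers lie about the data."""
    data = bytearray(make_zip(name, payload, DEFLATED))
    struct.pack_into("<H", data, 8, STORED)          # local header: method at offset 8
    cd = data.find(CENTRAL_SIG)                     # single entry, so first hit is the CD
    struct.pack_into("<H", data, cd + 10, STORED)   # central directory: method at offset 10
    return bytes(data)


def standard_unzip_fails(zip_bytes: bytes) -> bool:
    """What a stock unzip tool sees: the entry claims 'stored', the bytes do not
    match the header CRC-32, so extraction errors out instead of yielding the payload."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            zf.read(zf.namelist()[0])
    except zipfile.BadZipFile:
        return True
    return False


def inspect_first_entry(zip_bytes: bytes) -> dict:
    """Analyst-side check: parse the first local file header ourselves, verify the
    raw bytes against the header CRC-32 and size, and if a 'stored' entry fails
    that check, try raw inflate and accept the result only if *it* matches."""
    if zip_bytes[:4] != LOCAL_SIG:
        raise ValueError("not a ZIP local file header")
    # fields after the signature: version, flags, method, mod time, mod date,
    # crc32, compressed size, uncompressed size, name length, extra length
    (_ver, _flags, method, _t, _d, crc, csize, usize,
     nlen, elen) = struct.unpack_from("<HHHHHIIIHH", zip_bytes, 4)
    name = zip_bytes[30:30 + nlen].decode("utf-8", "replace")
    start = 30 + nlen + elen
    raw = zip_bytes[start:start + csize]
    result = {"name": name, "declared_method": method,
              "method_lies": False, "recovered": None}
    if method == STORED and zlib.crc32(raw) == crc and len(raw) == usize:
        result["recovered"] = raw                   # honest stored entry
        return result
    # either the entry says deflate, or it says stored but the bytes do not check out
    try:
        inflated = zlib.decompress(raw, -15)        # raw deflate, no zlib header
    except zlib.error:
        return result                               # not deflate either; leave for manual triage
    if zlib.crc32(inflated) == crc and len(inflated) == usize:
        result["recovered"] = inflated
        result["method_lies"] = method != DEFLATED  # data is deflate but header said otherwise
    return result


if __name__ == "__main__":
    sample = b"constructed sample payload " * 8
    zombie = make_zombie_zip("payload.bin", sample)
    print("stock unzip fails:", standard_unzip_fails(zombie))
    print(inspect_first_entry(zombie))
```

The header CRC-32 is computed over the uncompressed data, so it doubles as an oracle: if the declared method yields bytes that do not match it, the method field is lying and the recovered payload can be handed to AV or a sandbox as usual. Deflate is the only alternative tried here because it is the only one the diary mentions.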
2. bcrypt Hashing Vulnerability in FreshRSS
[03:09 – 05:10]
Summary:
- FreshRSS (an RSS aggregator) suffered from a bcrypt usage issue that made authentication ineffective.
Technical Details:
- bcrypt only uses the first 72 bytes of plaintext to compute a hash.
- The application prepended large salts (longer than 72 bytes) to the password before hashing.
- If the prepended salt is too long, the password falls outside the bytes bcrypt hashes and is effectively ignored, so any password verifies as long as the (oversized) salt matches.
- Seen before when email addresses (which can be long) are used as salts.
Technical Explanation:
- "If the salt is longer than 72 bytes, well then basically the password no longer matters. And this is exactly what happened here." — Johannes Ullrich [04:27]
Developer Guidance:
- Use random, short (e.g., 8-byte) salts.
- If bcrypt must be used, don't prepend salts to passwords; consider appending or using other hashes.
- "Just use another hashing algorithm—typically you have plenty available." — Johannes Ullrich [05:05]
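The following is an added Python example, not code from the episode or from FreshRSS. To run on the standard library alone it uses SHA-256 over the first 72 bytes of its input as a stand-in for bcrypt's input limit (real bcrypt is a slow, salted hash; only the truncation is modelled). It shows the prepended-salt pattern accepting a wrong password once the salt reaches 72 bytes, the same pattern behaving correctly with a short salt, and PBKDF2-HMAC-SHA256 as one of the "other hashing algorithms" that consume the whole password. The salts, passwords and function names are constructed assumptions.

```python
import hashlib
import hmac
import os

BCRYPT_INPUT_LIMIT = 72  # bytes of the password input that bcrypt actually hashes


def bcrypt_like(data: bytes) -> bytes:
    """Stand-in for bcrypt's 72-byte limit so the demo runs without the bcrypt
    package. SHA-256 is used only to model the truncation, not bcrypt itself."""
    return hashlib.sha256(data[:BCRYPT_INPUT_LIMIT]).digest()


def password_bytes_hashed(salt: bytes, password: bytes) -> int:
    """How many bytes of the password still reach the hash when the salt is
    prepended. Zero means the password no longer matters."""
    return max(0, min(len(password), BCRYPT_INPUT_LIMIT - len(salt)))


def hash_prepended(salt: bytes, password: bytes) -> bytes:
    """The pattern the episode describes: application-level salt in front of the password."""
    return bcrypt_like(salt + password)


def verify_prepended(salt: bytes, password: bytes, stored: bytes) -> bool:
    return hmac.compare_digest(hash_prepended(salt, password), stored)


def hash_kdf(salt: bytes, password: bytes) -> bytes:
    """'Just use another hashing algorithm': PBKDF2-HMAC-SHA256 from the stdlib
    consumes the whole password regardless of how long the salt is."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 60_000)


def verify_kdf(salt: bytes, password: bytes, stored: bytes) -> bool:
    return hmac.compare_digest(hash_kdf(salt, password), stored)


def demo() -> dict:
    # constructed inputs: an 80-byte salt built from an e-mail-like string
    # (the long-salt case the episode mentions) and an 8-byte random salt
    long_salt = b"user@example.com" * 5
    short_salt = os.urandom(8)
    right, wrong = b"correct-horse-battery", b"not-the-password"

    stored_long = hash_prepended(long_salt, right)
    stored_short = hash_prepended(short_salt, right)
    stored_kdf = hash_kdf(long_salt, right)
    return {
        "long_salt_password_bytes_hashed": password_bytes_hashed(long_salt, right),
        "long_salt_accepts_wrong_password": verify_prepended(long_salt, wrong, stored_long),
        "short_salt_accepts_wrong_password": verify_prepended(short_salt, wrong, stored_short),
        "kdf_long_salt_accepts_wrong_password": verify_kdf(long_salt, wrong, stored_kdf),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

`password_bytes_hashed` is the check worth adding to a code review or a unit test: for any salt the application might generate (including the longest e-mail address it accepts), the number of password bytes that survive truncation must stay well above zero. Libraries differ in whether they silently truncate or reject input over 72 bytes, so the same test also catches a library upgrade that turns silent truncation into a login failure.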
3. Case Sensitivity Bug in simple-git (npm Package)
[05:11 – 06:02]
Summary:
- A newly identified vulnerability in "simple-git" exposes applications to arbitrary code execution due to improper filtering of parameters.
Technical Details:
- The package tries to filter out malicious parameters from Git commands.
- The filtering is done case-sensitively; Git itself is case-insensitive regarding parameters.
- Attackers can use uppercase to bypass checks and potentially overwrite files.
Industry Note:
- "Regular expression vulnerabilities like this are quite common. Definitely make sure that you use case sensitivity correctly and it's not always that you need case insensitive." — Johannes Ullrich [05:54]
Attribution:
- The vulnerability was reported by the AI company "codeant".
Notable Quotes & Memorable Moments
On Zombie Zip’s Real-World Impact:
- "It's really a stupid vulnerability in something…" [00:28]
- "Don't make a big deal of it... really just ignore it for now." [02:29]
On Salts and Hashes:
- "They ended up with salts being larger than 72 bytes and then they prepended the salt to the password hash and then the password stopped mattering. And basically any password, any password hash worked." [04:41]
On Case Sensitivity Pitfalls:
- "It really depends on the use case—that makes this a more complicated problem." [05:57]
Timestamps for Important Segments
| Timestamp | Topic |
|-----------|-------|
| 00:19 | Introduction to Zombie Zip |
| 01:45 | Analysis of practicality (custom loader) |
| 03:09 | FreshRSS bcrypt salt vulnerability |
| 04:27 | Detailed explanation of bcrypt flaw |
| 05:11 | simple-git npm vulnerability explained |
Conclusion
Johannes B. Ullrich’s concise delivery cuts through the hype on flashy but low-impact vulnerabilities, giving listeners context and actionable advice. The episode’s tone is pragmatic: stay aware, but don’t overreact to every "new" trick on the internet. Password hashing subtleties and secure input validation remain critical for developers. As always, the episode is geared toward practical awareness for defenders.
For more details or to follow up, visit the SANS Internet Storm Center contact page.
