
SANS Stormcast Tuesday, April 14th, 2026: EncystPHP Webshell; CPUID Compromise; OpenAI Mac Cert Issue; Axios Vulnerability
Hello and welcome to the Tuesday, April 14, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Stockheim, Germany, and this episode is brought to you by the SANS.edu Graduate Certificate Program in Cybersecurity Leadership. Today I wrote about scans for the EncystPHP web shell that we observed. They are often done as a follow-up to scans for FreePBX vulnerabilities, but also, well, just as parasitic scans looking for already installed web shells. Fortinet wrote about these particular web shells back in January, but we have just seen another scan for them. Fortinet also observed them being used against FreePBX systems. So if you're running FreePBX, you may want to take a look at some of the indicators of compromise or such for this particular web shell. Now, what makes it a little bit more tricky to detect is that it replaces existing files, so you won't necessarily see new files; they are doing a good job of sort of fitting in on the system. They are, however, at least in the scan set I have seen, adding a number of additional accounts to the system. So if you are just checking your /etc/passwd file, you may see these specific accounts with their preset passwords defined as part of the attack. This particular web shell does use a password. Now, the password parameter is called MD5, but it's not necessarily an MD5 hash that's being sent here. In the example I've seen it had the format of an MD5 hash, but the string is just compared in the web shell, so they could basically use any string. But yes, the password is then in the source code. So if anybody would see some of these scans like I did and then download the particular web shell this attacker is trying to deploy, well, you would have access to the password. So it's not that unlikely that attackers are looking for, again, pre-existing web shells, sort of in a parasitic fashion. Well, then we have, sadly, another major website compromise.
This time the website of CPUID was compromised. Trojaned copies of their very popular tools like Perfmon and such were offered via links on their site. According to a post to X that was done by one of the developers of CPUID, the website itself was actually not compromised in the sense that the file integrity did not change, but the attacker was able to inject links to the malicious versions of the tools. There's also a good write-up by Kaspersky on their Securelist site about this incident. They analyzed the malware, and essentially the malware itself was, well, first of all a valid copy of the respective tool that you would have downloaded from the actual site. But then they added a malicious DLL that was side-loaded into the tool, and as a result it would then execute the malicious code. Sadly, the cpuid.com website, as far as I can tell, has so far really nothing on their side noting this incident. Also nothing on the official CPUID account. The only reason I sort of mention the post on X was that, well, it got sort of verified by Kaspersky; VX-Underground and a couple of others have verified that yes, indeed, malicious code was distributed via the CPUID website. So if you have downloaded any of their tools over the last few days, then please double-check that you didn't get infected by this malware. And as a result of the Axios HTTP client library compromise, OpenAI now has to re-release its macOS applications. The problem here is that the GitHub workflow that OpenAI uses to build these macOS applications used a compromised copy of the Axios HTTP client library. As a result, any secrets that workflow touched may have been at risk. And well, one of the secrets here was the secret key used to sign these applications. So as a result they're rolling certificates, and now you must download the new applications signed with the new secret key and certificate because, well, the old one will be revoked. And sticking with the Axios library here for another story:
There's also a new vulnerability in that library that you may want to address, and this one is kind of an interesting vulnerability. It basically allows injecting headers, which can then, particularly in cloud environments (which of course are often used for this kind of application), be used to basically steal metadata service data from your cloud virtual machine. And that, of course, can then lead to a full system compromise, which is why this is rated as a full 10 on the CVSS scale. Overall, this is something where there are workarounds available, and they go over these workarounds in the advisory. Essentially, you have to make sure that any headers you're setting don't sort of have this HTTP response splitting pattern with newlines embedded in the header value. That's kind of what sort of triggers this particular vulnerability. An interesting vulnerability, I find. Definitely, even if you're not using Axios, but you are sort of creating HTTP requests and dealing with HTTP requests, maybe it's worth just looking at the advisory. Well, and this is it for today. Thanks for listening, thanks for liking and subscribing, and always thanks for recommending this podcast to others and leaving good reviews, and talk to you again tomorrow. Bye.
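The header-value workaround the episode describes, as an added JavaScript example that is not code from the podcast, from Axios, or from the advisory: a guard that refuses to send a request when any header name or value carries an embedded CR/LF (or other control character). The function names and the sample header sets are assumptions made for this example.

```javascript
// Added example, not code from the podcast, from Axios, or from the advisory.
// It implements the workaround as the episode describes it: refuse to send a
// request whose header values carry embedded CR/LF (the response-splitting
// pattern). Function names are assumptions for this example.

// CR, LF, the remaining C0 control characters and DEL have no business in a
// header name or value; a single regex catches all of them.
const CONTROL_CHARS = /[\u0000-\u001f\u007f]/;

// Returns the names of all headers whose name or value contains a control
// character. An empty array means the header set is safe to send.
function findUnsafeHeaders(headers) {
  const unsafe = [];
  for (const [name, value] of Object.entries(headers)) {
    // Header values may arrive as numbers or arrays; normalize to strings.
    const values = Array.isArray(value) ? value : [value];
    const tainted = CONTROL_CHARS.test(name) ||
      values.some((v) => CONTROL_CHARS.test(String(v)));
    if (tainted) unsafe.push(name);
  }
  return unsafe;
}

// Guard to place in front of the HTTP client call: throws instead of sending
// when any header is unsafe, and returns the headers unchanged otherwise.
function assertSafeHeaders(headers) {
  const unsafe = findUnsafeHeaders(headers);
  if (unsafe.length > 0) {
    throw new Error(
      `refusing request: control characters in header(s): ${unsafe.join(', ')}`
    );
  }
  return headers;
}

// Constructed samples: one clean header set, and one where a value taken from
// user input carries a second header line after a CRLF.
const CLEAN_HEADERS = { Accept: 'application/json', 'X-Request-Id': 'req-42' };
const TAINTED_HEADERS = { 'X-Request-Id': 'req-42\r\nX-Injected: 1' };

// Usage: validate first, then hand the returned headers to the HTTP client:
//   const headers = assertSafeHeaders(buildHeadersFromUserInput());
```

Apply the guard to every header set built from untrusted input, whichever HTTP client library sends the request.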
Host: Johannes B. Ullrich
Duration: ~5 minutes
Main Theme: Key cyber security incidents and advisories, focusing on EncystPHP webshell activity, compromise of the CPUID download site, OpenAI macOS certificate rotation due to Axios compromise, and a critical Axios HTTP library vulnerability.
Johannes Ullrich provides a rapid rundown of four major information security events:
[00:32] EncystPHP webshell scans, seen as a follow-up to FreePBX scans and as parasitic scans for already installed webshells. The webshell replaces existing files and adds accounts to /etc/passwd with preset passwords. Its password parameter is named MD5 (though not required to actually hash).
[02:01] Compromise of the CPUID download site: links to trojaned copies of CPUID tools carrying a side-loaded malicious DLL, analyzed by Kaspersky.
[03:03] OpenAI macOS certificate rotation after its GitHub build workflow used a compromised copy of Axios; re-download the applications signed with the new certificate.
[03:38] A CVSS 10 Axios HTTP library vulnerability allowing header injection; the advisory's workaround is to reject header values with embedded newlines.
Each topic features actionable insights for administrators and security practitioners.
This episode spotlights the persistent challenge of webshell detection, the increasing frequency and sophistication of software supply chain attacks, and the need for vigilance around open-source library vulnerabilities. Johannes’s recommendations focus on immediate actions for administrators—checking for specific compromise indicators, updating both software and mental checklists, and keeping up with security advisories from trusted organizations.