
SANS Stormcast Tuesday, April 28th, 2026: More TeamPCP; Citrix XenServer Unpatched Vulns; Phantom RPC;
Hello and welcome to the Tuesday, April 28, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording from Jacksonville, Florida, and this episode is brought to you by the SANS.edu Graduate Certificate Program in Industrial Control System Security.

Candidate wrote a quick update on the latest developments in TeamPCP-style attacks, and of course one of the big developments last week was Checkmarx and a couple of the other companies affected by this, Bitwarden. I mentioned both last week. Now for Checkmarx there is one kind of interesting new development: apparently the entire GitHub repository was leaked as part of the attack. They don't state how severe this is, if there are any secrets in this GitHub repository or not, but they do state that this all is really sort of just follow-on leftover from an attack that started March 23. So about a month ago they wrote back then about this attack on March 23rd, but now they basically linked those two attacks. And yes, that's sort of one of the big news items here, just in general as far as the current state of supply chain attacks goes.

We also have a new blog post by socket.dev, and they're writing about 73 different OpenVSX extensions that they found that basically link to GlassWorm, which is, well, typical credential exfiltration. So again, you know, more opportunities here for developers to lose their credentials, and with that sort of new entry points being found by attackers for additional supply chain attacks. Once they hit a developer for a major package, then of course they can start the cycle all over again.

Finally, I have some bad news for users of Citrix XenServer, or XAPI, which is the API that comes with XenServer. Researcher Jakob Wolfhackel did release a blog post outlining 89 different vulnerabilities that Jakob discovered in Citrix XenServer. There has been very limited notice provided to the XCP-ng project, which is the open source implementation of this. There was no notice really provided about this. So there are also no patches or anything available from Citrix themselves. In part this was due to some of the prior behavior of the Cloud Software Group, which is the private equity fund that owns Citrix XenServer, by not acknowledging researchers or really trying to downplay vulnerabilities. Remember, for example, the famous CitrixBleed, which sort of keeps reoccurring, in part because, well, essentially the same vulnerability exists in several spots of the code, and well, the Cloud Software Group hasn't really sort of gotten around or put the resources behind actually finding these vulnerabilities more proactively. Overall, as a user of Citrix XenServer, well, hopefully there will be an update available soon. But at this point really the best thing you can do probably is limit access to the API and with that hopefully, well, reduce at least the likelihood of being compromised. On the other hand, the blog post by Jakob also points out that you should assume compromise, as these vulnerabilities have been around basically since the beginning of Citrix XenServer and, well, weren't really all that terribly difficult to find. There is no note here, as far as I have been seeing it, about any use of AI or so in finding these vulnerabilities; they seem to have been found, well, the good old-fashioned way.

But, well, it's not just Citrix users that have to worry about unpatched vulnerabilities being disclosed. We also have a blog post by Kaspersky that disclosed an architectural issue with Windows RPC. They're calling it Phantom RPC. So RPC services are dealing with a lot of this sort of system background kind of stuff in Windows and have the ability to act as another user. That's being abused here by providing a non-existing RPC service. So exactly what happens here is that a client may try to reach out to an RPC service that, for whatever reason, does not exist. The attacker is establishing a malicious version of that RPC service and then essentially tricking the client connecting to it to execute code as another user. That's sort of the overall trick here; there is of course a lot more behind this. If you're interested in the details, take a look at the blog post. It's a privilege escalation vulnerability. So nothing sort of remote code execution or such that we had of course in RPC services before. But still an interesting vulnerability, and we'll have to see how Microsoft will address this, given that currently there's sort of no provision to actually better authenticate any of the RPC services. They have been around forever. So there's also a huge backward compatibility problem here.

Well, and that's it for today. Also a vulnerability I didn't get to cover in Pi-hole, so definitely get that patched, and also a privilege escalation vulnerability in Linux, but it doesn't sound as severe as Phantom RPC. So that's it for today and talk to you again tomorrow. Bye.
Date: April 28, 2026
Host: Johannes B. Ullrich
Episode Theme: Updates on recent cybersecurity threats, supply chain attack follow-ups, and newly disclosed high-impact vulnerabilities, with a focus on TeamPCP attacks, Citrix XenServer, and a new Windows RPC (Phantom RPC) issue.
In today's episode, Johannes Ullrich provides a concise but content-packed review of the newest threats and discoveries in cybersecurity. He focuses on ongoing supply chain attacks (notably stemming from TeamPCP incidents), Citrix XenServer's unpatched vulnerabilities, and a fresh privilege escalation risk dubbed "Phantom RPC" in Windows systems. The episode is aimed at security professionals needing actionable, up-to-date advice.
| Time  | Topic                                          |
|-------|------------------------------------------------|
| 00:20 | TeamPCP/Checkmarx new repo leak details        |
| 01:15 | Malicious OpenVSX extensions by socket.dev     |
| 01:51 | Citrix XenServer 89 unpatched vulnerabilities  |
| 03:32 | Phantom RPC vulnerability in Windows           |
| 05:00 | Quick mentions: Pi-hole and Linux patches      |

| Topic                     | Urgency/Action                                   | More Info           |
|---------------------------|--------------------------------------------------|---------------------|
| TeamPCP attack links      | Be alert for supply chain risks/updates          | Checkmarx repo leak |
| OpenVSX extension malware | Audit and avoid risky extensions                 | socket.dev blog     |
| XenServer vulnerabilities | Limit API exposure, patch when available         | wolfhackel.com blog |
| Phantom RPC               | Monitor for updates on privilege escalation risk | Kaspersky blog      |
| Pi-hole & Linux bugs      | Patch promptly                                   | -                   |
Johannes maintains his signature direct, pragmatic tone, focusing on actionable takeaways for security practitioners. This episode underscores the persistent, evolving nature of supply chain and platform threats, and the need for both proactive defense and rapid patching.
"That's it for today and talk to you again tomorrow." (Johannes, 05:30)