
SANS Stormcast Wednesday, April 29th, 2026: Odd Vercel Header Usage; GitHub Vuln Patches; MSFT RDP Notification Bug
Hello and welcome to the Wednesday, April 29, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida, and this episode is brought to you by the SANS.edu Graduate Certificate Program in Incident Response.

Well, the diary today is a quick write-up I did on some requests we're seeing in our honeypots that use a little bit unusual header, the x-vercel-set-bypass-cookie header. Now this header is related to the bypass value that you can define as a user of Vercel that will essentially bypass some of the protection mechanisms, like for example rate limiting. Now this is not an unusual feature for any kind of application firewall or such, where particularly for developer purposes you have the ability to essentially bypass at least some of the protection mechanisms. The value you would have to pass with the Vercel set bypass header, well, is random, and it's something that the user can define, and that does not appear to be really the use here, because they're using the x-vercel-set-bypass-cookie header, so with the additional cookie add-on, and that's where it gets a little bit interesting. So this header is used so that the first time you send a request you will set the bypass value, and then the server is responding with a Set-Cookie header to essentially set a cookie. And that's in particular useful for browsers that are being used here for testing, because then the browser will automatically send the cookie and with that sort of retain the bypass feature here. The value they're sending here is "same site non secure", which is not documented, but there are similar parameters, in particular "same site none", where you sort of specify that a cookie comes back with the None value for the SameSite attribute. Not 100% sure what they're after here. Could be that they're hoping that some cookies may leak the value that is defined for this header. I don't have access to a Vercel setup here myself to sort of test this and see how this would be working. If anybody has any more insight, I would be interested in hearing what the attacker may be accomplishing here. Also, these requests are being sent via open proxy servers.

And Wiz Research published a blog post with details about a vulnerability in GitHub that they found. Now if you're a user of GitHub and you're just using GitHub's cloud solution, you're perfectly fine. If you happen to use the on-prem option for GitHub, well, then of course you need to patch. The vulnerability is kind of interesting, and it's nice of Wiz to sort of dive a little bit into what exactly happened here. The fundamental problem that GitHub has is that it allows users to execute Git commands and, well, Git commands are operating system commands, and they have a number of options that can be passed to the command. In this particular case, it was the git pull command that actually caused the problem. Now, the way GitHub deals with some of the problems arising from allowing users to run Git commands is that they run it through a proxy. They call it babeld. And this proxy is supposed to clean up some of the bad characters, essentially like semicolons and such, but didn't do so correctly in this case, which then led essentially to an OS command injection vulnerability that could be used to execute code on GitHub's servers. Luckily, well, Wiz reported it and GitHub did verify and fix it almost within hours. So very quick response here from GitHub, and as far as they're saying, the vulnerability had not been exploited at the time, so no user data was lost.

And one of the security improvements that I highlighted in this month's Microsoft Patch Tuesday updates was the addition of more elaborate warnings if you're adding an RDP file and if you're trying to then open the file. This has been often used for phishing, and that's sort of why Microsoft sort of improved the user interaction here. Well, they now published an update, or an issue, about this particular update that basically indicates these security warnings may sometimes show up a little bit garbled. This happens if you sort of have different displays with different display scaling. I guess it doesn't get the font size quite right, and as a result some of the text may overlap, just making it more difficult to read.

Well, and that's it for today. Thanks for liking, thanks for subscribing, and thanks for recommending this podcast to others, and talk to you again tomorrow. Bye.
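The honeypot pattern described above boils down to two request headers: the Vercel bypass token and the x-vercel-set-bypass-cookie header that asks the server to persist that token as a cookie, here with an undocumented value. The following is an added example, not the ISC's honeypot code or anything from Vercel: a small parser that walks raw HTTP requests, flags any request carrying either bypass header, calls out set-bypass-cookie values outside the documented ones ("true" and "samesitenone"), and notes whether proxy headers are present, since the episode mentions the traffic arrives via open proxies. The sample requests, token value and IP addresses are constructed.

```python
"""Flag honeypot HTTP requests that carry Vercel deployment-protection bypass headers.

Added example (not the ISC's honeypot tooling). Assumes raw HTTP/1.x request
text is available; the sample requests below are constructed, not captured.
"""
from __future__ import annotations

from dataclasses import dataclass

# Headers Vercel documents for its deployment-protection bypass feature.
# x-vercel-set-bypass-cookie is documented with the values "true" and "samesitenone";
# any other value (such as a "samesitenonsecure" variant) is undocumented and worth a look.
BYPASS_HEADERS = {"x-vercel-protection-bypass", "x-vercel-set-bypass-cookie"}
DOCUMENTED_SET_COOKIE_VALUES = {"true", "samesitenone"}
# Headers that commonly indicate the request passed through a (possibly open) proxy.
PROXY_HINT_HEADERS = {"via", "x-forwarded-for", "forwarded"}


@dataclass(frozen=True)
class Finding:
    source: str
    header: str
    value: str
    reason: str
    via_proxy: bool


def parse_headers(raw_request: str) -> dict[str, str]:
    """Return the header block of a raw HTTP/1.x request as a lowercase-keyed dict."""
    headers: dict[str, str] = {}
    lines = raw_request.strip("\r\n").splitlines()
    for line in lines[1:]:  # lines[0] is the request line
        if not line.strip():
            break  # blank line terminates the header block
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def analyze_request(source: str, raw_request: str) -> list[Finding]:
    """Produce one Finding per Vercel bypass header present in the request."""
    headers = parse_headers(raw_request)
    via_proxy = any(h in headers for h in PROXY_HINT_HEADERS)
    findings: list[Finding] = []
    for name in sorted(BYPASS_HEADERS & headers.keys()):
        value = headers[name]
        if name == "x-vercel-set-bypass-cookie" and value.lower() not in DOCUMENTED_SET_COOKIE_VALUES:
            reason = "undocumented x-vercel-set-bypass-cookie value"
        else:
            reason = "Vercel bypass header present"
        findings.append(Finding(source, name, value, reason, via_proxy))
    return findings


# Constructed sample traffic: one request in the odd pattern, one benign request.
SAMPLE_REQUESTS = {
    "198.51.100.7": (
        "GET / HTTP/1.1\r\n"
        "Host: app.example.test\r\n"
        "X-Vercel-Protection-Bypass: CONSTRUCTED_BYPASS_TOKEN\r\n"
        "X-Vercel-Set-Bypass-Cookie: samesitenonsecure\r\n"
        "Via: 1.1 open-proxy.example.test\r\n"
        "\r\n"
    ),
    "203.0.113.9": (
        "GET / HTTP/1.1\r\n"
        "Host: app.example.test\r\n"
        "User-Agent: curl/8.0\r\n"
        "\r\n"
    ),
}


def scan(requests: dict[str, str] = SAMPLE_REQUESTS) -> list[Finding]:
    """Scan every request and return all findings, in source order."""
    return [f for src, raw in requests.items() for f in analyze_request(src, raw)]


if __name__ == "__main__":
    for f in scan():
        print(f"{f.source}: {f.header}={f.value!r} ({f.reason}; via proxy: {f.via_proxy})")
```

On a real honeypot feed the interesting pivot is the combination: a bypass token that is obviously not a Vercel-issued secret, an undocumented cookie directive, and proxy headers. Any of the three alone is noise; together they match the traffic the diary describes.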
Episode Title: SANS Stormcast Wednesday, April 29th, 2026: Odd Vercel Header Usage; GitHub Vuln Patches; MSFT RDP Notification Bug
Host: Johannes B. Ullrich
Date: April 29, 2026
In this brief and information-packed episode, Johannes B. Ullrich delivers a concise summary of recent developments and unusual findings in cybersecurity. The episode focuses on:
- Honeypot requests carrying the x-vercel-set-bypass-cookie header with the value "same site non secure", which is not a documented option. There are similar, documented settings like SameSite=None, but this usage is odd.
- A GitHub vulnerability in which the git pull command was implicated.
- Microsoft's improved warnings for .rdp (Remote Desktop Protocol) files, because these are common phishing vectors.
Discussion points:
- On odd honeypot traffic
- On unknown attacker goals
- On the GitHub vulnerability's nature
- On Microsoft's scaling-related bug
Johannes maintains his usual conversational, informative tone—direct, educational, and inviting listener participation, especially regarding the Vercel header anomaly. The summary is delivered in the concise, practical style that characterizes SANS Stormcast episodes, focusing strictly on actionable or noteworthy cybersecurity developments.
A concise but rich briefing from Johannes B. Ullrich, this episode highlights emerging concerns in security monitoring, rapid response to vulnerabilities, and the real-world impact of post-update software bugs. Whether you’re monitoring for evolving attack patterns or just keeping up with patch management nuances, this Stormcast efficiently delivers critical, current information.
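The GitHub issue in the episode is a classic shape: user-supplied values end up as arguments of an operating-system command, and a proxy that filters "bad characters" such as semicolons misses a case. The following is an added example written for this page; it is not GitHub's babeld proxy or any code from the Wiz write-up. It contrasts a blocklist-style character filter with the defensive pattern practitioners generally prefer for wrapping git: validate every argument against an allowlist, reject anything that could be parsed as an option, and hand argv to subprocess as a list so no shell ever sees it. The allowlist patterns and the pull/fetch restriction are assumptions for the example.

```python
"""Build git invocations without handing user input to a shell.

Added example (not GitHub's babeld or Wiz's code). Contrasts a blocklist-style
character filter with an allowlist plus shell-free argv construction.
"""
from __future__ import annotations

import re
import subprocess

# Assumption for this example: only these subcommands are ever needed.
ALLOWED_SUBCOMMANDS = {"pull", "fetch"}
# Conservative allowlists for remote names and refs (assumption: sufficient for the callers).
REMOTE_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")
REF_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._/-]{0,127}")


def blocklist_sanitize(user_arg: str) -> str:
    """The weak approach: strip a few known-bad characters from a string that is
    later interpolated into a shell command line. Anything the list does not
    cover, including a leading '-' that git itself reads as an option, passes through."""
    for bad in (";", "&", "|"):
        user_arg = user_arg.replace(bad, "")
    return user_arg


def build_git_argv(subcommand: str, remote: str, ref: str) -> list[str]:
    """The hardened approach: validate each piece against an allowlist and return
    argv as a list. A leading '-' is rejected so user input cannot become a git
    option, and '--' separates options from positional arguments."""
    if subcommand not in ALLOWED_SUBCOMMANDS:
        raise ValueError(f"subcommand not allowed: {subcommand!r}")
    if remote.startswith("-") or not REMOTE_RE.fullmatch(remote):
        raise ValueError(f"invalid remote name: {remote!r}")
    if ref.startswith("-") or not REF_RE.fullmatch(ref):
        raise ValueError(f"invalid ref: {ref!r}")
    return ["git", subcommand, "--", remote, ref]


def run_git(subcommand: str, remote: str, ref: str, cwd: str) -> subprocess.CompletedProcess:
    """Execute the validated argv with the default shell=False: the list form is
    passed straight to execve, so there is no shell to interpret metacharacters."""
    return subprocess.run(
        build_git_argv(subcommand, remote, ref),
        cwd=cwd,
        capture_output=True,
        text=True,
        check=False,
    )


if __name__ == "__main__":
    print(build_git_argv("pull", "origin", "main"))
    for remote in ("origin; id", "--some-option"):
        try:
            build_git_argv("pull", remote, "main")
        except ValueError as exc:
            print("rejected:", exc)
```

The point of the contrast is that the blocklist function still returns a string ("origin id" for the constructed input "origin; id") that a caller might interpolate into a shell command, whereas the allowlist version refuses the input outright and never produces a command line for a shell at all.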