
February 2026 SANS Internet Storm Center Stormcast Covers Dino Wiper, LLM Passwords, VS Code Extensions, and VoIP Phone Vulnerability
The February 20, 2026, SANS Internet Storm Center Stormcast covered four cybersecurity topics. First, a diary by SANS.edu graduate John Mudas analyzed Dino Wiper, malware discovered in Polish power plants. The wiper, attributed to a nation-state actor, destroys data by overwriting files with pseudo-random noise; the algorithm that generates the noise is not obfuscated, which simplifies reverse engineering. Second, security firm Erecular found that large language models (LLMs), when prompted for passwords, generate deterministic passwords that are not cryptographically random, and some commonly suggested passwords have already been observed in real-world breaches. Third, Ox Research identified vulnerable Visual Studio Code extensions that expose local HTTP APIs to cross-origin JavaScript attacks, enabling malicious websites to access developer code. Four extensions were highlighted, two of which require additional user interaction (e.g., modifying settings.json or opening a malicious README.markdown). Finally, Rapid7 disclosed a stack-based buffer overflow in Cranstream GXP600 VoIP phones that allows unauthenticated root access. The flaw was patched, but it poses a risk of lateral movement within networks.