
SANS Internet Storm Center Stormcast Highlights Linux Traffic Interception Methods and Recent Cyber Threats
The May 22, 2026, SANS Internet Storm Center Stormcast covered methods for intercepting application traffic on Linux, in contrast to Proxifier, a tool available only for macOS and Windows. Three Linux techniques were highlighted: setting the HTTP_PROXY and HTTPS_PROXY environment variables, using iptables to redirect the traffic of a specific user, and using network namespaces to isolate an application's network configuration.

The episode also reported a supply chain attack targeting 5,000 GitHub repositories, in which harvested credentials were used to inject malicious GitHub Actions that exfiltrated secrets (AWS keys, SSH keys, JWTs, etc.) to IP 216.126.225.129. The attackers used deceptive bot names such as auto-ci or CI-bot so that the injected workflows blended into CI/CD pipelines.

Microsoft released an out-of-band update for Windows Defender to patch actively exploited privilege escalation vulnerabilities (Redson and Undefend), and Cisco addressed a critical CVSS 10 authentication bypass flaw in the Secure Workload REST API that allowed unauthorized admin access.

The episode concluded with a reminder that the next podcast would air on May 26 because of the U.S. Memorial Day holiday.
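The per-user iptables redirect and the network-namespace approach described above, written out as an added shell example (not code from the Stormcast or from Proxifier). It assumes a local intercepting proxy already listening on the given port, the addresses 10.200.0.1/24 (host) and 10.200.0.2/24 (namespace) for the veth pair, and root privileges when run without DRY_RUN=1.

```shell
#!/bin/sh
# Every privileged command goes through run(), so DRY_RUN=1 prints the
# commands instead of executing them (useful for reviewing a rule set).
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Redirect the HTTP/HTTPS traffic of one Unix user (by uid) to a local
# transparent proxy port. The proxy must run as a different uid: if the
# owner match also hit the proxy's own upstream connections, they would be
# redirected back into the proxy and loop, so that case is refused.
redirect_user_traffic() {
    uid=$1; proxy_uid=$2; proxy_port=$3
    if [ "$uid" = "$proxy_uid" ]; then
        echo "refusing: target uid equals proxy uid (would loop)" >&2
        return 1
    fi
    for port in 80 443; do
        run iptables -t nat -A OUTPUT -p tcp --dport "$port" \
            -m owner --uid-owner "$uid" -j REDIRECT --to-ports "$proxy_port"
    done
}

# Run a single application inside its own network namespace, joined to
# the host by a veth pair, with HTTP_PROXY/HTTPS_PROXY pointing at the
# host end of the pair. Addresses below are assumed values.
run_in_netns() {
    ns=$1; proxy_port=$2; shift 2
    run ip netns add "$ns"
    run ip link add "veth-$ns" type veth peer name "veth0-$ns"
    run ip link set "veth0-$ns" netns "$ns"
    run ip addr add 10.200.0.1/24 dev "veth-$ns"
    run ip link set "veth-$ns" up
    run ip -n "$ns" addr add 10.200.0.2/24 dev "veth0-$ns"
    run ip -n "$ns" link set "veth0-$ns" up
    run ip -n "$ns" link set lo up
    run ip -n "$ns" route add default via 10.200.0.1
    # The application sees only this namespace; its proxy-aware traffic
    # goes to the host-side address where the intercepting proxy listens.
    run ip netns exec "$ns" env HTTP_PROXY="http://10.200.0.1:$proxy_port" \
        HTTPS_PROXY="http://10.200.0.1:$proxy_port" "$@"
}
```

Only applications that honour the proxy variables are captured by the namespace method; the iptables owner match catches plain HTTP/HTTPS connections regardless, which is why the two are complementary.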