
SANS Storm Cast Highlights Malware, Supply Chain Attacks, and Critical Vulnerabilities
The June 17, 2026, SANS Internet Storm Center Storm Cast covered a malware sample received as a VHDX disk image that auto-mounts in Windows, executing obfuscated JavaScript that launches PowerShell via WMI, a technique designed to evade endpoint protection by masking execution paths. The attack ultimately deployed Remcos RAT, a persistent remote access tool that bypasses some antivirus systems. A Python developer documented an attempted supply chain attack disguised as a job interview, in which malicious code was provided under the pretext of a coding test; the developer mitigated the risk by running it in an isolated virtual machine. The episode also highlighted a 27-year-old vulnerability in OpenBSD’s PAP authentication protocol that allowed authentication bypass if a zero-length password was supplied. Microsoft patched a Copilot vulnerability in which attackers exploited a race condition (HTML responses left unwrapped during processing) to exfiltrate sensitive M365 data via image URLs. The episode emphasized defensive strategies such as isolated development environments and vigilance against social engineering tactics targeting developers.