
SANS Stormcast Episode Highlights New PHP Webshell, GitHub Security Changes, and Cloudflare Private Access Tokens
The June 23, 2026, episode of the SANS Internet Storm Center’s Stormcast, hosted by Johannes Ullrich in Jacksonville, Florida, highlighted a newly discovered PHP webshell on GitHub marketed as "hard to detect," though its evasion relies on the code being too recent for signature-based detection. The episode emphasized that webshells are typically deployed via unauthorized file upload or remote code execution vulnerabilities to establish persistent access on web servers. GitHub implemented security changes to its pull request workflows, restricting automatic execution of actions when pull requests originate from forks to mitigate supply chain attacks, though users can opt out with manual security measures. Cloudflare introduced Private Access Tokens as a privacy-preserving alternative to CAPTCHAs, allowing browsers to prove human identity via digitally signed tokens without repeated challenges, though the standard remains incomplete. The discussion also covered a FortiGate firewall breach, where attackers exploited unpatched devices to intercept TLS traffic and harvest credentials, underscoring the risk of assuming that only data stored directly on a compromised gateway is exposed. The episode concluded by noting the absence of Thursday and Friday podcasts that week.