SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

SANS Stormcast Wednesday, April 22nd, 2026: WAV Malware; GitHub OAUTH Phishing; Perforce Settings

7 min
Apr 22, 20267 days ago
Listen to Episode
Summary

This episode covers three cybersecurity threats targeting developers: WAV malware using steganography to hide executables, GitHub OAuth phishing exploiting notification delays, and insecure Perforce default configurations. All three represent supply chain attack vectors against software developers.

Insights
  • Attackers are increasingly targeting developers as a supply chain vector, using multiple platforms (GitHub, Perforce) to gain access to systems and credentials
  • Simple obfuscation techniques (base64 encoding + XOR cipher in audio files) can be effective at bypassing initial detection if they appear legitimate to users
  • OAuth's cryptographic strength is undermined by usability issues—users struggle to understand what privileges they're granting and to whom, making social engineering more effective
  • Time-of-check-time-of-use (TOCTOU) vulnerabilities in notification systems can be exploited to craft more convincing phishing attacks by modifying content after initial trigger
  • Default configurations in widely-used developer tools pose significant security risks; organizations must actively review and harden settings rather than relying on vendor defaults
Trends
Supply chain attacks increasingly focus on developer tools and platforms as high-value targetsSteganography and simple obfuscation techniques remain effective for initial payload delivery despite their simplicityOAuth-based attacks are growing as attackers exploit the gap between protocol security and user understandingNotification systems and timing-based vulnerabilities are being weaponized in social engineering campaignsDefault configuration weaknesses in enterprise software remain a persistent and exploitable vulnerability classMulti-stage attacks combining social engineering with legitimate platform features are more effective than traditional phishing
Topics
WAV file steganography and malware obfuscationBase64 encoding and XOR cipher encryptionGitHub OAuth token theft and phishingGitHub notification system vulnerabilitiesTime-of-check-time-of-use (TOCTOU) attacksOAuth usability and privilege assignment issuesPerforce version control security configurationDeveloper-targeted supply chain attacksDefault account and password reset vulnerabilitiesRepository synchronization security controlsMalware analysis and Python-based extraction toolsPE header analysis and executable recoveryFreemium software security models
Companies
GitHub
OAuth phishing attack exploits GitHub notifications and application authentication to steal developer tokens
Perforce
Version control software with insecure default configurations that pose risks to developer environments
SANS
Host organization of the podcast; sponsors the episode through SANS.edu Credit Certificate Program
People
Johannes Ulrich
Host of the Stormcast podcast episode, recording from Amsterdam
dde
Analyzed WAV malware with embedded executable and created Python scripts for extraction and key brute-forcing
Morgan Robertson
Authored blog post revealing insecure default configuration options in Perforce software
Quotes
"OAuth itself, cryptographically, technically a very solid protocol, suffers often from usability issues where it's not really all that clear to the user, even a little bit more sophisticated user like a developer."
Johannes Ulrich
"The attacker will create an issue and mention the victim inside the issue. Now this will trigger a notification for the victim but that of a little twist comes in. There actually a delay in the notification being created and GitHub actually retrieving the necessary data from the actual issue."
Johannes Ulrich
"The attacker here used a piece of malware an executable and base64 encoded it then used a simple xor cipher in order to encrypt it and essentially used the resulting data as the audio data in a dot wave file."
Johannes Ulrich
"It is not phishing in a sense where an attacker has to set up a fake GitHub clone or anything like this. Instead, the link then in that GitHub notification will entice the victim to basically connect to the attacker's application."
Johannes Ulrich
Full Transcript
Hello and welcome to the Wednesday, April 22, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ulrich, recording today from Amsterdam, Netherlands. And this episode is brought to you by the SANS.edu Credit Certificate Program in Purple Team Operations. dde today wrote up an interesting piece of malware that arrived as an audio file in this particular case we didn't have sort of classic steganography classic steganography usually takes an existing audio file that actually appears and actually is some music or some other recording and then it slightly modulates the existing audio file in order to encode a message this particular audio file that dde analyzed was created differently the attacker here used a piece of malware an executable and base64 encoded it then used a simple xor cipher in order to encrypt it and essentially used the resulting data as the audio data in a dot wave file this is fairly simple and it works because particularly in a .wav file essentially any byte value will be represented by volume and with that as audio now when you're listening to this particular audio file that the DA looked at all you sort of hear essentially noise so there isn't like you know any melody or anything like that but probably good enough in order to fool some people into believing that this is actually an audio file and then of course the malware on the receiving system is reversing the encryption and encoding and extracting the actual executable Of course Diddy has some Python scripts here to help you with this, including brute forcing the one byte XR key using the known plain text, which in this case is the PE header of the file, and then essentially just extracting the executable for further analysis if you want to learn more about this then refer to dda's diary from today which walks you through this step-by-step process and of course supply chain issues are still in everybody's mind or again in everybody's mind and with that well attacks against developers one vector how attacks against developers were often perpetrated is github and in particular github notifications there's a new blog post now by at sika if i pronounce this correctly who writes about how weaknesses in github notifications can make it easier for attackers to actually fool developers and then obtain oauth tokens on the developer's behalf the way this particular attack works is that the attacker will initially set up a github repository, the attacker will then also set up a GitHub application. And GitHub applications can use OAuth in order to authenticate users to the application and also use some of the privileges assigned to the user. The next step then is that the attacker will create an issue and mention the victim inside the issue Now this will trigger a notification for the victim but that of a little twist comes in There actually a delay in the notification being created and GitHub actually retrieving the necessary data from the actual issue. And that delay is like a couple seconds and it's long enough for the attacker to actually modify the issue and make the issue appear more genuine and something that the victim is more likely going to fall to. In this particular case, they make the issue kind of look like a notification of a breach of the developer's repository. When the developer then clicks on the link and tries to check what the notification is all about, they will be sent to a legitimate GitHub page. So, it is not phishing in a sense where an attacker has to set up a fake GitHub clone or anything like this. Instead, the link then in that GitHub notification will entice the victim to basically connect to the attacker's application, give the attacker OAuth privileges, which can then be abused by the attacker. I think in addition sort of to that little time of check, time of use issue here where notifications can be modified after they're being triggered. The other problem here is of a classic OAuth issue. OAuth itself, cryptographically, technically a very solid protocol, suffers often from usability issues where it's not really all that clear to the user, even a little bit more sophisticated user like a developer. it's often hard to tell what privileges you're actually assigning and who created the application and, well, what applications actually is that you are providing here with privileges. And I think that really contributes almost more here to the problem than the fact that you can tailor these notifications a little bit better than you could without that time of check time of use problem And the blog post by Morgan Robertson does reveal some insecure default configuration options that you will find in Perforce. Perforce is software that's used for version control, so essentially by software developers. Again, we do have attacks here possibly against software developers and supply chain. Perforce sort of follows the freemium model where some of the functionality you get in a free version, but fundamentally it is commercial software. now some of these default configurations are fairly classic where it basically does establish some default accounts it also makes it easy to review users on the system or do things like for example synchronize repositories and such without sufficient checks or reset passwords all of this is really just a configuration option so it's not that they had to like rewrite the software sort of fix it the latest version does have these issues fixed and does have more sensible defaults however if you are already using perforce then please take a look at the blog post and make sure that your particular install does use the correct configuration options well and this is it for today so thanks for listening thanks for liking thanks for subscribing and talk to you again tomorrow. Bye.