SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

SANS Stormcast Friday April 24th, 2026: Apple Update; Bitwarden Compromise; ASP.NET Core Patch

7 min
Apr 24, 2026
Summary

This episode covers three critical security vulnerabilities: an Apple iOS/iPadOS patch fixing a notification deletion flaw exploited by law enforcement, a supply chain compromise of Bitwarden's CLI tools via GitHub credential theft linked to the Checkmarks exploit, and an emergency Microsoft ASP.NET Core cryptographic signature verification vulnerability requiring application re-release.

Insights
  • Operating system messaging components often fail to meet the encryption standards of end-to-end encrypted applications, creating persistent artifacts that can be recovered by law enforcement or attackers
  • Supply chain attacks are cascading: the Checkmarks compromise led directly to Bitwarden compromise through stolen GitHub credentials, demonstrating how one breach enables secondary attacks
  • Single-vulnerability Apple patches typically indicate active exploitation in the wild, even when not explicitly documented by Apple
  • Cryptographic signature verification flaws enable padding oracle attacks that allow attackers to impersonate users, requiring full credential rotation and application re-release
  • Developers must monitor dependencies and delay updates during active compromise investigations to avoid deploying malicious code
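The last insight above, monitoring dependencies and holding off on updates while a compromise is still being investigated, can be turned into a routine check. The Python script below is an added example written for this page; it is not code from the podcast, from Bitwarden or from Socket.dev. It compares the current npm package-lock.json against a saved known-good copy and reports packages that were added, removed, changed version, or kept their version but changed integrity hash (a republished tarball). The package names, versions and integrity values are constructed sample data, and the watchlist is simply whatever names an incident report gives you.

```python
"""Lockfile drift check (constructed example): compare a current npm
package-lock.json against a saved known-good copy and report what moved."""
import json
from typing import Dict, List, Tuple

# Constructed sample data: package names, versions and integrity hashes are
# made up and do not refer to any real release.
BASELINE_LOCK = json.dumps({
    "name": "example-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/left-pad": {"version": "1.3.0", "integrity": "sha512-AAAA"},
        "node_modules/some-cli": {"version": "2024.1.0", "integrity": "sha512-BBBB"},
        "node_modules/helper": {"version": "0.9.1", "integrity": "sha512-CCCC"},
        "node_modules/oldlib": {"version": "3.0.0", "integrity": "sha512-DDDD"},
    },
})
CURRENT_LOCK = json.dumps({
    "name": "example-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/left-pad": {"version": "1.3.0", "integrity": "sha512-AAAA"},
        "node_modules/some-cli": {"version": "2024.2.0", "integrity": "sha512-EEEE"},
        # same version string, different tarball hash: the artifact was replaced
        "node_modules/helper": {"version": "0.9.1", "integrity": "sha512-FFFF"},
        "node_modules/newdep": {"version": "0.0.1", "integrity": "sha512-GGGG"},
    },
})


def load_packages(lock_json: str) -> Dict[str, Tuple[str, str]]:
    """Map each dependency path (minus the leading node_modules/) to
    (version, integrity). Nested paths stay distinct, so a shadowed copy of a
    package is tracked separately from the top-level one."""
    pkgs = {}
    for path, meta in json.loads(lock_json).get("packages", {}).items():
        if not path:                      # "" is the project itself
            continue
        name = path[len("node_modules/"):] if path.startswith("node_modules/") else path
        pkgs[name] = (meta.get("version", ""), meta.get("integrity", ""))
    return pkgs


def diff_lockfiles(baseline_json: str, current_json: str) -> Dict[str, list]:
    """Classify every package that differs between the two lockfiles."""
    base, cur = load_packages(baseline_json), load_packages(current_json)
    report = {"added": [], "removed": [], "version_changed": [], "integrity_changed": []}
    for name in sorted(set(base) | set(cur)):
        if name not in base:
            report["added"].append(name)
        elif name not in cur:
            report["removed"].append(name)
        elif base[name][0] != cur[name][0]:
            report["version_changed"].append((name, base[name][0], cur[name][0]))
        elif base[name][1] != cur[name][1]:
            # Same version, different hash: the published artifact was swapped,
            # which is what a registry-side or build-pipeline compromise looks like.
            report["integrity_changed"].append(name)
    return report


def drifted_names(report: Dict[str, list]) -> set:
    return (set(report["added"]) | set(report["removed"]) | set(report["integrity_changed"])
            | {name for name, _, _ in report["version_changed"]})


def watchlist_hits(report: Dict[str, list], watchlist: List[str]) -> List[str]:
    """Drifted packages that are on an incident watchlist (the tools named in
    a current compromise report)."""
    return sorted(drifted_names(report) & set(watchlist))


if __name__ == "__main__":
    rep = diff_lockfiles(BASELINE_LOCK, CURRENT_LOCK)
    for kind, items in rep.items():
        print(f"{kind:18}{items}")
    print("watchlist hits:", watchlist_hits(rep, ["some-cli", "left-pad"]))
```

Save a copy of the lockfile while the tree is known good, then run the comparison against the working copy before every install. An integrity change without a version change is the result to stop on and investigate rather than update.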
Trends
  • Supply chain attacks targeting developer credentials and build infrastructure are becoming multi-stage campaigns
  • Law enforcement capabilities in recovering encrypted messaging artifacts are driving security fixes in mainstream OS platforms
  • Operating system components designed without threat modeling for end-to-end encryption create persistent security gaps
  • GitHub credentials are high-value targets for attackers seeking to compromise open-source and commercial software projects
  • Emergency patches for cryptographic vulnerabilities require coordinated re-release cycles across dependent applications
  • Password managers and developer tools are increasingly targeted in supply chain attacks due to their access to sensitive credentials
Topics
  • iOS/iPadOS notification center vulnerability and deletion artifacts
  • Signal encrypted messaging and notification handling
  • Bitwarden password manager CLI compromise
  • Checkmarks tool supply chain attack
  • GitHub credential theft and developer account compromise
  • Microsoft ASP.NET Core data protection library vulnerability
  • Padding oracle cryptographic attacks
  • Supply chain security and malware deployment
  • End-to-end encryption and operating system integration
  • Credential rotation and incident response
  • Browser plugin security in password managers
  • Law enforcement message recovery from notifications
  • Malware infrastructure and attack attribution
  • NuGet package updates and .NET application patching
  • Developer tool security and build pipeline compromise
Companies
Apple
Released emergency patch for iOS/iPadOS notification deletion vulnerability exploited by FBI to recover Signal messages
Bitwarden
Password manager CLI tools compromised via GitHub credential theft in supply chain attack linked to Checkmarks exploit
Microsoft
Released emergency ASP.NET Core data protection library patch for cryptographic signature verification vulnerability
Signal
End-to-end encrypted messenger affected by iOS notification artifact retention; messages recovered by law enforcement
GitHub
Developer credentials stolen from GitHub workers used to compromise Bitwarden and Checkmarks build infrastructure
Checkmarks
Developer tool compromised in supply chain attack; malware stole GitHub API keys and other credentials from developers
Socket.dev
Security research firm that uncovered both Checkmarks and Bitwarden supply chain compromises and published analysis
FBI
Law enforcement agency recovered partial Signal messages from undeleted iOS notification artifacts in criminal invest...
NuGet
Package repository where Microsoft ASP.NET Core data protection library update is available for download
People
Johannes Ullrich
Host recording from Amsterdam, Netherlands discussing three major security vulnerabilities and supply chain attacks
Quotes
"a common problem with secure messengers that if they are using sort of these built operating system messaging components that these components may well at least not encrypt the messages to the same standard as the originating application"
Johannes Ullrich, early in episode
"if you are affected by either of these compromises, expect all of your GitHub keys and other credentials to be stolen"
Johannes Ullrich, mid-episode
"probably be rather better safe than sorry and double check when you last updated them what some of the versions are and probably refrain from updating these components for the next couple days"
Johannes Ullrich, Bitwarden discussion
"any keys and such that you used in your application may have been compromised"
Johannes Ullrich, ASP.NET Core patch discussion
Full Transcript
Hello and welcome to the Friday, April 24, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Amsterdam, Netherlands. And this episode is brought to you by the SANS.edu graduate certificate program in incident response. Today I wrote a quick diary about a patch that Apple released yesterday. This patch fixes a single vulnerability in iOS and iPadOS. And while it's not unusual for Apple to release these sort of single vulnerability updates, these updates are usually reserved for currently exploited vulnerabilities, and Apple's description of the vulnerability does not actually note that it's already exploited. On the other hand, well, the nature of the vulnerability: it does describe it as a vulnerability in the notification center where notifications that are marked for deletion are not actually deleted. And exactly this particular vulnerability was noted in a press description of a recent criminal case in which the FBI was able to recover at least partial Signal messages by looking at these notifications that were not deleted. So insofar, it is certainly already an exploited vulnerability, and also not a terribly difficult to exploit vulnerability. It's a common problem with secure messengers that if they are using sort of these built operating system messaging components, these components may well at least not encrypt the messages to the same standard as the originating application, but also artifacts of sending messages or receiving messages may often be retained in these additional operating system components, as they're usually not designed sort of for these threat models that these end-to-end encrypted messengers are often designed for. So this isn't fundamentally new, and in Signal you had the option to disable notifications, but now Apple also fixed the bug slash vulnerability that the notification artifacts were not necessarily deleted even though the application marked them as to be deleted.
And yesterday I talked about the compromise of the Checkmarks kicks tool. Well, today we got our second victim of the same campaign, possibly as a follow-on to the Checkmarks compromise, and that's Bitwarden. Bitwarden, the password manager, was compromised. In particular, the command line tools were compromised. This compromise happened by actually compromising a GitHub worker. Now, part of the Checkmarks compromise was to install malware that would recover and steal credentials like GitHub API keys. So it's very possible and likely that the Bitwarden developer here was affected by the Checkmarks compromise, even though I haven't seen that confirmed yet. What is, however, confirmed is that both compromises use identical infrastructure, identical malware that is being deployed. So if you are affected by either of these compromises, expect all of your GitHub keys and other credentials to be stolen. This particular malware does not necessarily go after any secrets stored in Bitwarden. But of course, that could change at any time. And definitely something to be aware of if you're affected by a compromise of the Bitwarden command line tools. Other parts of Bitwarden don't appear to be affected, like browser plugins and so on, but still, probably be rather better safe than sorry and double check when you last updated them, what some of the versions are, and probably refrain from updating these components for the next couple days, at least until we really know all the details and the real impact and scope of this compromise. I haven't seen anything official from Bitwarden yet, but again, it's a developing story, so I may not have spotted the right blog post or where they sort of told their side of the story, what exactly happened. So far I base it mostly on what socket.dev wrote in their blog post. Well, and they're also the ones that uncovered the Checkmarks exploit yesterday. Well, and then we got an emergency update from Microsoft for the ASP.NET data protection library.
If you download that from NuGet, you should upgrade. Now, this only really affects developers who are developing for .NET. They, of course, must release new applications. The problem with this library was that it didn't verify some of the cryptographic signatures correctly, which did allow an attacker to essentially spoof other users using a padding oracle exploit. They're comparing it to a vulnerability patched back in 2010, MS-10-70, that apparently fixed a similar vulnerability. So apply the update. It's available now. And yes, you must re-release your applications that used the vulnerable library. And also you must rotate credentials because, well, any keys and such that you used in your application may have been compromised. Well, this is it for today. So thanks for subscribing, liking, and just a quick note: due to travel, I probably will not be releasing a podcast on Monday. It depends a little bit on how late I get in on Sunday, but most likely it will be too late in order to still record a podcast for Monday.
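The padding oracle behind the ASP.NET Core data protection advisory (see also the insight about signature verification flaws above) comes down to one ordering rule: verify the authentication tag before decrypting, and fail the same way for every bad input. The Python program below is an added example written for this page; it is not ASP.NET Core's Data Protection code, and its 16-byte Feistel block cipher is a stand-in built from HMAC so the example runs with the standard library only (it is not AES). It implements encrypt-then-MAC with PKCS#7 padding twice: unprotect_flawed unpads before checking the tag and raises a different exception per failure, while unprotect checks length and tag first and raises a single ProtectError. probe is a defender's self-test that XORs all 256 values into the byte masking the last plaintext byte and tallies which outcome types a caller could observe. ENC_KEY, MAC_KEY and all function names are constructed.

```python
"""Verify-then-decrypt vs. decrypt-then-verify (constructed example). The toy
Feistel block cipher is for illustration only: not AES, not ASP.NET Core code."""
import hashlib
import hmac
import os

BLOCK, TAG_LEN = 16, 32
ENC_KEY, MAC_KEY = b"\x11" * 32, b"\x22" * 32   # constructed keys; keep them distinct

class PaddingError(Exception): pass
class MacError(Exception): pass
class ProtectError(Exception): pass   # the single error the hardened path raises

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):   # Feistel round function: keyed, one-way, 8-byte output
    return hmac.new(key + bytes([rnd]), half, hashlib.sha256).digest()[:8]

def block_encrypt(key, blk):
    l, r = blk[:8], blk[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r

def block_decrypt(key, blk):
    l, r = blk[:8], blk[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r

def cbc_encrypt(key, iv, pt):
    out, prev = b"", iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, _xor(pt[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key, iv, ct):
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        out += _xor(block_decrypt(key, ct[i:i + BLOCK]), prev)
        prev = ct[i:i + BLOCK]
    return out

def pad(data):   # PKCS#7
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data):
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise PaddingError("bad padding")
    return data[:-n]

def _tag(iv, ct):
    return hmac.new(MAC_KEY, iv + ct, hashlib.sha256).digest()

def protect(pt):
    """Encrypt-then-MAC: the tag covers IV and ciphertext."""
    iv = os.urandom(BLOCK)
    ct = cbc_encrypt(ENC_KEY, iv, pad(pt))
    return iv + ct + _tag(iv, ct)

def unprotect_flawed(token):
    """Decrypts and unpads BEFORE the tag check, with a distinct error per failure."""
    iv, ct, tag = token[:BLOCK], token[BLOCK:-TAG_LEN], token[-TAG_LEN:]
    pt = unpad(cbc_decrypt(ENC_KEY, iv, ct))   # PaddingError escapes to the caller here
    if not hmac.compare_digest(_tag(iv, ct), tag):
        raise MacError("bad tag")
    return pt

def unprotect(token):
    """Checks length and tag first (constant-time), decrypts only on success, one error type."""
    if len(token) < 2 * BLOCK + TAG_LEN or (len(token) - TAG_LEN) % BLOCK:
        raise ProtectError("invalid token")
    iv, ct, tag = token[:BLOCK], token[BLOCK:-TAG_LEN], token[-TAG_LEN:]
    if not hmac.compare_digest(_tag(iv, ct), tag):
        raise ProtectError("invalid token")
    try:
        return unpad(cbc_decrypt(ENC_KEY, iv, ct))
    except PaddingError:
        raise ProtectError("invalid token") from None

def probe(unprotect_fn, token):
    """Defender self-test: XOR all 256 values into the byte that masks the final
    plaintext byte and tally outcome types; more than one failure type is an oracle."""
    pos = len(token) - TAG_LEN - BLOCK - 1   # last byte of the block before the final one
    tally = {}
    for delta in range(256):
        t = bytearray(token); t[pos] ^= delta
        try:
            unprotect_fn(bytes(t)); kind = "ok"
        except Exception as e:
            kind = type(e).__name__
        tally[kind] = tally.get(kind, 0) + 1
    return tally
```

Run probe(unprotect_flawed, protect(b"hello, world")) and probe(unprotect, protect(b"hello, world")) to see the difference: the flawed path exposes both MacError and PaddingError, the hardened path only ProtectError. The same self-test applies to any token format you accept: as long as failure types (or timing) reveal where verification stopped, rotating keys alone, as the episode recommends, does not close the hole, because this class of attack needs no key material; the verifier has to be fixed and the application re-released.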