SANS Stormcast Tuesday, November 18th, 2025: Binary Expression Decoding. Tea NPM Pollution; IBM AIX NIMSH Vulnerability
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)
SANS ISC Handlers
4.9 • 696 Ratings
🗓️ 18 November 2025
⏱️ 5 minutes
🧾️ Download transcript
Summary
Decoding Binary Numeric Expressions
Didier updated his number to hex script to support simple arithmetic operations in the text.
https://isc.sans.edu/diary/Decoding%20Binary%20Numeric%20Expressions/32490
Tea Token NPM Pollution
The NPM repository was hit with around 150,000 submissions that did not contain any useful contributions, but instead attempted to fake contributions to earn a new tea coin.
https://aws.amazon.com/blogs/security/amazon-inspector-detects-over-150000-malicious-packages-linked-to-token-farming-campaign/
IBM AIX NIMSH Vulnerabilities
IBM patched several critical vulnerablities in the NIMSH daemon
https://www.ibm.com/support/pages/node/7251173
Transcript
Click on a timestamp to play from that location
| 0:00.0 | Hello and welcome to the Tuesday, November 18th, 2025 edition of the Sands and then at Storm Center's Stormcast. My name is Johannes Ulrich, recording today from Jacksonville, Florida. |
| 0:18.1 | And this episode is brought to you by the sands.edu graduate certificate program in |
| 0:22.8 | penetration testing and ethical hacking. In diaries today, we got an update from Didi to his numbers |
| 0:31.1 | to hex script. The script as it existed so far, but it's just scanned input to four decimal numbers |
| 0:38.6 | and then converted them to hex. |
| 0:40.7 | This was useful to de-ovescate some scripts |
| 0:44.6 | that basically used like these sort of char functions and such |
| 0:49.0 | to decode decimal numbers into strings. |
| 0:53.6 | Well, last week we had a post by Xavier who looked at a |
| 0:59.7 | form book example that used a similar obfuscation trick, but instead of just having simple numbers, |
| 1:07.8 | well, there were some arithmetic expressions included as well in this |
| 1:12.8 | particular file. Now, Dedi updated his script in order to deal with these, as he calls them, |
| 1:18.9 | binary expressions, so they're not the binary number system instead, or base two. Instead, |
| 1:24.3 | there are just arithmetic expressions with two components, like in this |
| 1:29.7 | example, 79 plus 1 or 80 plus 7. So the new version of numbers to hex will now first resolve |
| 1:39.7 | these simple arithmetic expressions and then decode the numbers to hex. |
| 1:46.3 | And then you can feed them to additional scripts like to convert the hex into asky characters, |
| 1:52.3 | for example, in order to, as in this case, decode some PowerShell script. |
| 1:58.9 | So real handy if you have to do a lot of these decoding tasks and such to have these scripts around. |
| 2:05.8 | One story that really doesn't go away is attacks against the NPM ecosystem. |
| 2:11.3 | The latest attack is, well, at first, not really all that severe, |
| 2:15.9 | but shows yet another problem with this ecosystem. |
... |
Transcript will be available on the free plan in 3 days. Upgrade to see the full transcript now.
Disclaimer: The podcast and artwork embedded on this page are from SANS ISC Handlers, and are the property of its owner and not affiliated with or endorsed by Tapesearch.
Generated transcripts are the property of SANS ISC Handlers and are distributed freely under the Fair Use doctrine. Transcripts generated by Tapesearch are not guaranteed to be accurate.
Copyright © Tapesearch 2025.