🗓️ 3 December 2025
⏱️ 6 minutes
| 0:00.0 | Hello and welcome to the Wednesday, December 3, 2025 edition of the SANS Internet Storm Center's Stormcast. |
| 0:12.3 | My name is Johannes Ullrich, recording today from Dallas, Texas. |
| 0:16.6 | And this episode is brought to you by the SANS.edu graduate certificate program in penetration testing and ethical hacking. |
| 0:26.0 | Well, let's start with a story that kind of continues a threat that we had yesterday. |
| 0:31.6 | And this is about good applications going bad. |
| 0:36.2 | In this particular case, it's an Android TV app called |
| 0:40.4 | SmartTube that allows you to watch YouTube on Android TV sticks and boxes. Well, the problem here |
| 0:46.8 | was that apparently the developer's signature, their key, got compromised, and as a result, an attacker |
| 0:54.0 | was able to release a malicious version of the app. |
| 0:58.8 | Good side to this story is that it looks like Google's protection mechanisms have operated |
| 1:04.3 | as intended here. The way this entire incident was already discovered was that users got notifications on their |
| 1:13.4 | Android TV box that indicated that Google identified this particular application as malicious |
| 1:19.9 | and disabled it. The developer then stated that yes, that they believe that their key was compromised. Not sure if the response |
| 1:32.5 | was then exactly the right thing, but essentially what they're now going to do is that |
| 1:37.1 | they're no longer going to support the existing app. They are instead going to publish a new |
| 1:43.1 | app signed with a new key. |
| 1:46.5 | I'm not sure if they should have still released something to update the old app in order to kind of eradicate the malicious version that's out there. |
| 1:55.7 | But given that Google already identifies it as malicious, removed it from the store, that may not have been necessary, |
| 2:02.6 | and publishing a new app is probably the cleanest way to then introduce the new key that was then |
| 2:09.4 | used to sign the new app. It's not known at this point how the key was compromised, but the developer did promise additional details |
| 2:22.1 | once they conclude the investigation. Now talking about continuing stories, we do have more |
| 2:30.8 | malicious NPM modules. This was a little bit different and sadly unlike in the prior story |
... |
Disclaimer: The podcast and artwork embedded on this page are from SANS ISC Handlers, and are the property of its owner and not affiliated with or endorsed by Tapesearch.
Generated transcripts are the property of SANS ISC Handlers and are distributed freely under the Fair Use doctrine. Transcripts generated by Tapesearch are not guaranteed to be accurate.