Hello and welcome to the Wednesday, June 3, 2026 edition of the Sands Internet Storm Center's Stormcast.

My name is Johannes Ulrich, recording today from Jacksonville, Florida.

And this episode is brought you by the Sands.edu credit certificate program in cyber security

engineering. Savier today wrote about a new wave of phishing emails that contain SVG files.

SVG files typically open in the browser, and that's the intent here. The SVG file format, well, it's really meant to sort of embed images inside HTML, XML.

It's an XML format that basically contains vector graphics.

However, in this particular case, well, it doesn't actually contain any graphics.

Instead, inside of the SVG tag,

we do have good old JavaScript. So the intent here is really to use the SVG file as sort

of a vessel in order to smuggle JavaScript into an environment, hopefully not have it

inspected by any kind of content inspection,

and with that essentially to redirect the user to a fishing page.

Interesting technique and definitely very calmly used lately,

so if you want to look at the details of Xavier's analysis, take a look at the diary in the show notes.

And Google today published its June update for Android, and with that patched one vulnerability

that's apparently already being exploited, or, as Google puts it, maybe under limited targeted exploitation.

This is an elevation of privilege vulnerability in Framework.

One interesting observation here is last month in May, we only had sort of one listed

vulnerability, and this was the result of Google stating that they will no longer really explain

every single warnability they address, but only, well, those that they consider important

enough.

Now, all the vulnerabilities being listed today are critical or high, and we do have, well,

...