
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)
SANS Stormcast Tuesday, November 18th, 2025: Binary Expression Decoding; Tea NPM Pollution; IBM AIX NIMSH Vulnerability
Nov 18, 2025
Explore the fascinating world of binary expression decoding where arithmetic operations are now simplified with a new hex script. Discover the alarming NPM pollution incident, with 150,000 spammy submissions aimed at tricking the system for a new tea token. Lastly, learn about critical vulnerabilities patched in IBM AIX's NIMSH daemon, including a serious remote code execution threat. Tune in for a blend of tech insights and cybersecurity updates!
AI Snips
Resolve Arithmetic Before Hex Decoding
- Didier extended a numbers-to-hex script to resolve simple arithmetic expressions before converting to hex.
- This lets analysts decode obfuscated scripts that embed expressions like "79 plus 1" into payloads.
Formbook Example Triggered Script Update
- Xavier found a Formbook example using arithmetic expressions inside numeric obfuscation that broke simpler decoders.
- Didier adapted his script specifically to handle those real-world obfuscation variants.
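The two snips above describe resolving arithmetic inside a list of numbers before turning the numbers into hex. The sketch below is an added illustration of that idea, not Didier's script; the function names, the choice to treat "/" as integer division, and the sample input are assumptions made for this example.

```python
import ast
import operator
import re

# Operators accepted inside one obfuscated number. "/" is treated as integer
# division, an assumption that suits byte-valued payloads.
OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
       ast.Div: operator.floordiv, ast.Mod: operator.mod}

# A number, optionally followed by "<operator> <number>" repeated.
EXPR = re.compile(r"\d+(?:\s*[-+*/%]\s*\d+)*")


def fold(node):
    """Evaluate an AST that contains only integer literals and OPS."""
    if isinstance(node, ast.Constant) and type(node.value) is int:
        return node.value
    if isinstance(node, ast.BinOp) and type(node.op) in OPS:
        return OPS[type(node.op)](fold(node.left), fold(node.right))
    raise ValueError("unsupported expression")


def resolve(expr):
    """Resolve one expression such as '79+1' to an int, without eval()."""
    # Strip leading zeros ("007"), which Python's parser rejects.
    expr = re.sub(r"\b0+(?=\d)", "", expr)
    return fold(ast.parse(expr, mode="eval").body)


def numbers_to_hex(text):
    """Resolve every expression in text, then hex-encode the byte values."""
    values = [resolve(m.group()) for m in EXPR.finditer(text)]
    bad = [v for v in values if not 0 <= v <= 255]
    if bad:
        raise ValueError(f"values outside byte range: {bad}")
    return bytes(values).hex()


if __name__ == "__main__":
    # Constructed sample: an ASCII string with some characters as arithmetic.
    sample = "x = Array(79+1, 111, 120-1, 101, 57*2, 83, 100+4, 202/2, 108, 108)"
    hexed = numbers_to_hex(sample)
    print(hexed, bytes.fromhex(hexed).decode("ascii"))
```

Parsing each expression into an AST and folding only whitelisted nodes keeps the decoder from executing anything taken from the sample under analysis.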
Actively Monitor And Remove Token-Farming Packages
- Monitor package registries for mass, low-quality submissions that may game reward systems.
- Remove or block detected token-farming packages before they pollute contribution metrics.
