SANS Stormcast Wednesday, July 16th, 2025: ADS Keystroke Logger; Fake Homebrew; Broadcom Altiris RCE; Malicious Cursor AI Extensions

Keylogger Data Stored in an ADS
Xavier came across a keystroke logger that stores data in alternate data streams. The data includes keystroke logs as well as clipboard data
https://isc.sans.edu/diary/Keylogger%20Data%20Stored%20in%20an%20ADS/32108
Malvertising Homebrew
An attacker has been attempting to trick users into installing a malicious version of Homebrew. The fake software is advertised via paid Google ads and directs users to the attacker s GitHub repo.
https://medium.com/deriv-tech/brewing-trouble-dissecting-a-macos-malware-campaign-90c2c24de5dc
CVE-2025-5333: Remote Code Execution in Broadcom Altiris IRM
LRQA have discovered a critical unauthenticated remote code execution (RCE) vulnerability in the Broadcom Symantec Altiris Inventory Rule Management (IRM) component of Symantec Endpoint Management.
https://www.lrqa.com/en/cyber-labs/remote-code-execution-in-broadcom-altiris-irm/
Code highlighting with Cursor AI for $500,000
A syntax highlighting extension for Cursor AI was used to compromise a developer s workstation and steal $500,000 in cryptocurrency.
https://securelist.com/open-source-package-for-cursor-ai-turned-into-a-crypto-heist/116908/