
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)
SANS Stormcast Tuesday, November 25th, 2025: URL Mapping and Authentication; SHA1-Hulud; Hacklore
Nov 25, 2025
Conflicts between URL mapping and access control could create serious security gaps. A new destructive worm called Sha1-Hulud is wreaking havoc on NPM and GitHub, stealing credentials and even deleting home directories. Meanwhile, Hacklore.org is tackling outdated security tips, with an open letter from former CISOs addressing common myths about public Wi-Fi and password changes. This dialogue highlights the critical need for updated security advice in a rapidly evolving digital landscape.
URL Mapping Can Undermine URL-Based Auth
- URL mapping can route many different request paths to the same backend script, hiding what actually executes.
- Johannes Ullrich warns this can break URL-based authentication and open protected functions to unauthenticated access.
Real Examples Of Mapping Bypasses
- Johannes Ullrich cites examples like Oracle Identity Manager and a Hitachi server where appending files bypassed auth.
- He describes how adding require.js allowed attackers to execute commands that should have required login.
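The mismatch described in the two sections above, as an added example that is not from the podcast or from any of the products named. The routing table, handler names and sample paths are constructed: a URL-based filter treats static-looking suffixes as public, while the backend maps by path prefix, and the audit compares the two decisions.

```python
import posixpath
from urllib.parse import unquote

# Constructed routing table (hypothetical paths): the backend maps a path
# prefix to a handler and ignores any extra segments after the prefix.
ROUTES = {"/admin/run": "admin_run", "/static": "static_file"}
PROTECTED_HANDLERS = {"admin_run"}
PUBLIC_SUFFIXES = (".js", ".css", ".png")

def route(path):
    """Return the handler the backend would actually execute, or None."""
    p = posixpath.normpath(unquote(path.split("?", 1)[0]))
    for prefix in sorted(ROUTES, key=len, reverse=True):  # longest prefix wins
        if p == prefix or p.startswith(prefix + "/"):
            return ROUTES[prefix]
    return None

def weak_requires_login(path):
    """URL-based filter: anything that looks like a static file is public."""
    return not path.lower().endswith(PUBLIC_SUFFIXES)

def strict_requires_login(path):
    """Decide from the resolved handler; unknown routes are denied by default."""
    handler = route(path)
    return handler is None or handler in PROTECTED_HANDLERS

def find_gaps(paths):
    """Paths the weak filter treats as public although they reach a protected handler."""
    return [p for p in paths
            if route(p) in PROTECTED_HANDLERS and not weak_requires_login(p)]

# Constructed sample requests
SAMPLE = ["/admin/run", "/admin/run/require.js", "/static/require.js", "/nope"]

if __name__ == "__main__":
    for p in SAMPLE:
        print(f"{p:24} handler={route(p)!s:12} weak_login={weak_requires_login(p)} "
              f"strict_login={strict_requires_login(p)}")
    print("gaps:", find_gaps(SAMPLE))
```

Running `find_gaps` over a list of paths taken from access logs or a route inventory flags every request where the access-control layer and the URL mapper disagree.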
Protect Repo Credentials Aggressively
- Monitor and protect build-system credentials and repository tokens to prevent automated spread.
- Johannes Ullrich highlights that Sha1-Hulud copies itself via stolen GitHub/NPM credentials and can delete home directories when creds are absent.
