SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

SANS Stormcast Thursday, October 9th, 2025: Polymorphic Python; ssh ProxyCommand Vuln;

Oct 9, 2025
Explore the world of self-modifying Python malware that eludes detection! Discover how a vulnerability in SSH's ProxyCommand could allow execution of arbitrary code when cloning Git repositories. Learn about the potential risks of this exploit and the necessary precautions to take. Additionally, uncover a concerning remote code execution vulnerability in Framelink's MCP server. Stay informed on the latest in cybersecurity risks and defenses!
AI Snips
INSIGHT

Self-Modifying Python Evades Detection

  • Polymorphic Python malware can modify its own code at runtime to evade detection.
  • The sample used `inspect` and `exec` to re-inject its decoded code together with random junk code, so few antivirus engines detected it.
ANECDOTE

VirusTotal Discovery Of A Polymorphic RAT

  • Xavier found a polymorphic Python remote access tool on VirusTotal that rewrites functions at runtime.
  • The RAT included keystroke logging, file exfiltration, and other typical remote access features.
INSIGHT

SSH ProxyCommand Can Be Triggered Via Git

  • SSH's ProxyCommand accepts an arbitrary command line and can be abused if untrusted data reaches it.
  • A crafted Git submodule URL can carry control characters that reach ProxyCommand and trigger command execution during a clone.
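As an added defender-side example (not from the episode or from the SANS handlers), here is a Python pre-clone check that parses a `.gitmodules` file and flags submodule URLs carrying raw or percent-encoded control characters, plus values that were split across lines; it also flags usernames beginning with `-`, a related check the episode does not discuss. The sample `.gitmodules` text and the `x.test` hostnames are constructed.

```python
import re
from urllib.parse import urlsplit

SECTION_RE = re.compile(r'^\[submodule\s+"([^"]*)"\]$')
KV_RE = re.compile(r'^(\w+)\s*=\s*(.*)$')
SCP_USER_RE = re.compile(r'^([^/@:]+)@[^/:]+:')  # scp-like user@host:path form
# raw C0/DEL bytes, or %00-%1F / %7F, which git may percent-decode before calling ssh
CTRL_RE = re.compile(r'[\x00-\x1f\x7f]|%(?:[01][0-9a-fA-F]|7[fF])')


def url_findings(url: str) -> list[str]:
    """Reasons a submodule URL should be reviewed before git hands it to ssh."""
    reasons = []
    if CTRL_RE.search(url):
        reasons.append("raw or percent-encoded control character in URL")
    try:
        user = urlsplit(url).username  # urlsplit silently drops \t\r\n, hence CTRL_RE first
    except ValueError:  # e.g. unbalanced IPv6 brackets: report it rather than crash
        return reasons + ["URL does not parse"]
    if user is None and (scp := SCP_USER_RE.match(url)):
        user = scp.group(1)
    if user and user.startswith("-"):
        reasons.append("username starts with '-' (could be taken as an option)")
    return reasons


def parse_gitmodules(text: str) -> tuple[list[tuple[str, str]], list[str]]:
    # Returns (submodule name, url) pairs plus lines that did not parse,
    # e.g. the tail of a value that was cut by an embedded newline.
    entries, stray, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if sec := SECTION_RE.match(line):
            current = sec.group(1)
        elif (kv := KV_RE.match(line)) and current is not None:
            if kv.group(1) == "url":
                entries.append((current, kv.group(2).strip()))
        elif line and line[0] not in "#;":
            stray.append(raw)
    return entries, stray


def check_gitmodules(text: str) -> dict[str, list[str]]:
    # Maps each suspicious submodule (or '<unparsed>') to its findings; {} means clean.
    entries, stray = parse_gitmodules(text)
    findings = {name: r for name, url in entries if (r := url_findings(url))}
    if stray:
        findings["<unparsed>"] = [f"unparseable line: {s!r}" for s in stray]
    return findings


SAMPLE_GITMODULES = (  # constructed sample, not from the episode: one clean entry, three suspicious
    '[submodule "clean"]\n\turl = https://x.test/clean.git\n'
    '[submodule "encoded"]\n\turl = ssh://git%0Aextra@x.test/encoded.git\n'
    '[submodule "dashuser"]\n\turl = -dashuser@x.test:dashuser.git\n'
    '[submodule "split"]\n\turl = ssh://git@x.test/split.git\ntrailing text\n'
)
```

Running `check_gitmodules` on the sample reports the `encoded`, `dashuser` and `<unparsed>` entries and stays silent on `clean`; a CI gate can refuse to run `git submodule update` whenever the result is non-empty.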