SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

SANS Stormcast Wednesday, December 3rd, 2025: SmartTube Compromise; NPM Malware Prompt Injection Attempt; Angular XSS Vulnerability

Dec 3, 2025
The compromise of the SmartTube Android app reveals how a developer's key was exploited, leading to the release of a malicious version. In another intriguing discussion, a rogue NPM package cleverly disguised itself through prompt injection to avoid detection, exfiltrating sensitive data for two years. Additionally, Angular addressed a critical stored XSS vulnerability linked to SVG and MathML, highlighting ongoing security challenges in web applications. Tune in for insights on the evolving landscape of cyber threats!
ANECDOTE

App Signing Key Compromise Led To Malicious Update

  • Johannes Ullrich described SmartTube's developer key being compromised, letting an attacker publish a malicious Android TV app update.
  • The developer chose to publish a new app signed with a new key instead of updating the old app to remove the malicious version.
ADVICE

Publish A New App When Keys Are Compromised

  • Remove compromised builds and consider publishing a fresh app signed with a new key to restore trust and clean installs.
  • Verify distribution protections like Google's and communicate investigation results once completed.
INSIGHT

Prompt Injection Is Being Weaponized Against Scanners

  • Attackers are experimenting with prompt-injection strings inside packages to try to confuse AI-powered scanners.
  • Signature-based detection still dominates, so injection tricks are unnecessary and often counterproductive.