Hello and welcome to the Tuesday, November 18th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu Graduate Certificate Program in Penetration Testing and Ethical Hacking.

In Diaries today we got an update from Didier to his numbers-to-hex script. The script as it existed so far just scanned input for decimal numbers and then converted them to hex. This was useful to de-obfuscate some scripts that basically use these sort of char functions and such to decode decimal numbers into strings. Well, last week we had a post by Xavier who looked at a Formbook example that used a similar obfuscation trick. But instead of just having simple numbers, well, there were some arithmetic expressions included as well in this particular file. Now, Didier updated his script in order to deal with these, as he calls them, binary expressions. So that's not the binary number system, or base two. Instead, they are just arithmetic expressions with two components, like in this example, 79 plus one or 80 plus seven. So the new version of numbers-to-hex will now first resolve these simple arithmetic expressions and then decode the numbers to hex. And then you can feed them to additional scripts, like to convert the hex into ASCII characters, for example, in order to, as in this case, decode some PowerShell script. So real handy, if you have to do a lot of these decoding tasks and such, to have these scripts around.

One story that really doesn't go away is attacks against the NPM ecosystem. The latest attack is, well, at first not really all that severe, but shows yet another problem with this ecosystem. And that's that Amazon found 150,000 packages being published to NPM with pretty much no functionality. Now, these were not malicious in the sense that they contained malware or stole credentials like some of the packages we had in the past. Instead, they really just tried to mine a new cryptocurrency, tea. The idea behind this tea token is at first kind of neat in the sense that it tries to reward people for open source contributions. But apparently they are not actually checking the quality of these contributions. So what the attacker tried to do here, by publishing 150,000 packages with their tea token information as part of these packages, was basically to get credit for all of these contributions. But actually, all they did was cause harm and pollute the NPM ecosystem even more than it is now. And Amazon, with its Inspector tool, was luckily able to identify some of these packages and have them removed.

And then we got a number of critical vulnerabilities for IBM AIX users. These vulnerabilities affect NIMSH, the Network Installation Manager. And this particular tool has had vulnerabilities like this in the past. But one of the vulnerabilities here does reach up to a perfect CVSS score of 10. And some of the others are also like in the nines, with essentially arbitrary remote code execution capabilities. NIMSH, or NIM, is really meant sort of for remote code execution. It's supposed to be a little bit better replacement for RSH. It does offer TLS, but it's not really replacing SSH. That's probably what should really be used here. But it's sort of part of that IBM AIX ecosystem. And as such, pretty popular and often exposed, usually on ports 3901 and 3902.

Well, and that's it for today. Thanks for listening. Thanks for liking. Thanks for subscribing. And talk to you again tomorrow. Bye.
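The decoding pipeline described in the first story (resolve two-operand arithmetic expressions, convert the numbers to hex, then turn the hex into ASCII), as an added example that is not Didier's numbers-to-hex script and not code from the diary. It is a simplified reimplementation of the idea in Python: the regular expression, the function names, and the obfuscated sample line are all constructed for this illustration; the sample mimics the PowerShell [char](N) idiom but is not taken from the Formbook file Xavier analysed.

```python
import re

# One decimal number, optionally followed by a single operator and a second
# number: the two-operand "binary expressions" (79+1, 80 + 7, 2*57) that the
# obfuscated script uses in place of plain numbers. Assumption: only + - *
# occur; anything else is left untouched rather than evaluated.
TOKEN_RE = re.compile(r"\b(\d+)(?:\s*([+\-*])\s*(\d+))?\b")


def _value(m: re.Match) -> int:
    """Evaluate one matched token without eval(): only + - * are accepted."""
    left = int(m.group(1))
    op = m.group(2)
    if op is None:          # plain number, nothing to resolve
        return left
    right = int(m.group(3))
    if op == "+":
        return left + right
    if op == "-":
        return left - right
    return left * right


def resolve_expressions(text: str) -> str:
    """Step 1: replace every two-operand expression with its integer value."""
    return TOKEN_RE.sub(lambda m: str(_value(m)), text)


def numbers_to_hex(text: str) -> list[str]:
    """Step 2: extract every decimal number (after resolving) as 2-digit hex."""
    resolved = resolve_expressions(text)
    return [f"{int(n):02x}" for n in re.findall(r"\b\d+\b", resolved)]


def hex_to_ascii(hex_values: list[str]) -> str:
    """Step 3: turn the hex bytes into text; non-printable values become '.'."""
    out = []
    for h in hex_values:
        v = int(h, 16)
        out.append(chr(v) if 32 <= v < 127 else ".")
    return "".join(out)


def decode(text: str) -> str:
    """Full pipeline: expressions -> numbers -> hex -> ASCII."""
    return hex_to_ascii(numbers_to_hex(text))


# Constructed sample line in the [char](N) style; it spells out "Power".
SAMPLE = "$s = [char](79+1) + [char]111 + [char](120 - 1) + [char](100+1) + [char](2*57)"

if __name__ == "__main__":
    print(resolve_expressions(SAMPLE))   # expressions replaced by their values
    print(numbers_to_hex(SAMPLE))        # ['50', '6f', '77', '65', '72']
    print(decode(SAMPLE))                # Power
```

The evaluator deliberately avoids eval(): the input is attacker-controlled text, so the three operators are handled by hand and any other construct is simply left in place. Numbers outside the printable ASCII range come out as '.', which keeps the output readable when the script mixes character codes with unrelated integers.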