Author: anonymousmedia_tal70o

  • Trump Administration Orders Restart of Pipeline Tied to Major California Oil Spill



    Environmental groups warn using the Defense Production Act to revive the system sets a “radically dangerous precedent.”


    State leaders and environmental advocates responded with outrage after the Trump administration on Friday ordered the restarting of a California pipeline that caused one of the largest oil spills in the state’s history, a move that comes as oil prices have skyrocketed following President Donald Trump’s launching of an illegal war against Iran and Iran’s subsequent closure of the Strait of Hormuz.

    After Trump issued an executive order on Friday authorizing the Department of Energy (DOE) to ramp up oil and gas development under the Defense Production Act, Energy Secretary Chris Wright ordered Sable Offshore Corp. to restart operations on the Santa Ynez Unit and Pipeline System, which include an offshore rig and a network of offshore and onshore pipelines along the Santa Barbara coast. Among them is a pipeline that ruptured in 2015, spilling around 450,000 gallons of oil into Refugio State Beach and killing hundreds of marine mammals and sea birds.

    “Californians have repeatedly rejected dangerous drilling off our coast for decades,” Sen. Alex Padilla (D-Calif.) said in a statement on Saturday. “Now, after dragging the U.S. into a war with Iran and driving up oil prices, the Trump administration is trying to exploit this crisis to further enrich the oil industry at the expense of our communities and our environment.”

    In his statement, Wright emphasized the defense benefits of resuming drilling, arguing that “today’s order will strengthen America’s oil supply and restore a pipeline system vital to our national security and defense, ensuring that West Coast military installations have the reliable energy critical to military readiness.”

    The DOE added that “Sable’s facility can produce approximately 50,000 barrels of oil per day, a 15% increase to California’s in-state oil production, that can replace nearly 1.5 million barrels of foreign crude each month.”

    Yet, far from a novel response to an unexpected emergency, the order is actually an escalation in a preexisting battle between California and the Trump administration over the future of the pipeline system. The state’s Attorney General Rob Bonta sued to stop the administration from a federal takeover of two of the pipelines in January.

    Sable also faces several lawsuits due to its attempts to restart the system after it purchased it from ExxonMobil in 2024, and has not yet cleared all of the state permitting requirements, according to the Center for Biological Diversity.

    “In its latest brazen abuse of power, the Trump administration is attempting to seize exclusive federal control over two of California’s onshore pipelines,” Bonta said on social media Friday evening. “We will not stand by as this administration continues their unlawful all-out assault on California and our coastlines, and we are reviewing all of our legal options.”

    California Gov. Gavin Newsom also spoke out against Wright’s announcement.

    “Trump knew his war with Iran would raise gas prices,” he wrote on social media. “Now he wants to illegally resurrect a pipeline shut down by courts and facing criminal charges. And it won’t even cut prices. I refuse to let Trump sacrifice Californians, our environment, or our $51 billion coastal economy.”

    The Center for Biological Diversity noted that this order would mark the first time the Defense Production Act has been used to force an oil company to restart out-of-use infrastructure and to disregard the state permitting process.

    “This is a revolting power grab by an extremist president. Trump is misusing this Cold War-era law just to help a Texas oil company skirt vital state laws that protect our coastline, and Californians will pay the price,” Talia Nimmer, an attorney for the center, said. “Mandating a restart of these defective oil pipelines won’t curb high gas prices, but it will put coastal wildlife at huge risk of another oil spill. Overriding state law to let an oil company restart pipelines sets a radically dangerous precedent. It’s clear that no state is safe from Trump.”

    The center also promised to push back against the order.

    “Directing a private oil company to push its project through without safety checks and adherence to California laws that keep our coast safe is appalling and illegal,” Nimmer said. “We’re exploring all legal avenues. This dangerous action should be swiftly blocked by the courts.”







  • When your IoT Device Logs in as Admin, It's too Late! [Guest Diary]



    [This is a Guest Diary by Adam Thorman, an ISC intern as part of the SANS.edu BACS program [1]]

    Introduction

    Have you ever installed a new device on your home or company router? Even when setup instructions are straightforward, end users often skip the step that matters most: changing default credentials. The excitement of deploying a new device frequently outweighs the discipline of securing it.

    This diary opens with a short real-world story and then walks through my own internship observations, from overseeing a honeypot and from a vulnerability assessment, that demonstrate just how quickly default credentials are discovered and abused.

    Default Credentials in a Real-World Example

    Default usernames and passwords remain the most exploited attack vector for Internet of Things (IoT) devices. Whether installation is performed by an end user or a contracted vendor, organizations must have a defined process to ensure credentials are changed immediately. Without that process, compromise is often a matter of when, not if.

    During a routine vulnerability assessment at work, I identified multiple IP addresses that were accessible using default credentials. These IPs belonged to a newly installed security system monitoring sensitive material. The situation was worse than expected:

    • The system was not placed on the proper VLAN
    • Basic end user machines could reach it
    • The username “root” was left unchanged, and the password “password” had merely been changed to “admin”

    This configuration was still trivial to guess and exploit, regardless of whether access was internal or external. In practice it was guessed and accessed about as easily as Figure 1 suggests.



    Figure 1 – Meme of Easily Bypassed Security Controls

    What the Logs Showed

    To better understand how common this issue is, I analyzed SSH and Telnet traffic across an eight-day period (January 18–25) and compared it with more recent data. This ties into the story above: many devices are kept with their default settings, or with trivial variations of them. These graphs were pulled from the Internet Storm Center (ISC) My SSH Reports page [2], while the comparison was generated with the ChatGPT tool [3].

    [Figures: top usernames and passwords from My SSH Reports as of January 27th, 2026 and February 17th, 2026, and a comparison of the two]

    Across both datasets:

    • The username “root” remained dominant at ~39%
    • The password “123456” increased from 15% to 27%
    • These combinations strongly resembled automated botnet scanning behavior

    This aligns with publicly known credential lists that attackers use for large scale reconnaissance.

    Successful Connections

    During the analysis window, I observed:

    • 44,269 failed connection attempts
    • 1,286 successful logins
    • A success rate of roughly 2.8% (1,286 of 45,555 total attempts)

    That percentage may appear low, but it still amounts to well over a thousand compromised sessions.

    To perform this analysis, I parsed Cowrie JSON logs using jq, converted them to CSV files, and consolidated them into a single spreadsheet.

    From the 1,286 successful connections:

    • 621 used the username root
    • 154 used admin as the password
    • 406 shared the same HASSH fingerprint 2ec37a7cc8daf20b10e1ad6221061ca5
    • 47 sessions matched all three indicators

    The matched session to that hash is shown in APPENDIX A.
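    The breakdown above can be reproduced directly from Cowrie's JSON output without the spreadsheet step. The following is an added example, not code from the diary or from Cowrie: it parses JSON lines, counts failed and successful logins, lists the top usernames and passwords, attaches each session's HASSH (taken from that session's cowrie.client.kex event) to its successful logins, and then counts the sessions that match all three indicators. The log lines are constructed for the example, the HASSH value is the one quoted in the diary, and the Cowrie field names used (eventid, session, username, password, hassh) are an assumption about the log format.

```python
import json
from collections import Counter

# HASSH fingerprint quoted in the diary as the most common one among successful logins.
TARGET_HASSH = "2ec37a7cc8daf20b10e1ad6221061ca5"

# Constructed Cowrie-style JSON lines (one event per line); not real honeypot data.
# Field names follow Cowrie's JSON output as far as I know it (assumption).
SAMPLE_LOG = """
{"eventid": "cowrie.client.kex", "session": "s1", "hassh": "2ec37a7cc8daf20b10e1ad6221061ca5"}
{"eventid": "cowrie.login.failed", "session": "s1", "username": "root", "password": "123456"}
{"eventid": "cowrie.login.success", "session": "s1", "username": "root", "password": "admin"}
{"eventid": "cowrie.client.kex", "session": "s2", "hassh": "2ec37a7cc8daf20b10e1ad6221061ca5"}
{"eventid": "cowrie.login.failed", "session": "s2", "username": "admin", "password": "admin"}
{"eventid": "cowrie.login.failed", "session": "s2", "username": "root", "password": "123456"}
{"eventid": "cowrie.login.success", "session": "s2", "username": "root", "password": "password"}
{"eventid": "cowrie.client.kex", "session": "s3", "hassh": "0f1e2d3c4b5a69788796a5b4c3d2e1f0"}
{"eventid": "cowrie.login.success", "session": "s3", "username": "root", "password": "admin"}
{"eventid": "cowrie.client.kex", "session": "s4", "hassh": "2ec37a7cc8daf20b10e1ad6221061ca5"}
{"eventid": "cowrie.login.failed", "session": "s4", "username": "root", "password": "123456"}
{"eventid": "cowrie.login.failed", "session": "s4", "username": "root", "password": "root"}
{"eventid": "cowrie.login.failed", "session": "s4", "username": "root", "password": "toor"}
this line is not JSON and is skipped by the parser
{"eventid": "cowrie.login.success", "session": "s5", "username": "admin", "password": "admin"}
"""


def parse_cowrie(text):
    """Yield one event dict per JSON line, skipping blank or malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def summarise(text):
    """Count login outcomes and top credentials, and attach each session's HASSH
    (from its cowrie.client.kex event) to that session's successful logins."""
    failed = success = 0
    usernames, passwords = Counter(), Counter()
    session_hassh = {}
    successes = []
    for ev in parse_cowrie(text):
        eid = ev.get("eventid", "")
        if eid == "cowrie.client.kex" and "hassh" in ev:
            session_hassh[ev["session"]] = ev["hassh"]
        elif eid in ("cowrie.login.failed", "cowrie.login.success"):
            usernames[ev.get("username")] += 1
            passwords[ev.get("password")] += 1
            if eid == "cowrie.login.failed":
                failed += 1
            else:
                success += 1
                successes.append(dict(ev))
    # HASSH is keyed by session; a session with no kex event (e.g. Telnet) gets None.
    for ev in successes:
        ev["hassh"] = session_hassh.get(ev.get("session"))
    total = failed + success
    return {
        "failed": failed,
        "success": success,
        "success_rate": success / total if total else 0.0,
        "top_usernames": usernames.most_common(3),
        "top_passwords": passwords.most_common(3),
        "successes": successes,
    }


def indicator_counts(successes, username="root", password="admin", hassh=TARGET_HASSH):
    """The diary's breakdown of successful logins: how many used the username,
    the password, the fingerprint, and which sessions matched all three."""
    by_user = [e for e in successes if e.get("username") == username]
    by_pass = [e for e in successes if e.get("password") == password]
    by_hassh = [e for e in successes if e.get("hassh") == hassh]
    all_three = sorted({e["session"] for e in successes
                        if e.get("username") == username
                        and e.get("password") == password
                        and e.get("hassh") == hassh})
    return {"username": len(by_user), "password": len(by_pass),
            "hassh": len(by_hassh), "all_three_sessions": all_three}


if __name__ == "__main__":
    stats = summarise(SAMPLE_LOG)
    print(f"failed={stats['failed']} success={stats['success']} "
          f"rate={stats['success_rate']:.1%}")
    print("top usernames:", stats["top_usernames"])
    print("top passwords:", stats["top_passwords"])
    print("indicators:", indicator_counts(stats["successes"]))
```

    Note that the success rate is computed over all login events, failed plus successful, and that a session's HASSH is only known once its key exchange has been logged, so the join has to be done per session rather than per login event.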

    What Attackers Did After Logging In

    Four session IDs stood out during review of the full report:

    1. eee64da853a9

    2. f62aa78aca0b

    3. 308d24ec1d36

    4. f0bc9f078bdd

    Sessions 1 and 4 focused on reconnaissance, executing commands to gather system details such as CPU, uptime, architecture, and GPU information.

    With the help of ChatGPT [3], I compared each session and the commands the attacker attempted to use. Sessions 1 and 4 both performed reconnaissance and both came from the topmost HASSH fingerprint; they ran the same commands, only at different timestamps. Refer to APPENDIX B for the command output of Sessions 1 and 4.

    Sessions 2 and 3 demonstrated more advanced behavior:

    • SSH key persistence
    • Credential manipulation
    • Attempts to modify account passwords

    Session 308d24ec1d36 ranked as the most severe because of its attempted password changes and persistence mechanisms, which on a real system could have resulted in long-term control. Refer to APPENDIX C for the command output of Sessions 2 and 3.
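    Ranking sessions by what the attacker typed is the step that separates routine scanners from operators trying to keep access. The example below is added here and is not code from the diary: it reads cowrie.command.input events, splits each input on shell operators, classifies the pieces into reconnaissance, SSH-key persistence and credential change using a small rule table, and scores each session once per category, so a single password change outranks any amount of uname and uptime. The session IDs, commands, rule patterns and weights are all constructed for the example; the cowrie.command.input event name and its input field are an assumption about the log format.

```python
import json
import re
from collections import defaultdict

# Rule table: (category, pattern applied to each command segment, weight).
# Categories and weights are my own choice for this example, not from the diary.
RULES = [
    ("recon",
     re.compile(r"^(uname|uptime|nproc|lscpu|lspci|free|id|whoami|w|"
                r"cat /proc/(cpuinfo|meminfo|version)|cat /etc/passwd)\b"), 1),
    ("ssh_key_persistence", re.compile(r"authorized_keys"), 5),
    ("credential_change", re.compile(r"^(passwd|chpasswd|usermod\s+-p)\b"), 7),
]

# Shell operators on which one input line is split into separate commands,
# so that "echo ... | chpasswd" is judged on "chpasswd" and not on "echo".
SPLIT_RE = re.compile(r"\s*(?:;|&&|\|\||\|)\s*")

# Constructed cowrie.command.input events; session IDs and commands are made up.
SAMPLE_LOG = """
{"eventid": "cowrie.command.input", "session": "a1", "input": "uname -a"}
{"eventid": "cowrie.command.input", "session": "a1", "input": "cat /proc/cpuinfo | grep name | head -n 1"}
{"eventid": "cowrie.command.input", "session": "a1", "input": "uptime"}
{"eventid": "cowrie.command.input", "session": "a1", "input": "lspci | grep -i vga"}
{"eventid": "cowrie.command.input", "session": "b2", "input": "uname -a; nproc"}
{"eventid": "cowrie.command.input", "session": "b2", "input": "mkdir -p ~/.ssh && echo 'ssh-ed25519 AAAAC3 attacker' >> ~/.ssh/authorized_keys"}
{"eventid": "cowrie.command.input", "session": "b2", "input": "chmod 600 ~/.ssh/authorized_keys"}
{"eventid": "cowrie.command.input", "session": "c3", "input": "echo 'root:Hunter2!' | chpasswd"}
{"eventid": "cowrie.command.input", "session": "c3", "input": "passwd root"}
{"eventid": "cowrie.command.input", "session": "c3", "input": "echo 'ssh-rsa AAAAB3 x' >> /root/.ssh/authorized_keys"}
{"eventid": "cowrie.login.success", "session": "d4", "username": "root", "password": "admin"}
{"eventid": "cowrie.command.input", "session": "d4", "input": "uname -a"}
{"eventid": "cowrie.command.input", "session": "d4", "input": "cat /etc/passwd"}
"""


def classify_commands(text):
    """Return {session: {"categories": set, "score": int, "commands": [...]}}
    built from the cowrie.command.input events in the log text."""
    sessions = defaultdict(lambda: {"categories": set(), "score": 0, "commands": []})
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if ev.get("eventid") != "cowrie.command.input":
            continue
        entry = sessions[ev["session"]]
        entry["commands"].append(ev["input"])
        for segment in SPLIT_RE.split(ev["input"]):
            for category, pattern, _weight in RULES:
                if pattern.search(segment):
                    entry["categories"].add(category)
    # Score once per category present, so a long recon loop does not outrank
    # a single password change.
    weights = {cat: w for cat, _p, w in RULES}
    for entry in sessions.values():
        entry["score"] = sum(weights[c] for c in entry["categories"])
    return dict(sessions)


def rank_sessions(classified):
    """Most severe first; ties broken by session id so output is stable."""
    return sorted(classified, key=lambda s: (-classified[s]["score"], s))


if __name__ == "__main__":
    result = classify_commands(SAMPLE_LOG)
    for sid in rank_sessions(result):
        print(sid, result[sid]["score"], sorted(result[sid]["categories"]))
```

    The anchored patterns matter: "cat /etc/passwd" is reconnaissance, not a credential change, and only a segment that starts with passwd or chpasswd counts as one. Extending the table is a matter of adding a row, for example for wget or curl fetches of a second stage.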

    Failed Attempts Tell a Bigger Story

    Failed authentication attempts revealed even more.

    One digital fingerprint alone accounted for 18,846 failed attempts, strongly suggesting botnet driven scanning activity.

    On January 19, 2026, there were 14,057 failed attempts in a single day — a significant spike compared to surrounding dates.

    From a Security Operations Center (SOC) analyst’s perspective, this level of activity represents a serious exposure risk.  It could mean a botnet scanning campaign like the one observed by GreyNoise in late August 2025 [4]. 
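    Two findings above, one fingerprint behind most failures and one day far above the rest, are exactly what a SOC would want computed automatically from the consolidated spreadsheet rather than read off a chart. The example below is added here and is not code from the diary: it reads rows in the shape of a Cowrie CSV export, buckets failed logins by day, flags days that reach a multiple of the median daily count, reports each fingerprint's share of failures, and names the fingerprint that dominates the spike day. The CSV rows, the second fingerprint value and the 3x-median threshold are constructed for the example; the column names are an assumption about the export format.

```python
import csv
import io
import statistics
from collections import Counter

# HASSH from the diary; the second fingerprint in the rows below is made up.
BOT_HASSH = "2ec37a7cc8daf20b10e1ad6221061ca5"

# Constructed rows in the shape of a consolidated Cowrie CSV export; not real data.
CSV_DATA = """timestamp,session,eventid,username,password,hassh
2026-01-18T02:10:05Z,s01,cowrie.login.failed,root,123456,2ec37a7cc8daf20b10e1ad6221061ca5
2026-01-18T14:22:41Z,s02,cowrie.login.failed,admin,admin,9b8c7d6e5f4a3b2c1d0e9f8a7b6c5d4e
2026-01-19T00:03:12Z,s03,cowrie.login.failed,root,123456,2ec37a7cc8daf20b10e1ad6221061ca5
2026-01-19T00:03:15Z,s03,cowrie.login.failed,root,root,2ec37a7cc8daf20b10e1ad6221061ca5
2026-01-19T00:03:18Z,s03,cowrie.login.failed,root,toor,2ec37a7cc8daf20b10e1ad6221061ca5
2026-01-19T05:41:09Z,s04,cowrie.login.failed,root,admin,2ec37a7cc8daf20b10e1ad6221061ca5
2026-01-19T05:41:11Z,s04,cowrie.login.failed,root,password,2ec37a7cc8daf20b10e1ad6221061ca5
2026-01-19T11:18:27Z,s05,cowrie.login.failed,pi,raspberry,9b8c7d6e5f4a3b2c1d0e9f8a7b6c5d4e
2026-01-19T11:18:30Z,s05,cowrie.login.success,pi,raspberry,9b8c7d6e5f4a3b2c1d0e9f8a7b6c5d4e
2026-01-19T19:55:02Z,s06,cowrie.login.failed,ubnt,ubnt,9b8c7d6e5f4a3b2c1d0e9f8a7b6c5d4e
2026-01-20T08:00:44Z,s07,cowrie.login.failed,root,123456,2ec37a7cc8daf20b10e1ad6221061ca5
2026-01-20T21:37:19Z,s08,cowrie.login.failed,admin,1234,9b8c7d6e5f4a3b2c1d0e9f8a7b6c5d4e
2026-01-21T03:12:58Z,s09,cowrie.login.failed,user,user,9b8c7d6e5f4a3b2c1d0e9f8a7b6c5d4e
2026-01-22T06:45:33Z,s10,cowrie.login.failed,root,123456,2ec37a7cc8daf20b10e1ad6221061ca5
2026-01-22T17:09:50Z,s11,cowrie.login.failed,admin,admin,9b8c7d6e5f4a3b2c1d0e9f8a7b6c5d4e
"""


def load_failed(csv_text):
    """Keep only failed-login rows from the export."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [r for r in rows if r["eventid"] == "cowrie.login.failed"]


def daily_counts(rows):
    """{YYYY-MM-DD: failed attempts that day}, in date order."""
    counts = Counter(r["timestamp"][:10] for r in rows)
    return dict(sorted(counts.items()))


def spike_days(counts, factor=3.0):
    """Days whose count is at least `factor` times the median daily count.
    With fewer than three days there is no baseline to compare against."""
    if len(counts) < 3:
        return []
    median = statistics.median(counts.values())
    return [(day, n, median) for day, n in counts.items()
            if median and n >= factor * median]


def fingerprint_share(rows):
    """{hassh: (count, fraction of all failures)}, most common first."""
    total = len(rows)
    counts = Counter(r["hassh"] for r in rows)
    return {h: (n, n / total) for h, n in counts.most_common()}


def top_fingerprint_on(rows, day):
    """The fingerprint with the most failures on one day, as (hassh, count)."""
    c = Counter(r["hassh"] for r in rows if r["timestamp"].startswith(day))
    return c.most_common(1)[0] if c else (None, 0)


if __name__ == "__main__":
    rows = load_failed(CSV_DATA)
    counts = daily_counts(rows)
    print("per day:", counts)
    for day, n, median in spike_days(counts):
        print(f"spike on {day}: {n} failures (median {median}), "
              f"top fingerprint {top_fingerprint_on(rows, day)}")
    print("share by fingerprint:", fingerprint_share(rows))
```

    A median baseline is deliberately robust to the spike itself, which a mean is not; with the diary's eight days and a single 14k outlier, a mean-based threshold would be dragged up by the very day you are trying to detect.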

    Below is a visual of the top usernames, passwords, and hashes across the analyzed timeframe.



    Figure 2 – Top Usernames, Passwords, and Digital Fingerprints

    For comparison, no other day in the window reached even half of that 14k; Figure 3 below shows the spread.



    Figure 3 – Failed Connection Attempts Over Time

    Best Practices to Follow Towards Resolving Default Credentials

    The SANS Cybersecurity Policy Template for Password Construction Standard states that it “applies to all passwords including but not limited to user-level accounts, system-level accounts, web accounts, e-mail accounts, screen saver protection, voicemail, and local router logins.” More specifically, the document also states that “strong passwords that are long, the more characters a password has the stronger it is,” and recommends “a minimum of 16 characters in all work-related passwords” [6].

    Establish a policy that the default password of every IoT device is changed immediately upon installation; a network printer shipped with factory usernames and passwords is a typical example [7].

    Practical Experience Without the Real-World Disaster

    Having access to a controlled sandbox environment, such as a honeypot lab, provides valuable hands-on experience for cybersecurity practitioners.

    Sometimes you need to watch the real-world disaster play out in a controlled environment, ripple effects included, before you know how to deal with it.

    Why Might this Apply to you?

    MITRE ATT&CK explicitly documents adversary use of manufacturer-set default credentials on control systems [8], and stresses that such credentials must be changed as soon as possible.

    This isn’t just an enterprise issue. The same risks apply to:

    • Home routers
    • Networked cameras
    • Printers
    • NAS devices

    For hiring managers, even job postings that disclose specific infrastructure details can unintentionally assist attackers searching for default credentials.

    Ultimately, it’s important to deliberately implement data security measures to protect yourself from data breaches at your home or workplace. 

    Who Can Gain Valuable Insight on this Information?

    Anyone with an internet presence or digital fingerprint. More specifically, organization leadership and management, when it comes to training your workforce and training your replacements.

    A client-tech department, where a team is dedicated to testing the software and devices on the network, including validating their versions through a patch management tool or reference library so that outdated versions are known. Routine “unauthorized” or “prohibited” software reports are an absolute must-have in your workplace.

    System administrators and SOC analysts are essential not just to know this, but to maintain it. Cybersecurity students and professionals, such as red and blue teams [5], will also gain significant value from this information.

    Moving Forward Even with Good Defense

    Defense in depth remains critical:

    • Strong, unique credentials
    • Multi factor authentication where possible [7]
    • Device fingerprinting
    • Continuous monitoring

    SANS also encourages the use of passphrases, passwords made up of multiple words [6].

    A common saying in Cybersecurity is, “the more secure the data is, the less convenient the data is—the less secure, the more convenient.” 

    Organizations should also maintain a Business Impact Analysis (BIA) within their cybersecurity program. Even with strong defensive measures, organizations must assume that some security controls may eventually fail. A Business Impact Analysis (BIA) helps organizations prioritize which assets require the strongest protection by identifying critical, operational dependencies, and acceptable downtime thresholds.

    Tying it all together: combined with a defense-in-depth strategy, the BIA ensures that the most important systems receive multiple layers of protection, such as network segmentation, strong authentication controls, continuous monitoring, and incident response planning. Without this structured approach, organizations may struggle to recover from a compromise or to minimize operational disruption.



    Figure 4 – Examples of Enterprise Business Asset Types [9]

    Appendix A – Log Sample

    [1] https://www.sans.edu/cyber-security-programs/bachelors-degree/ 

    [2] https://isc.sans.edu/mysshreports/

    [3] https://chatgpt.com/

    [4] https://eclypsium.com/blog/cisco-asa-scanning-surge-cyberattack/

    [5] https://www.techtarget.com/searchsecurity/tip/Red-team-vs-blue-team-vs-purple-team-Whats-the-difference

    [6] https://www.sans.org/information-security-policy/password-construction-standard

    [7] https://owasp.org/www-project-top-10-infrastructure-security-risks/docs/2024/ISR07_2024-Insecure_Authentication_Methods_and_Default_Credentials

    [8] https://attack.mitre.org/techniques/T0812/

    [9] https://csrc.nist.gov/pubs/ir/8286/d/upd1/final (PDF: Using Business Impact Analysis to Inform Risk Prioritization)

    ———–

    Guy Bruneau IPSS Inc.

    My GitHub Page

    Twitter: GuyBruneau

    gbruneau at isc dot sans dot edu






  • GlassWorm Supply-Chain Attack Abuses 72 Open VSX Extensions to Target Developers



    Cybersecurity researchers have flagged a new iteration of the GlassWorm campaign that they say represents a “significant escalation” in how it propagates through the Open VSX registry.

    “Instead of requiring every malicious listing to embed the loader directly, the threat actor is now abusing extensionPack and extensionDependencies to turn initially standalone-looking extensions into transitive delivery vehicles in later updates, allowing a benign-appearing package to begin pulling a separate GlassWorm-linked extension only after trust has already been established,” Socket said in a report published Friday.

    The software supply chain security company said it discovered at least 72 additional malicious Open VSX extensions since January 31, 2026, targeting developers. These extensions mimic widely used developer utilities, including linters and formatters, code runners, and tools for artificial intelligence (AI)-powered coding assistants like Claude Code and Google Antigravity.

    The names of some of the extensions are listed below. Open VSX has since taken steps to remove them from the registry –

    • angular-studio.ng-angular-extension
    • crotoapp.vscode-xml-extension
    • gvotcha.claude-code-extension
    • mswincx.antigravity-cockpit
    • tamokill12.foundry-pdf-extension
    • turbobase.sql-turbo-tool
    • vce-brendan-studio-eich.js-debuger-vscode

    GlassWorm is the name given to an ongoing malware campaign that has repeatedly infiltrated Microsoft Visual Studio Marketplace and Open VSX with malicious extensions designed to steal secrets and drain cryptocurrency wallets, and abuse infected systems as proxies for other criminal activities.


    Although the activity was first flagged by Koi Security in October 2025, npm packages using the same tactics – particularly the use of invisible Unicode characters to hide malicious code – were identified as far back as March 2025.

    The latest iteration retains many of the hallmarks associated with GlassWorm: running checks to avoid infecting systems with a Russian locale and using Solana transactions as a dead drop resolver to fetch the command-and-control (C2) server for improved resilience.

    But the new set of extensions also features heavier obfuscation and rotates Solana wallets to evade detection, as well as abuses extension relationships to deploy the malicious payloads, similar to how npm packages rely on rogue dependencies to fly under the radar. Regardless of whether an extension is declared as “extensionPack” or “extensionDependencies” in the extension’s “package.json” file, the editor proceeds to install every other extension listed in it.

    In doing so, the GlassWorm campaign uses one extension as an installer for another extension that’s malicious. This also opens up new supply chain attack scenarios as an attacker first uploads a completely harmless VS Code extension to the marketplace to bypass review, after which it’s updated to list a GlassWorm-linked package as a dependency.

    “As a result, an extension that looked non-transitive and comparatively benign at initial publication can later become a transitive GlassWorm delivery vehicle without any change to its apparent purpose,” Socket said.
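    A registry, or an internal extension allow-list, can catch this pattern by diffing what each new version would pull in. The example below is added here and is not code from Socket, Open VSX or any of the extensions named above: it reads two versions of an extension manifest, collects everything listed under extensionPack or extensionDependencies (the editor installs both, as described above), reports what the update newly pulls in, and blocks the update when any newly added identifier is on a blocklist. The two manifests and the publisher name are constructed; the blocklist reuses the extension identifiers listed earlier in this article.

```python
import json

# Extension identifiers the article reports Open VSX removed, used here as a
# simple blocklist (publisher.name, lower-cased).
KNOWN_BAD = {
    "angular-studio.ng-angular-extension",
    "crotoapp.vscode-xml-extension",
    "gvotcha.claude-code-extension",
    "mswincx.antigravity-cockpit",
    "tamokill12.foundry-pdf-extension",
    "turbobase.sql-turbo-tool",
    "vce-brendan-studio-eich.js-debuger-vscode",
}

# Both keys cause the editor to install the listed extensions.
RELATION_KEYS = ("extensionDependencies", "extensionPack")

# Constructed manifests for two versions of a hypothetical linter extension:
# v1 stands alone, v2 quietly adds a dependency and a pack entry.
V1_MANIFEST = """{
  "name": "tidy-lint", "publisher": "example-pub", "version": "1.0.0",
  "contributes": {"commands": [{"command": "tidyLint.run", "title": "Run TidyLint"}]}
}"""
V2_MANIFEST = """{
  "name": "tidy-lint", "publisher": "example-pub", "version": "1.0.1",
  "contributes": {"commands": [{"command": "tidyLint.run", "title": "Run TidyLint"}]},
  "extensionDependencies": ["Turbobase.sql-turbo-tool"],
  "extensionPack": ["ms-python.python"]
}"""


def extension_pulls(manifest):
    """Every extension the editor would install alongside this one,
    whichever of the two keys lists it. Identifiers are case-insensitive."""
    pulls = set()
    for key in RELATION_KEYS:
        for ext_id in manifest.get(key) or []:
            pulls.add(str(ext_id).lower())
    return pulls


def audit_update(old_json, new_json, blocklist=KNOWN_BAD):
    """Compare two manifest versions and decide whether the update may be
    installed: 'ok' if it pulls nothing new, 'review' if it pulls in new
    extensions, 'block' if any of those is on the blocklist."""
    old, new = json.loads(old_json), json.loads(new_json)
    added = extension_pulls(new) - extension_pulls(old)
    flagged = added & {b.lower() for b in blocklist}
    if flagged:
        verdict = "block"
    elif added:
        verdict = "review"
    else:
        verdict = "ok"
    return {
        "version": f"{old.get('version')} -> {new.get('version')}",
        "added": sorted(added),
        "flagged": sorted(flagged),
        "verdict": verdict,
    }


if __name__ == "__main__":
    print(audit_update(V1_MANIFEST, V2_MANIFEST))
```

    The point of the diff is that a manifest which was clean at first publication gets re-examined on every update, which is exactly the step the campaign relies on reviewers skipping; a "review" verdict on any newly added relationship is worth keeping even when nothing is on the blocklist.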

    In a concurrent advisory, Aikido attributed the GlassWorm threat actor to a mass campaign that’s spreading across open-source repositories, with the attackers injecting various repositories with invisible Unicode characters to encode a payload. While the content isn’t visible when loaded into code editors and terminals, it decodes to a loader that’s responsible for fetching and executing a second-stage script to steal tokens, credentials, and secrets.

    No less than 151 GitHub repositories are estimated to have been affected as part of the campaign between March 3 and March 9, 2026. In addition, the same Unicode technique has been deployed in two different npm packages, indicating a coordinated, multi-platform push –

    • @aifabrix/miso-client
    • @iflow-mcp/watercrawl-watercrawl-mcp

    “The malicious injections don’t arrive in obviously suspicious commits,” security researcher Ilyas Makari said. “The surrounding changes are realistic: documentation tweaks, version bumps, small refactors, and bug fixes that are stylistically consistent with each target project. This level of project-specific tailoring strongly suggests the attackers are using large language models to generate convincing cover commits.”
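    Because the injected characters are invisible in editors and terminals, a review that relies on eyes alone will miss them; a pre-commit or CI scan over code points will not. The example below is added here and is not code from Aikido or from any affected repository: it reports every zero-width, bidi-control, variation-selector or Unicode Tags-block character in a source file with its line and column, and shows how a run of Tags-block characters decodes back to the ASCII it shadows. The sample file is constructed, the list of code points is my own, and the Tags-block decoding is one known smuggling scheme rather than a description of this campaign's payload encoding, which the article does not detail.

```python
import unicodedata

# Code points that render as nothing (or next to nothing) in editors and
# terminals. This list is my own for the example; the article does not say
# which characters the campaign uses.
TAG_BLOCK = range(0xE0000, 0xE0080)            # Unicode "Tags": invisible copies of ASCII
VARIATION_SELECTORS = (range(0xFE00, 0xFE10), range(0xE0100, 0xE01F0))
EXPLICIT = {0x00AD, 0x200B, 0x200C, 0x200D, 0x200E, 0x200F, 0x2060, 0x2061,
            0x2062, 0x2063, 0x2064, 0x202A, 0x202B, 0x202C, 0x202D, 0x202E, 0xFEFF}


def is_invisible(cp):
    """True for code points that have no visible glyph of their own."""
    if cp in EXPLICIT or cp in TAG_BLOCK or any(cp in r for r in VARIATION_SELECTORS):
        return True
    # Anything else in the Unicode "format" category is invisible too.
    return unicodedata.category(chr(cp)) == "Cf"


def scan_source(text):
    """Return (line, column, code point, name) for every invisible character."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for col, ch in enumerate(line, 1):
            cp = ord(ch)
            if is_invisible(cp):
                findings.append((lineno, col, f"U+{cp:04X}",
                                 unicodedata.name(ch, "<unnamed>")))
    return findings


def decode_tag_run(text):
    """Map Tags-block characters back to ASCII (U+E0020..U+E007E -> 0x20..0x7E).
    One encoding used for ASCII smuggling; that this campaign uses exactly
    this scheme is an assumption of the example, not a claim from the article."""
    return "".join(chr(ord(ch) - 0xE0000) for ch in text
                   if 0xE0020 <= ord(ch) <= 0xE007E)


# Constructed sample: a benign-looking file with a hidden Tags-block run after
# a comment, and a zero-width space inside a string literal.
HIDDEN = "".join(chr(0xE0000 + ord(c)) for c in "alert(1)")
SAMPLE_SOURCE = (
    "function add(a, b) { return a + b; }\n"
    "// bump version" + HIDDEN + "\n"
    "const label = 'x\u200by';\n"
)


if __name__ == "__main__":
    for lineno, col, cp, name in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno} col {col}: {cp} {name}")
    print("hidden ASCII:", repr(decode_tag_run(SAMPLE_SOURCE)))
```

    Run over a repository this is cheap enough for a pre-commit hook; the only legitimate hits in most code bases are a byte-order mark at offset zero and the occasional soft hyphen or zero-width joiner in localisation strings, which is a short enough allow-list to maintain by hand.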

    PhantomRaven or Research Experiment?

    The development comes as Endor Labs said it discovered 88 new malicious npm packages uploaded in three waves between November 2025 and February 2026 via 50 disposable accounts. The packages come with functionality to steal sensitive information from the compromised machine, including environment variables, CI/CD tokens, and system metadata.

    The activity stands out for the use of Remote Dynamic Dependencies (RDD), where the “package.json” metadata file specifies a dependency at a custom HTTP URL, thereby allowing the operators to modify the malicious code on the fly, as well as bypass inspection.


    While the packages were initially identified as part of the PhantomRaven campaign, the application security company noted in an update that they were produced by a security researcher as part of a legitimate experiment – a claim it challenged, citing three red flags. This includes the fact that the libraries collect far more information than necessary, provide no transparency to the user, and are published by deliberately rotated account names and email addresses.

    As of March 12, 2026, the owner of the packages has made additional changes, swapping out the data harvesting payload delivered via some of the npm packages published over the three-month period with a simple “Hello, world!” message.

    “While the removal of code that collected extensive information is certainly welcome, it also highlights the risks associated with URL dependencies,” Endor Labs said. “When packages rely on code hosted outside the npm registry, authors retain full control over the payload without publishing a new package version. By modifying a single file on the server – or simply shutting it down – they can silently change or disable the behavior of every dependent package at once.”
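    The practical check against remote dynamic dependencies is to refuse any dependency whose specifier is not resolved by the registry. The example below is added here and is not code from Endor Labs or npm: it reads a package.json, classifies every dependency specifier across the dependency fields as registry, remote URL, remote git, hosted git, local or alias, and returns the non-registry ones for review. The package.json, the package names and the hostnames in it are constructed; the specifier forms follow npm's dependency syntax as I know it.

```python
import json
import re

DEP_FIELDS = ("dependencies", "devDependencies", "optionalDependencies", "peerDependencies")
HOSTED_PREFIXES = ("github:", "gitlab:", "bitbucket:", "gist:")
SHORTHAND_RE = re.compile(r"^[\w.-]+/[\w.-]+(#.*)?$")   # owner/repo[#ref]

# Constructed package.json; names and hostnames are made up.
SAMPLE_PACKAGE_JSON = """{
  "name": "example-app", "version": "0.1.0",
  "dependencies": {
    "lodash": "^4.17.21",
    "express": "4.x",
    "helper-util": "https://pkg.example.net/helper-util-1.0.0.tgz",
    "left-pad": "github:example-org/left-pad#v1.3.0",
    "shared-lib": "file:../shared-lib",
    "chalk-alias": "npm:chalk@^5"
  },
  "devDependencies": {"eslint": "latest"}
}"""


def classify_spec(spec):
    """Classify one dependency specifier by where npm would fetch it from."""
    s = str(spec).strip()
    if s.startswith(("http://", "https://")):
        return "remote_url"        # tarball from an arbitrary server: the RDD case
    if s.startswith(("git://", "git+", "ssh://")):
        return "remote_git"        # clone from an arbitrary git server
    if s.startswith(HOSTED_PREFIXES) or SHORTHAND_RE.match(s):
        return "hosted_git"        # GitHub/GitLab/Bitbucket shorthand
    if s.startswith(("file:", "link:", "./", "../", "/")):
        return "local"             # path on the building machine
    if s.startswith("npm:"):
        return "alias"             # npm:<other-package>@<range>, still registry-backed
    return "registry"              # semver range or dist-tag resolved by the registry


def audit_manifest(manifest_json):
    """Return (field, name, spec, kind) for every dependency that is not a
    plain registry specifier, across all dependency fields."""
    manifest = json.loads(manifest_json)
    findings = []
    for field in DEP_FIELDS:
        for name, spec in (manifest.get(field) or {}).items():
            kind = classify_spec(spec)
            if kind != "registry":
                findings.append((field, name, spec, kind))
    return findings


if __name__ == "__main__":
    for field, name, spec, kind in audit_manifest(SAMPLE_PACKAGE_JSON):
        print(f"{kind:10s} {field}.{name} = {spec}")
```

    Only the remote_url and remote_git kinds give the author the silent-swap capability described above, since nothing in the registry pins what the URL serves tomorrow; hosted git references pinned to a commit and local paths are lesser concerns, but a policy that lists them all is easier to reason about than one with exceptions.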


