Software Security by CramHacks
Whether shaping strategy or crafting code, CramHacks keeps you informed.
The AI race has created a cesspool of third-party packages
Explore the public availability of affected functions for OSS vulnerabilities and why vendors are spending millions to build private datasets.
How the industry is mitigating the risks of abusing lifecycle scripts, stolen credentials, and fake reputations!
98% of PyMySQL forks are vulnerable to SQL Injection
A global overview of vulnerability databases and disclosure practices
Exposing Common Misconceptions about CVEs, NVD, KEV Catalog, and EPSS
MCP Context Protector, Provenance Signing & Verification for Model Hubs, Cursor's Questionable Denylist, CodeQL Support for Rust, CISA SBOM Community Closes Doors
G-Suite Prompt Injections, compromised npm maintainer, crates.io announces trusted publishing, Google's OSS-Rebuild project, container isolation
What $270,000 of bug hunting open source gets you, Post-quantum cryptographic scanner pqscan, mcp-remote RCE, North Korean malicious npm packages
GitHub Immutable Releases, Deptective, Cloudflare monetizing web crawling, historic data on software supply chain attacks, Belgium is unsafe for CVD
Compromising the extension store used by Cursor & Windsurf, GitHub Advisory DB insights, leveraging GitHub Events to expose secrets, OpenSSF Japan
Google Donates A2A, GH Attestation OPA Gatekeeper Support, Malicious Transitive Dependencies, Kingfisher Secret Detection, Edara & Container Security
Docker Hub webhook security, libxml2's bug management, GerriScary's Google vulnerability, Netflix's dependency confusion, and CVE scoring
Apple Containerization, No output from your MCP server is safe, GitHub Release Assets now have digests, 16+ npm packages compromised from leaked secrets
Trusted Publishing for NPM, Likely Exploited Vulnerabilities (LEV), Correctness of SBOM Generation, Scalable Dynamic Malware Analysis for packages
US Government Launches Audit of NIST’s National Vulnerability Database, CycloneDX Abandons bug bounty program funded by Sovereign Tech Fund, build & deployment security
Product Updates: Chainguard, Docker, Wiz, Aikido, & Socket, GitHub Action Scanners, threat hunting with public event logs, MCP Security Checklist
Exploring npm vulnerabilities, Kyverno introduces ImageValidatingPolicy, XBOW reaches Highest Rank on HackerOne Leaderboard, Ubuntu adopts sudo-rs, LlamaFirewall