• CramHacks
  • Posts
  • [CramHacks] Newsletter #17: Trolling NPM and the headaches that followed

[CramHacks] Newsletter #17: Trolling NPM and the headaches that followed

CramHacks Chronicles: Key Insights On Software Supply Chain Risks

šŸ„³ Happy Monday! šŸ„³

Software Supply Chain Security

šŸ‘‹ Wanted to give a shoutout to Patrick, a Security Researcher at Nucleus Security, who puts together these incredible visualizations. Not only are they appealing to look at, but they get valuable messages across.

For example, I recently researched CISAā€™s Known Exploited Vulnerabilities catalog. I noticed that the list is almost entirely useless in the world of open-source supply chain security. This visualization showing what vendors are responsible for the vulnerable products makes this much more apparent. This also explains why the term ā€˜Microsoftā€™ immediately bumps vulnerabilities Exploit Prediction Scoring System (EPSS) score.

A group of developers published an npm package, everything, which, when installed via npm, causes denial of service because, wellā€¦ every single npm package is listed as a dependency.

Whatā€™s extra funny is that you canā€™t delete a package from npm if another package depends on it. Therefore, npm package owners everywhere cannot remove their packages from npm. The cherry on top is that this includes the packages created for this troll.

šŸ‘‹ While this isnā€™t the first time, I can appreciate a good troll, especially when it highlights a real issue in how package managers evaluate (or donā€™t) packages before offering them to users.

Eric Smalling, Senior Developer Advocate @ Snyk, has published a 30-minute video about the risks associated with container security and how Snyk can help identify & remediate these vulnerabilities.

Dan Lorenc, Founder/CEO of Chainguard, stirs some exciting discussion around the state of supply chains for AI toolkits:

ā€œmost links lead to just random forum dumps with platform-specific 300+MB Python wheel downloads that are maintained by just a few folks that ā€˜got it working onceā€™ and shared it. This space feels like weā€™ve gone back more than a few years in overall supply chain security.ā€

šŸ‘‹ I canā€™t make this up; I also spent much of my break investigating supply chain security in AI. My announcement was scheduled to be posted 30 minutes after Danā€™s LinkedIn post šŸ˜†. Some great points are made here; if you find this interesting, watch my blog post! ā€˜

Also, if the Snyk container security video piqued your interest, look at Chainguardā€™s minimal, hardened images.

šŸ‘‹ This is a W.

Until Next Time! šŸ‘‹ 

Hey, you made it to the bottom ā€“ thanks for sticking around!

Questions, ideas, or want to chat? Slide into my inbox! šŸ’Œ

Donā€™t hesitate to forward if someone could benefit from this.

See you next Monday!
-Kyle