CramHacks Chronicles #44: Weekly Cybersecurity Newsletter!

🥳 Happy Monday! 🥳

I hope all who celebrate had a great 4th of July! Nalu (puppy) did incredibly well with the fireworks; we even took her to the bay to watch them. She didn’t react at all 🙌.

Only one month until Hacker Summer Camp! I hope to see many of you there.

Table of Contents

• General News

• Malware / Exploits

• Open Source

• Vulnerability Management

• Until Next Time! 👋

General News

BSides SF Talk Recordings
More than 60 talks packed with great content have been published.

CocoaPods vulnerabilities highlight risks in dependency managers
👋 This was covered last week, but it bothered me so much that I wrote a blog highlighting the importance of securing dependency managers.

ChatGPT for Mac was storing all conversations in an unprotected location
Pedro José Pereira Vieito recognized that the OpenAI ChatGPT for Mac app was storing user conversations in plain text in a non-protected location. Therefore, any other apps or malware running on the system could potentially access these conversations.

👋 Following an update this week, these conversations are now encrypted but are still not being sandboxed.

Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Reporting Requirements
I appreciate CISA's attempt to define “supply chain incident” and “supply chain.” But I still have difficulty seeing how this definition doesn’t logically cover nearly all cyber incidents.

Supply Chain Incident: “A cyber incident within the supply chain of an information system that an adversary can leverage, or does leverage, to jeopardize the confidentiality, integrity, or availability of the information system or the information the system processes, stores, or transmits, and can occur at any point during the life cycle.”

NIST defines an information system as: “A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.”

This suggests that an information system is just a compilation of things. The average cyber incident will not compromise the entire system but a component like an application or running service - which then often gives access to the entirety of it.

Malware / Exploits

Attacking & Defending Supply Chains: How we got Admin in your Cloud, Again
Rippling’s Mike Ruth details an attack vector your organization is likely vulnerable to. The piece that caught my attention was how, by default, GitHub organization secrets are available to all repositories - and most organizations allow all users to create new repositories. Therefore, users can abuse workflows in their repository to abuse organization secrets + more 🤔.

👋 I wanted to highlight this one from the BSides SF recordings. CI/CD attacks are on the rise, and we need more people talking about these risks & mitigations.

Polyfill[.]io Attack Impacts Over 380,000 Hosts, Including Major Companies
👋 This was covered in a previous Cramhacks newsletter but was reported to impact 100,000 websites then. As of this week, reports are saying almost 4x that!

Australian Man Charged for Fake Wi-Fi Scam on Domestic Flights
🤦 If convicted, he faces up to 23 years in prison. Many of us in the security space have toyed with malicious access points, perhaps to mess with friends, but come on… not on an airplane.

Threat actor is allegedly selling a critical NPM account takeover vulnerability
👋 I’m watching this, but there hasn’t been any evidence yet. The BreachForums user is accepting bids for the details.

Open Source

pnpm 9.5 Introduces Catalogs: Shareable Dependency Version Specifiers
pnpm 9.5 debuts Catalogs, a feature that allows for shared dependency version specifiers, minimizes merge conflicts, and improves monorepo support.

Secure your Github repositories with Bullfrog Security
Github Action for securing your GitHub workflows using egress policies

👋See my previous notes above about CI/CD attacks 📈. This easy-to-use open-source GitHub Action gives you control over which IPs or domains your workflows can make outbound connections with. For a commercial solution offering this capability and more, check out StepSecurity.

Secure Software Development Education 2024 Survey
The Linux Foundation has released its latest survey, which consists of data from almost 400 respondents.

👋 56% of respondents see supply chain security as a crucial area needing increased focus and innovation.

Vulnerability Management

ReversingLabs: Spectra Assure Community
👋 I’ve been a fan of ReversingLabs’ malware research for a while. Their Threat Research team was the first to report over 3,000 packages as malicious. I plan to use this platform as another reference moving forward. For the record, my other go-to sources are deps.dev and socket.dev.

Chainguard Enhances Security With OSV Advisory Feed
Anyone releasing security advisories in the open-source space should use the OSV schema. You can now query chainguard security advisory data on osv.dev.

Until Next Time! 👋 

Hey, you made it to the bottom – thanks for sticking around!

Questions, ideas, or want to chat? Slide into my inbox! 💌

Don’t hesitate to forward if someone could benefit from this.

See you next Monday!
-Kyle

P.S. CramHacks now has a Supporter tier! You can upgrade here to support CramHacks and its free weekly content 😃.