
CramHacks Chronicles #46: Weekly Cybersecurity Newsletter!

Switzerland mandates software source code disclosure, Malicious NuGet Packages, Go Capability Analysis, Open Source Software Security

🥳 Happy Monday! 🥳

I took off work this past week while my mom and brothers were in town. Overall, I did a pretty good job at disconnecting from work, which led to some realizations about myself and what projects excite me.

I’ve added details to the bottom of this newsletter if you’re interested 🙂.

Nalu ~5 months old

Newsletter

Switzerland mandates software source code disclosure for public sector: A legal milestone
A new Swiss federal law stipulates that all public entities must disclose the source code of software developed by or for them unless precluded by third-party rights or security concerns.

EU publishes rollout schedule for AI Act
The EU's AI Act, now officially passed and in force from August 1st, applies in phases: the bans on prohibited (unacceptable-risk) AI practices take effect on February 2nd, 2025, with later deadlines for transparency obligations on developers and for specific high-risk applications, and severe penalties for non-compliance.

Google Docs now supports Markdown import and export
👋 At least one reader is bound to be excited about this 🤣.

Malicious NuGet campaign uses homoglyphs and IL weaving to fool devs
ReversingLabs’ Karlo Zanki has released an update on a NuGet malware campaign that has been ongoing since August 2023. The actors have adopted more sophisticated techniques, including homoglyphs (characters from different scripts that render identically to a human reader but are distinct code points to a computer, so a look-alike package name slips past a visual check) and IL weaving (rewriting a compiled .NET assembly to inject additional IL instructions, so the malicious code is not in any source the developer would review).

👋 I can’t think of any reason why NuGet should be supporting homoglyphs 🤦‍♂️.
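The check a practitioner would want here is one that flags a package name before it is trusted. The following is an added example, not code from the ReversingLabs report or from NuGet: it folds a candidate name to its ASCII "skeleton" (NFKC normalization plus a hand-picked confusables map, which is an assumption and not the full Unicode UTS #39 table), and flags names that contain non-ASCII, mix scripts, change under NFKC, or collapse onto a known package once look-alikes are folded. The known-package allow-list and the candidate names are constructed sample data; the candidates are not real packages.

```python
import unicodedata
from dataclasses import dataclass, field
from typing import Optional

# Hand-picked subset of Unicode confusables (assumption: NOT the full UTS #39
# table). Maps a look-alike code point to the ASCII character it imitates.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "\u0131": "i",  # LATIN SMALL LETTER DOTLESS I
}


def script_of(ch: str) -> str:
    """Approximate a character's script from its Unicode name prefix
    ('CYRILLIC SMALL LETTER O' -> 'CYRILLIC'). unicodedata exposes no Script
    property, so this is a heuristic. NFKC is applied first so fullwidth or
    ligature forms resolve to their base script; digits and punctuation are
    reported as COMMON."""
    base = unicodedata.normalize("NFKC", ch)[0]
    if not base.isalpha():
        return "COMMON"
    try:
        return unicodedata.name(base).split()[0]
    except ValueError:
        return "UNKNOWN"


def skeleton(name: str) -> str:
    """Fold a name to its ASCII look-alike: NFKC-normalise, replace known
    confusables, lower-case. Two names with equal skeletons look the same."""
    folded = unicodedata.normalize("NFKC", name)
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded).lower()


@dataclass
class Finding:
    name: str
    reasons: list = field(default_factory=list)
    impersonates: Optional[str] = None

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def check_name(name: str, known: set) -> Finding:
    """Flag a package name that uses non-ASCII, mixes scripts, changes under
    NFKC, or collapses onto a known package once confusables are folded."""
    f = Finding(name)
    if not name.isascii():
        f.reasons.append("non-ascii")
    scripts = {script_of(ch) for ch in name} - {"COMMON", "UNKNOWN"}
    if len(scripts) > 1:
        f.reasons.append("mixed-scripts:" + "+".join(sorted(scripts)))
    if unicodedata.normalize("NFKC", name) != name:
        f.reasons.append("nfkc-changes")
    sk = skeleton(name)
    if sk in known and sk != name.lower():
        f.impersonates = sk
        f.reasons.append("confusable-with-known")
    return f


def scan(names, known):
    """Return findings for every suspicious name in `names`."""
    return [f for f in (check_name(n, known) for n in names) if f.suspicious]


if __name__ == "__main__":
    # Constructed sample data: a few well-known NuGet package names as the
    # allow-list, and candidate names that are NOT real packages.
    KNOWN = {"newtonsoft.json", "serilog", "system.text.json"}
    CANDIDATES = [
        "Newtonsoft.Json",          # genuine, all ASCII
        "Newt\u043ensoft.Json",     # Cyrillic 'о' in place of Latin 'o'
        "\uff33erilog",             # FULLWIDTH 'Ｓ' in place of 'S'
        "Ser\u0131log",             # dotless ı in place of i
    ]
    for f in scan(CANDIDATES, KNOWN):
        print(f"{f.name!r}: {', '.join(f.reasons)}"
              + (f" (looks like {f.impersonates})" if f.impersonates else ""))
```

The non-ASCII check alone would already catch every name above, which is the point of the author's remark: a registry that rejects or normalizes non-ASCII package identifiers removes this whole class of attack. The skeleton comparison is what you want in a CI gate that must also tolerate legitimately international names, because it only fires when a name collapses onto something you already depend on.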

Trusty Dependency Risk Action: Automatically scan PRs for unsafe dependencies
Stacklok has released a GitHub Action that integrates Trusty into your GitHub workflow, automatically checking the quality and safety of your dependencies on every pull request.

Bringing Capability Analysis for Go to deps.dev
Google’s deps.dev will now detail Capslock results for Go packages. Capslock identifies what capabilities a Go package has, such as the ability to read files or to send and receive data on the network.

👋 The article mentions that their analysis found that less than 2% of package version updates introduce a new capability requirement. I suspect those seeking to identify malicious Go packages will find this beneficial.

Auditing the Ask Astro LLM Q&A app
Trail of Bits found four vulnerabilities in Ask Astro, an open-source retrieval augmented generation (RAG) chatbot application.

👋 I mainly wanted to feature this because I find it so flipping cool that Trail of Bits does these open source project assessments.

Upcoming Events

OWASP Orange County
On July 25th, I’ll be presenting Tackling vulnerabilities in third-party packages!

Semgrep: The Rules - An Interactive Rule Writing Session
On July 30th, the incredible Tanya Janca and I have two hours to discuss Semgrep rule writing, walk through real-world examples, and allow for Q&A. This is beginner + intermediate friendly! Feel free to embarrass me with hard questions.

Hacker Summer Camp
I'll be in Vegas August 5-9th; please reach out if you’d like to meet up! Or stop by the Semgrep booth at either BSides LV or Black Hat 🙂.

Areas of Interest

Vulnerabilities in GitHub Workflows
Adnan Khan and the numerous vulnerabilities he disclosed in projects’ GitHub workflows have piqued my interest. He’s actively working on Gato-X (GitHub Attack Toolkit - Extreme Edition), inspiring me to develop a similar toolkit for identifying open source security vulnerabilities at scale. I plan to open source this toolkit along with a write-up in the future.

Google’s OSS-Fuzz
The OSS-Fuzz project offers continuous fuzzing for open source software. While I’m a fan of the OpenSSF Scorecard project, they give a 10/10 score as long as a project is known to be fuzzed. But frankly, not all projects should be fuzzed, and of those that are, how do we assess the quality of the fuzzer?

This led me to the Fuzzer introspection of OSS-Fuzz projects and, ultimately, the OSS-Fuzz Reward Program Rules. I’ve been brushing up on fuzzing principles and experimenting more with AFL++. I’m excited to learn more!

Until Next Time! 👋

Hey, you made it to the bottom – thanks for sticking around!

Questions, ideas, or want to chat? Slide into my inbox! 💌

Don’t hesitate to forward if someone could benefit from this.

See you next Monday!
-Kyle

P.S. CramHacks now has a Supporter tier! You can upgrade here to support CramHacks and its free weekly content 😃.