• CramHacks
  • Posts
  • CramHacks Chronicles #53: Weekly Cybersecurity Newsletter!

CramHacks Chronicles #53: Weekly Cybersecurity Newsletter!

2024 Open Source Maintainer Report, Java fuzz harness synthesis using LLMs, Hijacking deleted packages, AI Crisis, and more!

Author

Kyle Kelly
September 18, 2024

We’re back! After a two-week vacation, I’m excited to share that I’m engaged💍🥂!!

This was the first time in my career that I took two weeks off without interruptions. Frankly, I did not believe it was possible. Anyone who knows me likely didn’t think I could go two weeks without working. Yet here I am!

TODAY AT 10 AM PT

Secure Open Source Dependencies with Semgrep Supply Chain

Dependencies and open source code comprise a large amount of an organization's underlying code base. Management and monitoring of that codebase can already be taxing on developers; having a large set of false positive vulnerabilities can be a full sink of developer resources.

semgrep.dev/events/secure-open-source-dependencies-with-semgrep-supply-chain

Newsletter

Scalable techniques for risk assessment of open-source libraries
Nirvi Badyal’s master's thesis is a work of art for anyone interested in the ins and outs of reachability analysis.

👋 For those unaware, I’ve been working on Semgrep’s reachability analysis capabilities for the supply chain product for almost two years. This thesis does a fantastic job covering relatively niche learnings, many of which took me months to uncover first-hand. And I didn’t have this quality data to support my theories; kudos 🙂 🙏 .

Urgent: GitLab Patches Critical Flaw Allowing Unauthorized Pipeline Job Execution
CVE-2024-6678, assigned a CVSS score of 9.9 (out of 10), reportedly enables an attacker to trigger a pipeline as an arbitrary user under certain circumstances. Be sure to patch if you’re running a self-managed instance!

OSS-Fuzz - Introducing Java fuzz harness synthesis using LLMs
The latest blog (#3) details the team's challenges while building Java-specific capabilities into the OSS-Fuzz-Gen workflow. For those less familiar, this project aims to automate the fuzzing process for open-source software.

👋 Are you interested in seeing what this looks like?  Here’s a link to the prompt and its generated harness! I’m very excited about this project.

Simplify SBOM Management for Developers: Introducing Bomctl
OpenSSF has announced a new sandbox project, bomctl, to help users work more easily with SBOM documents. The project offers a cli to fetch and store SBOM documents with plans to provide capabilities like merging, redacting, splitting, and enriching component dependency trees.

👋 The project builds on the OpenSSF’s protobom (a universal SBOM representation).

Watch the Typo: Our PoC Exploit for Typosquatting in GitHub Actions
As a proof-of-concept, the Orca Research Pod created 14 organizations with names that could be typos of popular GitHub actions. The most successful was ‘actons’, which had four public repositories referencing it (before it existed), which grew to 12 within two months. The action deployed was safe but could easily embed malware, leak secrets, etc.

👋 It’s important to note that the results are only for public repositories. When you account for private repositories, there are likely more than 12 potential victims.

The 2024 Tidelift State of the Open Source Maintainer Report
Tidelift’s sixth annual open source maintainer report. The results contain data from 437 respondents who maintain at least one open-source project.

  • 60% of maintainers are not paid for their work

  • 82% of paid maintainers spend >20 hours maintaining their projects versus only 8% of unpaid maintainers

  • Maintainers report spending 11% of their time on security work (a roughly 300% increase compared to the 2021 report)

  • 64% of professional maintainers prioritize remediating vulnerabilities versus only 36% for semi-professional maintainers.

  • 45% of maintainers think AI-based coding tools will hurt their projects.

👋 Of course, there is ample confirmation that paid maintainers are more willing to deploy new features, spend more time on security, etc.

Revival Hijack – PyPI hijack technique exploited in the wild, puts 22K packages at risk
JFrog researchers Andrey Polkovnichenko and Brian Moussalli coined “Revival Hijack,” an attack vector that abuses how PyPI allows maintainers to reuse package names of previously deleted packages. As a proof-of-concept, the researchers registered new packages for 78 previously deleted ones. Within three months, they totaled over 200,000 downloads.

👋 There are mitigating controls here, both by PyPI and available for end users (e.g., via pip). However, this is undoubtedly a vector that can lead to people getting compromised.

The Subprime AI Crisis
If you’re interested in AI, this blog was a fun, albeit lengthy, thought exercise. AI is a massive money pit; what are the potential implications? Given that nearly every tech company is investing in AI to some degree, how does that impact the rest of the organizations? Was your annual raise less than expected? Did your company spend millions to recruit AI engineers?

Also, how does a company like OpenAI or Anthropic win long-term? I fail to see the substantial data moat. Hence, I’m much more bullish about local models and on-device services like Apple Intelligence.

Until Next Time! 👋

Hey, you made it to the bottom – thanks for sticking around!

Questions, ideas, or want to chat? Slide into my inbox! 💌

Don’t hesitate to forward if someone could benefit from this.

See you next Monday!
-Kyle

P.S. CramHacks has a Supporter tier! You can upgrade here to support CramHacks and its free weekly content 😃.