
CramHacks Chronicles #58: Weekly Cybersecurity Newsletter!

AI can now control your entire computer, WordPress War, CISA product security bad practices, and open source vulnerability discoveries!

Hello! I hope you’re having a great week 🙂.

Based on last week’s newsletter insights, you all seem to prefer the old format — with the full-length summaries in the email. I’ll go back to doing that!

Anthropic has announced “computer use,” an experimental AI feature that enables “Claude to use computers the way people do—by looking at a screen, moving a cursor, clicking buttons, and typing text.”

It’s worth watching the two-minute video.

Semgrep is hosting a challenge!
Try Semgrep Supply Chain’s reachability analysis feature to have a chance of winning AirPods Max. Unfamiliar with the tool? Check out the video Secure Open Source Dependencies with Semgrep Supply Chain.

Newsletter

Did Automattic commit open source theft?
Automattic, the creator of the open source WordPress CMS, is at war with WP Engine (yes, WordPress and WP Engine are two different companies). WP Engine created the world’s most popular WordPress plugin, Advanced Custom Fields (ACF), and Automattic recently forked the plugin and replaced WP Engine’s version with its own fork within the plugin directory—migrating 2M+ customers onto Automattic’s forked version, called Secure Custom Fields.

👋 There’s a lot more to this situation, but in my opinion, everything points to Automattic being out of their mind.

CVE Program Celebrates 25 Years of Impact!
🥳 Happy Birthday! For better or worse, you’ve made it another year. It’s just a joke!

Finding Vulnerability Variants at Scale
Franco Belman (@0xFBFBFBFB) details how fuzzing jpeg-recompress uncovered two vulnerabilities. Thanks to CodeQL, SourceGraph, BigQuery, and the GitHub API, Franco discovered 30+ affected projects.

What is the offensive security “Holy Trinity”?
Paul McCarty shares the synergy of penetration testing, bug bounty research, and red teaming.

👋 I appreciate that the article distinguishes between those looking to secure vs those looking to tick the checkbox.

China cyber pros say Intel is installing CPU backdoors on behalf of NSA
UK-based writer Benedict Collins covers China accusing Intel of installing CPU backdoors on behalf of the NSA. This comes only days after Benedict published an article regarding China accusing the CIA of being the Volt Typhoon hacking group.

👋 Disclaimer: I don’t believe everything I read online, nor should you. But that doesn’t mean it’s not true 🤷‍♂️.

OSV's approach to data quality
Andrew Pollock and Charl de Nysschen share details regarding the OSV Data Quality Program, which aims to identify problems with published records, ensure schema compliance, and provide best-practice tooling for generating OSV records.

CISA: Product Security Bad Practices
CISA with the 🌶️ take, “Development in Memory Unsafe Languages.” 👀. But with a very sensible expectation for open source software vulnerabilities, “Presence of Open Source Software with Known Exploitable Vulnerabilities.”

Hacking for €10k rewards and a secure open source ecosystem
The Sovereign Tech Fund is now operating seven Bug Bounty Programs for open source projects, paying out up to €10,000 for critical, €5,000 for high, €3,000 for medium, and €500 for low-severity issues.

Until Next Time! 👋

Hey, you made it to the bottom – thanks for sticking around!

Questions, ideas, or want to chat? Slide into my inbox! 💌

Don’t hesitate to forward if someone could benefit from this.

See you next Monday!
-Kyle

P.S. CramHacks has a Supporter tier! You can upgrade here to support CramHacks and its free weekly content 😃.