CramHacks Chronicles #60: Weekly Cybersecurity Newsletter!
Fuzzing, Security Audits, and New Tools: A Look at Recent Developments in the Open Source Software Security Landscape.
Hello! I hope you’re having a great week thus far 🙂.
This week, it occurred to me how much the software supply chain security industry has grown since starting CramHacks. My initial blogs were designed to inspire people to care about this problem, and now it’s commonly at the top of people's minds.
The challenges will only get more difficult as we progress, but I’m excited for what’s to come.
Register to hear some hot takes on software supply chain security tomorrow!
Enhancing Node.js Security: Highlights from the Recent Audit
The OpenJS Foundation, OSTIF, and the Sovereign Tech Fund have partnered to have Ada Logics perform a security audit of Node.js. In addition to the existing suite, 48 new fuzzers were introduced, identifying four new security findings. Full audit report here.
👋 I’m still relatively new to the fuzzing world, especially regarding OSS-Fuzz, but Ada Logics’ David Korczynski & Adam Korczynski are routinely blowing my mind. Their contributions to OSS-Fuzz are undoubtedly appreciated 🙏.
OpenSSF Scorecard for .NET and the NuGet ecosystem
The Microsoft team highlights the latest OpenSSF Scorecard feature, which checks for pinned dependencies when restoring packages using a lock file. The article also analyzes over 1,000 C# and F# repositories with over 1,500 stars on GitHub.
👋 Microsoft is strongly encouraging folks to start using lock files and Central Package Management for the .NET ecosystem. I’m a supporter, especially now that Microsoft has modernized and made appropriate tooling available.
Introducing the vlt Package Manager & Serverless Registry
Vlt is a drop-in replacement for your existing JavaScript package manager promising to “support developers as they create, run, distribute, discover, and secure their packages & project’s dependencies.”
👋 I’m very excited to try this out and follow their progress. The Vlt team is wildly impressive and includes OG NPM/GitHub players like Isaac Schlueter, Darcy Clarke, Ruy Adorno, and Luke Karrys.
GitHub Patches Race Condition in GitHub Actions Artifacts
In August, we covered Yaron Avital’s ArtiPACKED attack vector, but I missed the fix. Starting with upload-artifact v3.2.0-node20, the action no longer includes hidden files and folders (such as a checked-out repository’s .git directory) by default. This reduces the risk of credentials being accidentally uploaded in artifacts, which we now know is common.
GitHub Open Source Survey
GitHub shares the results of their 2024 survey, noting that the results closely resemble those from 2017 despite the more than 75 million new users. The survey repository and data can be found here.
sastsweep: analyze repositories and run semgrep scans on OSS targets
Chebuya has released sastsweep, a tool written in Go that assists in querying, filtering, and cloning open-source projects from GitHub, running Semgrep scans on the repositories to identify security vulnerabilities, and outputting results in an HTML report.
👋 I (and I’m sure many others) have worked on similar projects; it’s undoubtedly impactful when using the right Semgrep rules. If you’re interested in open-source vuln hunting, this is a good tool to experiment with!
Protect AI's (huntr.com) October 2024 Vulnerability Report
A report covering 34 total vulnerabilities impacting the OSS AI/ML supply chain space.
👋 I recently disclosed two high/critical vulns to huntr.com; they were marked as duplicates despite the original submissions being non-public and months prior. It has put a bad taste in my mouth, but I’m a big fan of the mission.
Okta AD/LDAP Auth - Username Above 52 Characters Security Advisory
On October 30, 2024, a vulnerability was identified in Okta’s AD/LDAP delegated authentication: under specific conditions, a cached Bcrypt-generated key allowed a user to authenticate with only a username, without supplying the correct password.
👋 The cache key was a Bcrypt hash of the concatenated user ID, username, and password. Bcrypt only processes the first 72 bytes of its input, so once the user ID and username together filled those 72 bytes (a username of 52 characters or more), the password was truncated away entirely, and any password produced the same key as the cached one.
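To make the 72-byte boundary concrete, here is an added example (not Okta’s code) that models the vulnerable cache-key scheme beside a fixed one. Python’s standard library has no bcrypt, so the bcrypt step is a stand-in that keeps only the property that matters here, truncation of the input to 72 bytes before hashing. The 20-character user ID is an assumption consistent with the 52-character threshold; the ID, username, and passwords are constructed.

```python
import base64
import hashlib

# bcrypt silently ignores every byte of its input after the 72nd. The stand-in
# below keeps exactly that truncation step and replaces the expensive bcrypt
# KDF with SHA-256: which bytes can influence the output is the only property
# this example needs.
BCRYPT_MAX_INPUT = 72


def bcrypt_stand_in(data: bytes) -> bytes:
    """Model of bcrypt's input handling: truncate to 72 bytes, then hash."""
    return hashlib.sha256(data[:BCRYPT_MAX_INPUT]).digest()


def vulnerable_cache_key(user_id: str, username: str, password: str) -> bytes:
    """The vulnerable layout: bcrypt(userId + username + password)."""
    return bcrypt_stand_in((user_id + username + password).encode("utf-8"))


def password_bytes_seen(user_id: str, username: str) -> int:
    """Bytes of the password that survive truncation for this identity.
    Zero means any password (or none at all) maps to the same cache key."""
    prefix_len = len((user_id + username).encode("utf-8"))
    return max(0, BCRYPT_MAX_INPUT - prefix_len)


def fixed_cache_key(user_id: str, username: str, password: str) -> bytes:
    """Length-frame each field, pre-hash the whole thing with SHA-256, and feed
    bcrypt the base64 digest (44 bytes: under the 72-byte limit and free of NUL
    bytes, which some bcrypt implementations treat as a terminator). Every byte
    of every field now influences the key, and the framing removes any
    ambiguity about where the user ID ends and the username begins."""
    framed = b"".join(
        len(field.encode("utf-8")).to_bytes(4, "big") + field.encode("utf-8")
        for field in (user_id, username, password)
    )
    prehash = base64.b64encode(hashlib.sha256(framed).digest())
    return bcrypt_stand_in(prehash)


if __name__ == "__main__":
    user_id = "00uCONSTRUCTEDUSERID"  # constructed 20-character ID (assumption)
    username = "x" * 52               # 20 + 52 = 72: nothing left for the password
    real_pw, attacker_pw = "correct horse battery staple", ""
    print("password bytes hashed:", password_bytes_seen(user_id, username))
    print("vulnerable: empty password matches cached key ->",
          vulnerable_cache_key(user_id, username, real_pw)
          == vulnerable_cache_key(user_id, username, attacker_pw))
    print("fixed: empty password matches cached key ->",
          fixed_cache_key(user_id, username, real_pw)
          == fixed_cache_key(user_id, username, attacker_pw))
```

Note that the failure is not all-or-nothing: with a 51-character username one byte of the password is hashed, so two passwords that share a first character still collide. `password_bytes_seen` is the check to run against the longest identity strings a deployment allows.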
Project Zero: Using Large Language Models To Catch Vulnerabilities
The Big Sleep AI agent discovered its first real-world vulnerability, a stack buffer underflow in SQLite. It was reported and fixed on the same day, demonstrating the agent's potential to preemptively secure software by identifying critical issues before release.
👋 Very cool stuff. Don’t even read my summary; go read the full thing!
15k Cloud Credentials Stolen in Operation Targeting Exposed Git Config Files
Sysdig’s Miguel Hernández describes how the Sysdig Threat Research Team uncovered a global operation, dubbed EMERALDWHALE, that scans for exposed Git configuration files and harvests the credentials they contain. It was first spotted through Sysdig’s honeypot, which logged suspicious activity involving an S3 bucket named s3simplisitter. On closer inspection, the publicly accessible bucket held over a terabyte of data, including stolen credentials and logging data.
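Both this item and the upload-artifact fix above come down to the same file: a `.git/config` that carries credentials, either as userinfo in a remote URL (what an exposed-config scanner like EMERALDWHALE harvests) or as the `http.<url>.extraheader` Authorization header that actions/checkout persists for the job token (what ends up in an artifact when a hidden `.git` directory is uploaded). The checker below is an added example, not Sysdig’s, GitHub’s or the newsletter’s code; it uses a minimal hand-written git-config reader rather than a full parser, and the sample config and token values are constructed.

```python
from __future__ import annotations

import base64
import re
from urllib.parse import urlsplit

SECTION_RE = re.compile(r'^\[([^\s"\]]+)(?:\s+"([^"]*)")?\]$')
KEY_RE = re.compile(r'^([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*)$')


def parse_git_config(text: str) -> list[tuple[str, str, str]]:
    """Minimal reader for git's INI-like config. Returns (section, key, value)
    triples; duplicates are kept because git allows multi-valued keys."""
    entries: list[tuple[str, str, str]] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if m := SECTION_RE.match(line):
            name, sub = m.group(1).lower(), m.group(2)
            section = name if sub is None else f"{name}.{sub}"
            continue
        if m := KEY_RE.match(line):
            entries.append((section, m.group(1).lower(), m.group(2).strip()))
    return entries


def redact(secret: str) -> str:
    """Keep only a short prefix so the report cannot itself leak the credential."""
    return secret[:4] + "..." if len(secret) > 4 else "..."


def decode_basic(blob: str) -> str | None:
    """Decode an HTTP Basic credential blob into 'user:<redacted secret>'."""
    try:
        user, _, secret = base64.b64decode(blob, validate=True).decode("utf-8").partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return f"{user}:{redact(secret)}"


def find_credentials(config_text: str) -> list[dict[str, str]]:
    """Flag the two ways credentials commonly end up inside .git/config."""
    findings: list[dict[str, str]] = []
    for section, key, value in parse_git_config(config_text):
        location = f"{section}.{key}"
        # 1) userinfo embedded in a remote URL: https://user:token@host/org/repo.git
        if key in ("url", "pushurl"):
            parts = urlsplit(value)
            if parts.username or parts.password:
                findings.append({"location": location, "kind": "url-userinfo",
                                 "evidence": f"{parts.username or ''}:{redact(parts.password or '')}"})
        # 2) a persisted Authorization header, e.g. what actions/checkout writes
        #    under [http "https://github.com/"] when persist-credentials is on
        elif key == "extraheader" and value.lower().startswith("authorization:"):
            fields = value.split(None, 2)  # ["AUTHORIZATION:", "basic", "<base64>"]
            scheme = fields[1].lower() if len(fields) > 1 else "unknown"
            evidence = decode_basic(fields[2]) if scheme == "basic" and len(fields) == 3 else None
            findings.append({"location": location, "kind": f"extraheader-{scheme}",
                             "evidence": evidence or redact(fields[-1])})
    return findings


# Constructed sample: one remote with an embedded token, one clean SSH remote,
# and the header layout actions/checkout persists (the token values are made up).
_BASIC = base64.b64encode(b"x-access-token:ghs_CONSTRUCTED").decode("ascii")
SAMPLE_GIT_CONFIG = f"""\
[core]
\trepositoryformatversion = 0
[remote "origin"]
\turl = https://deploy:ghp_CONSTRUCTEDTOKEN0000@github.com/example-org/app.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
[remote "mirror"]
\turl = git@gitlab.example.com:example-org/app.git
[http "https://github.com/"]
\textraheader = AUTHORIZATION: basic {_BASIC}
"""

if __name__ == "__main__":
    for finding in find_credentials(SAMPLE_GIT_CONFIG):
        print(f"{finding['kind']:18} {finding['location']}: {finding['evidence']}")
```

Run it over `.git/config` in whatever is about to be uploaded as an artifact, or over any config file pulled from a web root, and treat either finding kind as a credential to rotate rather than a file to delete: the exposure has usually already happened by the time the scanner sees it.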
Things to watch!
I am trying desperately to make time to watch some of these recordings. If you get the chance, shoot me an email telling me your favorites!
Until Next Time! 👋
Hey, you made it to the bottom – thanks for sticking around!
Questions, ideas, or want to chat? Slide into my inbox! 💌
Don’t hesitate to forward if someone could benefit from this.
See you next Monday!
-Kyle
P.S. CramHacks has a Supporter tier! You can upgrade here to support CramHacks and its free weekly content 😃.