CramHacks Chronicles #63: Weekly Cybersecurity Newsletter!

Hi there! I hope your week is going well so far.

Even though I’m currently unemployed, I don’t think I’ve ever worked this hard. Seeing how much I can achieve when I focus solely on what excites me has been amazing. Behind the scenes, I’m creating a free course on software supply chain security, focusing on package security. I’ll open it up to external contributors once the foundation is there!

Newsletter

Linpeas[.]sh Hosting Malicious Fork
If you’ve ever done offensive security in a Linux environment, you’ve likely heard of or used linPEAS. Someone has purchased the domain linpeas[.]sh, which hosts a linPEAS release but with a sneaky line that sends data like hostname, username, kernel details, pwd, and env variables to a third-party server.

👋 The GitHub source code does not contain this enumeration/exfiltration, and linPEAS maintainer Carlos Polop has stated that he does not own the domain.

Ecosyste.ms
Combines data from package registries, repositories, vulnerability databases, containers, and operating systems, publishing it publicly with APIs for researchers, policymakers, developers, and funders to identify critical projects needing support.

👋 AFAIK this is the most comprehensive dataset for open-source projects. It’s not new, but I recently used it and figured it deserved a mention!

A Labeled Dataset Targeting Simulated Open-Source Package Execution
Zhuoran Tan, Christos Anagnostopoulos, and Jeremy Singer from the University of Glasgow have labeled a dataset of 9,461 OSS packages (1,962 malicious packages) with verified information and detailed sub-labels for attack types. To do so, they leveraged OpenSSF’s malicious-packages repository and OpenSSF’s Package-Analysis dataset to simulate package execution.

👋 This dataset is intended for training machine learning models to detect malicious behaviors, identify vulnerabilities, and enhance OSS security.

Arch Linux: Add RFC for upstream package source handling [Open]
The proposed Arch Linux RFC seeks to provide clear guidelines on best practices when handling upstream sources and enhance package security by defaulting to transparent and cryptographically verifiable upstream sources.

Falling Stars: Combatting Starjacking
Checkmarx’s Eugene Rojavski shares findings from researching more than 20 package repositories and their current state regarding Starjacking.

👋 In 2022, Checkmarx reported that 3.03% of PyPI packages had a non-unique Git reference. Today, PyPI only displays GitHub statistics in the verified details section, which appears exclusively for packages uploaded via a Trusted Publisher.

“Gitting” the Malware: How Threat Actors Use GH Repos to Deploy Malware
Crowdstrike’s MDR Team discloses how threat actors abuse misconfigured GitHub Repository wikis in popular repositories to redirect users to downloading malware hosted by an unknown GitHub account. When enabling Wikis in a repository’s features, there’s a separate checkbox for “restrict editing to collaborators only.”

👋 The most popular repository abused has over 140,000 stars 🤯.

2024 CWE Top 25 Most Dangerous Software Weaknesses
At a glance, I’m counting six memory-related CWEs in the top 25. Looking at KEV CVEs, I counted 31 CVEs for memory-related CWEs out of 79 (39.2%).

Google: Leveling Up Fuzzing: Finding more vulnerabilities with AI
Oliver Chang, Dongge Liu, and Jonathan Metzman from the Google Open Source Security Team detail how they’ve been leveling up fuzzing using AI. These enhancements have directly led to the discovery of 26 new vulnerabilities.

👋 Leveraging AI, they’ve grown coverage to 272 C/C++ projects on OSS-FUZZ, adding 370K+ lines of new code coverage.

A Comprehensive Guide to Python Project Management and Packaging
Currently, a two-part series covering everything you’d ever want to know and more about Python project management and packaging. If you enjoy this, please reach out because you are my people 🤣.

Until Next Time! 👋

Hey, you made it to the bottom – thanks for sticking around!

Questions, ideas, or want to chat? Slide into my inbox! 💌

Don’t hesitate to forward if someone could benefit from this.

See you next Monday!
-Kyle

P.S. CramHacks has a Supporter tier! You can upgrade here to support CramHacks and its free weekly content 😃.