CramHacks Chronicles #64: Weekly Cybersecurity Newsletter!
@solana/web3.js Breach, Census III Insights, Encrypted Apps Warning, Dependency Confusion Challenges, Redis Crate Controversy, WordPress Auth Flaw
Hi there! I hope you're having a great week so far. For those in the United States, I hope you had a wonderful Thanksgiving 🦃.
@solana/web3.js: Modified malicious package published to npm
The @solana/web3.js package, downloaded 400,000+ times weekly, was compromised via a publish-access account. The compromised release contains malicious code that steals private keys and funds.
👋 Supply chain attacks LOVE crypto.
U.S. officials urge Americans to use encrypted apps
Given ongoing investigations regarding a Chinese hack of telecommunications companies (AT&T, Verizon, & Lumen), U.S. officials have recommended using encrypted messaging apps.
👋 This whole thing is pretty wild. The data believed to be abused includes Call Records, Live Phone Calls, and CALEA Systems.
Census III of Free and Open Source Software
The report aggregates data from over 12 million observations of FOSS libraries across 10,000 companies, utilizing insights from SCA tools like FOSSA, Snyk, Sonatype, and Black Duck to identify the most widely used application-level FOSS packages and provide actionable insights for improving security and resource prioritization.
pip-clean: identify unused software dependencies
A tool I’m working on as part of my research on unused software dependencies in the Python ecosystem. It analyzes your project’s manifest file (like Pipfile or requirements.txt) and compares it with actual imports in your codebase.
👋 I’m making progress in detecting when a package is used and correlating distribution and package names (e.g., PyYAML gets imported as ‘yaml’).
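As an added illustration of the manifest-versus-imports comparison described above (example code, not pip-clean's own), including the PyYAML/yaml naming mismatch: the distribution-to-module map, the sample requirements text and the sample source files are all constructed for this example.

```python
import ast
import re

# Constructed map from normalized distribution name to the top-level module(s) it
# installs, for the cases where the two differ. A real tool would build this from
# installed metadata (importlib.metadata.packages_distributions() on Python 3.10+).
DIST_TO_MODULES = {"pyyaml": {"yaml"}, "pillow": {"PIL"}, "beautifulsoup4": {"bs4"}}

def normalize(name: str) -> str:
    """PEP 503 name normalization: lowercase, runs of '-', '_' or '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_requirements(text: str) -> list[str]:
    """Normalized distribution names from requirements.txt text; comments, blank
    lines, pip options, version specifiers, extras and markers are dropped."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if m:
            names.append(normalize(m.group(0)))
    return names

def imported_modules(source: str) -> set[str]:
    """Top-level module names actually imported. Walking the AST (not grepping)
    means a module named in a string or comment is not mistaken for a use."""
    mods = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            mods.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            mods.add(node.module.split(".")[0])  # relative imports are skipped
    return mods

def unused_dependencies(requirements: str, sources: list[str]) -> list[str]:
    """Manifest entries that none of the source files import, in manifest order."""
    used = {m.lower() for src in sources for m in imported_modules(src)}
    unused = []
    for dist in parse_requirements(requirements):
        modules = DIST_TO_MODULES.get(dist, {dist.replace("-", "_")})
        if not {m.lower() for m in modules} & used:
            unused.append(dist)
    return unused

# Constructed sample manifest and source files for the example.
REQUIREMENTS = "PyYAML==6.0.1\nrequests>=2.31  # HTTP client\nsix\nPillow\n"
SOURCES = ["import yaml\nimport requests.adapters\n",
           "from PIL.Image import open\nNOTE = 'six is only mentioned in a string'\n"]
```

Calling `unused_dependencies(REQUIREMENTS, SOURCES)` reports only `six`; a naive name comparison would also have flagged PyYAML and Pillow.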
Dependency Confusion Attacks
Paul McCarty recently commented, “bug bounty researchers are flooding npm and pypi with malicious packages trying to recreate dependency confusion on public and private programs. It's become a real problem!”
👋 On that same note, creating placeholder packages has been the recommended mitigation for dependency confusion and typosquatting. Finding a unique package name will soon be as tricky as creating a new Gmail username. Do you think these vectors should qualify for a bounty?
CNCF: Catalog of Supply Chain Compromises
The Cloud Native Computing Foundation (CNCF) hosts a catalog of supply chain compromises, detailing a summary, their impact, type of compromise, and references.
WordPress: “Really Simple Security” Auth Bypass
More than 4M WordPress sites use the “Really Simple Security” plugin, which was recently assigned CVE-2024-10924: a trivial authentication bypass when MFA is enabled through the plugin. Versions 9.0.0 through 9.1.1.1 are affected.
redis-rs: Future Crate Maintenance and Redis Inc. Relationship
The controller of the open-source redis-rs crate has announced that Redis Inc. expressed concerns over the crate's current state, suggesting options like a commercial buy-out, renaming due to trademark issues, or continued maintenance under Redis Inc.'s governance.
👋 Redis doesn’t have the greatest reputation in the OSS community (RIP Redis: How Garantia Data pulled off the biggest heist in open source history). This, indeed, isn’t helping.
Until Next Time! 👋
Hey, you made it to the bottom – thanks for sticking around!
Questions, ideas, or want to chat? Slide into my inbox! 💌
Don’t hesitate to forward if someone could benefit from this.
See you next Monday!
-Kyle
P.S. CramHacks has a Supporter tier! You can upgrade here to support CramHacks and its free weekly content 😃.