CramHacks Chronicles #65: Weekly Cybersecurity Newsletter!
'What sucks in security,' Tool sprawl woes, Vanir’s patch validation, Ultralytics compromised, and supply chain security annual reports!
Hello! I hope you’re having a great week thus far 🙂.
This week, many annual reports are being released, and as a data enthusiast, I’ve covered a few in this issue. While these reports are packed with insights, it’s worth noting they often serve marketing purposes. I’ve shared my thoughts and flagged some of the more questionable claims below.
What sucks in security? Research findings from 50+ security leaders
Maya Kaczorowski asked 57 security leaders, “What sucks in security?” and identified their top 3 security issues: access management, vulnerability management, and SaaS logs.
👋 Maya has an impressive track record of working on the “next” thing. These insights are invaluable for folks looking to do similar.
Google’s Vanir: Open-source Security Patch Validation
Introduced at Android Bootcamp in April, Vanir generates signatures for security advisory patches and leverages static analysis to identify missing patches in your project’s source code.
👋 Noteworthy: It’s currently used for Android, but Google hopes it can be used for other targets. The next steps section mentions potentially using Vanir for problems like C/C++ dependency management 😎.
The Ultralytics workflow vulnerability
William Woodruff, the creator of Zizmor (a static analysis tool for GitHub Actions), breaks down how a malicious actor abused “pull_request_target” in a GitHub workflow to obtain code execution, exfiltrate a cache token, poison the pip cache used by setup-python, and inject malicious changes into the release distributions.
👋 Some inferences are made, but the article provides details to support them! Notably, Ultralytics uses trusted publishing for PyPI releases. Seth Larson from the Python Software Foundation shares what went right and what can be improved.
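The root of the chain above is a workflow that runs on the privileged pull_request_target trigger (base-repo secrets and a write-capable token are available) while checking out and then executing the untrusted PR head. The scanner below is an added example for this issue, not code from the write-up, from Ultralytics, or from zizmor: it is a deliberately simple line-based heuristic (no YAML parser), run over two constructed workflow files, that flags a pull_request_target workflow which checks out the PR head and then runs a step on that checkout. Function and variable names are my own.

```python
"""
Heuristic check for the "pull_request_target + untrusted checkout" pattern.
Added example (not from the CramHacks post or zizmor); the sample workflows
below are constructed for illustration.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    line: int      # 1-based line number in the workflow file
    message: str


# Expressions that, used as `ref:` for actions/checkout, resolve to the
# untrusted pull request head rather than the base branch.
HEAD_REF_MARKERS = (
    "github.event.pull_request.head.ref",
    "github.event.pull_request.head.sha",
    "github.head_ref",
)


def scan_workflow(text: str) -> list[Finding]:
    """Return findings for a pull_request_target workflow that checks out and
    executes the PR head. Line-based heuristic, not a full YAML/GHA parser."""
    lines = text.splitlines()
    findings: list[Finding] = []
    # Plain `pull_request` runs fork PRs with a read-only token and no
    # secrets, so the dangerous combination needs pull_request_target.
    if not re.search(r"\bpull_request_target\b", text):
        return findings
    checked_out_head = False
    for no, ln in enumerate(lines, start=1):
        s = ln.strip()
        if s.startswith("ref:") and any(m in s for m in HEAD_REF_MARKERS):
            checked_out_head = True
            findings.append(Finding(
                no, "checks out the untrusted PR head under pull_request_target"))
        elif checked_out_head and s.startswith(("run:", "- run:")):
            # Anything in the checkout (setup.py, scripts, config hooks) now
            # executes with the repository's secrets in the environment.
            findings.append(Finding(
                no, "executes a step after the untrusted checkout; "
                    "repo contents run with secrets available"))
    return findings


# Constructed sample: privileged trigger + PR-head checkout + execution.
VULNERABLE_WORKFLOW = """name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/setup-python@v5
        with:
          cache: pip
      - run: pip install -e .
"""

# Constructed sample: same steps on the unprivileged pull_request trigger.
HARDENED_WORKFLOW = """name: ci
on:
  pull_request:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          cache: pip
      - run: pip install -e .
"""


if __name__ == "__main__":
    for name, wf in (("vulnerable", VULNERABLE_WORKFLOW),
                     ("hardened", HARDENED_WORKFLOW)):
        print(f"{name}:")
        for f in scan_workflow(wf) or [Finding(0, "no findings")]:
            print(f"  line {f.line}: {f.message}")
```

The hardened variant keeps the same build steps and only moves them to `pull_request`, where fork PRs get a read-only GITHUB_TOKEN and no secrets; a workflow that genuinely needs write access for PRs (labelling, commenting) should keep pull_request_target but never check out or execute the PR head, leaving privileged work to a separate workflow_run job.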
Supply-Chain Firewall: Preventing Malicious Open Source Packages
Datadog’s Ian Kretz announces the open-source supply-chain-firewall project that essentially wraps pip and npm to prevent installing malicious packages (based on osv.dev and Datadog’s malicious packages datasets).
Annual Reports
Cycode: The State of ASPM 2025
Insights include GenAI exacerbating the unmanageable attack surface, tool sprawl, blindspots, code volume, leaders losing track of budgets, compliance changing AppSec, security and developer relations, and more.
👋 Tool sprawl is a massive issue; 73% of respondents report using 81-100 security tools across their security and developer teams. Meanwhile, 77% admit their organization does not fully understand where their annual budget is spent. Maybe we need a security tooling budget startup; are there any interested investors? 😆
The OpenSSF 2024 Annual Report
Highlights of OpenSSF’s 2024 achievements via its 37 technical initiatives spread across eight working groups. One highlight was that nearly 63,000 unique GitHub projects were using Sigstore to sign artifacts and attestations at the time of writing. I am excited to see where this number is next year.
Snyk: 2024 State of Open Source Security
👋 Honestly, something doesn’t feel right about this report. It doesn’t mention how many respondents there were or whether they are Snyk customers. This is important when making statements like “Slowing progress in OSS security efforts and signs of AppSec exhaustion” and “Supply Chain Security Remains Immature.” It’s worth a read, but I don’t trust that I interpret the data correctly.
Sonatype: 2024 in Open Source Malware
Since tracking began in 2019, Sonatype has identified nearly 780K pieces of open-source “malware,” of which 98.5% are for npm. 🤔
👋 The messages are very explicit, but the details suggest a serious lack of confidence. 64.75% are considered “potentially unwanted applications”; the report states, “While a PUA may not seem outright malicious, they could contain spyware, adware, or tracking components.” Hence, I’ve placed malware in quotes 😁.
Until Next Time! 👋
Hey, you made it to the bottom – thanks for sticking around!
Questions, ideas, or want to chat? Slide into my inbox! 💌
Don’t hesitate to forward if someone could benefit from this.
See you next Monday!
-Kyle
P.S. CramHacks has a Supporter tier! You can upgrade here to support CramHacks and its free weekly content 😃.