CramHacks Chronicles #67: Weekly Cybersecurity Newsletter!

Happy New Year🥂🎊! I hesitated about releasing a newsletter today, but I’m trying to get back into my routine, so I figured, why not? However, this week will be a bit light as I haven’t been following the industry as closely as I usually am 🙂.

In addition to the weekly newsletter, Cramhacks released nine blogs in 2024; here they are sorted by popularity:

Dirty Little Secrets of Vulnerability Management

Vulnerability Databases: Is China's CNNVD Superior to the US NVD?

Beyond the CVE: Analyzing the Depth of GitHub Security Advisories

The Bug Bounty Gold Mine: AI/ML third-party packages

Stop F@#!ing (Forking) Your Dependencies

Why I Signed: An Open Letter to Congress on the NVD

Stop Detecting, Start Fixing: Dependency Upgrades as the Real Solution

Are Automated PRs Closing the Gap in Dependency Updates?

From Penetration Testing to Security Research and Beyond

Newsletter

Microsoft: (Critical) .NET Install links are changing
Subdomains ending in inazureedge[.]net will no longer host .NET builds as of early 2025. Despite Microsoft using these domains for many years, they are hosted by edg.io, which is closing its doors due to bankruptcy.

👋 I have to assume there is some business justification for using domains owned by a third party, but I’m having trouble agreeing with this.

The OSS Podcast: The Future of Open Source Security
Josh and Kurt have decided to end the OSS Podcast. However, they are not giving up open-source security cold turkey; check out the link for their plans. I’m very grateful for Josh, Kurt, and the podcasts, which have been tremendously helpful in learning the history of the space.

hackers hijacked more than 35 Google Chrome extensions
Chrome extension developers were targeted by a phishing campaign impersonating Google, claiming that they needed to update their extension metadata. The email contains a link that redirects to a malicious OAuth application that, once authenticated, grants permissions to manage the users’ Chrome Web Store extensions.

👋 OAuth permissions have struck again! This is a growing concern, so try to stay ahead of the curve.

Cacheract: The Monster in your Build Cache
Following the recent ultralytics PyPI package compromise, which abused cache poisoning, Adnan Khan released this blog post detailing how he achieved cache-native malware in GitHub Actions build pipelines.

👋 He also released the tool for red teamers to demonstrate the impact of insecure GitHub Actions CI/CD caching configurations on their assessments. GitHub

Until Next Time! 👋

Hey, you made it to the bottom – thanks for sticking around!

Questions, ideas, or want to chat? Slide into my inbox! 💌

Don’t hesitate to forward if someone could benefit from this.

See you next Monday!
-Kyle

P.S. CramHacks has a Supporter tier! You can upgrade here to support CramHacks and its free weekly content 😃.