CramHacks Chronicles #68: Weekly Cybersecurity Newsletter!
Veracode Acquires Phylum, AWS RCE Vulnerabilities, Elastic CVE Reduction, 2024 CVE Review, PyPI Quarantine, Bundler Checksums, Python Malware Detection
Hello, I hope you’re having a great week thus far!
I’ve been living it up lately. While I’m incredibly excited about my new role, I’ll surely enjoy my last few weeks of unemployment 😃.
🙏 My thoughts are with everyone in the LA area affected by the ongoing wildfires. I hope you all stay safe!
Veracode Acquires Phylum, Inc. Technology
👋 Previous newsletters have covered Phylum’s research on malicious software packages. On Monday, Veracode announced the acquisition. Kudos to Phylum for all their great work, and I wish you the best in your future endeavors!
AWS introduced same RCE vulnerability three times in four years
Giraffe Security (yet again) proves that using pip install --extra-index-url= is risky when you do not also own the package name on PyPI, especially if you’re AWS and publicly disclose which dependencies are being installed from the alternative (non-PyPI) package registry.
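To make the failure mode concrete, here is an added example (not from the Giraffe Security write-up or AWS) that simulates how pip merges candidates from --index-url and --extra-index-url into one pool and installs the highest version, plus a defender-side audit that flags internal package names that are shadowed or unclaimed on PyPI. The index contents and package names are constructed for the demo.

```python
# Constructed sample data: which versions each index advertises per package name.
PRIVATE_INDEX = {
    "acme-internal-utils": ["1.4.0", "1.5.0"],
    "acme-auth": ["0.9.2"],
    "requests": [],  # not hosted privately; expected to come from PyPI
}
PUBLIC_INDEX = {
    "acme-internal-utils": ["99.0.0"],  # constructed: the name was claimed on PyPI
    "acme-auth": [],                     # constructed: still unclaimed on PyPI
    "requests": ["2.32.3"],
}


def version_key(v: str) -> tuple:
    """Order simple dotted versions numerically (a PEP 440 subset, for the demo)."""
    return tuple(int(part) for part in v.split("."))


def resolve_like_pip(name: str, private: dict, public: dict) -> tuple:
    """pip does not prefer --index-url over --extra-index-url: it pools every
    candidate from both and picks the highest version, whichever index serves it."""
    pool = [(v, "private") for v in private.get(name, [])]
    pool += [(v, "public") for v in public.get(name, [])]
    if not pool:
        raise LookupError(f"{name}: no candidates on either index")
    version, source = max(pool, key=lambda cand: version_key(cand[0]))
    return version, source


def audit_private_packages(private: dict, public: dict) -> dict:
    """Defender check: for every package that should come from the private index,
    report whether PyPI would win the resolution, or whether the name is unclaimed."""
    findings = {}
    for name, versions in private.items():
        if not versions:
            continue  # not an internal package, nothing to protect
        version, source = resolve_like_pip(name, private, public)
        newest_private = max(versions, key=version_key)
        if source == "public":
            findings[name] = f"SHADOWED: PyPI {version} beats private {newest_private}"
        elif not public.get(name):
            findings[name] = "UNCLAIMED on PyPI: reserve the name or drop --extra-index-url"
        else:
            findings[name] = f"ok: private {version} wins"
    return findings


if __name__ == "__main__":
    for pkg, verdict in audit_private_packages(PRIVATE_INDEX, PUBLIC_INDEX).items():
        print(f"{pkg}: {verdict}")
```

The robust fix is to serve a single --index-url that proxies PyPI and owns the internal names, and to pin with hashes so a surprise upstream version fails the install instead of winning it.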
Elastic: Reducing CVEs in Elastic container images
Elastic’s Maxime Greau shares how they reduce CVE counts by using Chainguard images, verifying signatures with cosign, and automating the maintenance of software dependencies via Renovate. Note that these Wolfi-based images are not the default, primarily to avoid breaking user environments that rely on Ubuntu packages.
👋 I was curious how RapidFort’s community images compare, since they would not require adapting to Wolfi OS. Their latest Elasticsearch image is for v7.17.26 and reduces the vulnerability count from 34 to 16 (per their report). They also offer a curated image (paid) for v8.16.1 with zero reported vulnerabilities.
2024 CVE Data Review
Jerry Gamblin released his annual CVE Program report, which contained many interesting data points. According to the report, more than 40,000 CVEs were published in 2024 (up from 28,818 in 2023). Of these, 231 received a perfect 10.0 CVSS score, 6,227 were assigned CWE-79 (cross-site scripting), and 6,292 were assigned no CWE.
PyPI Project Quarantine
Mike Fiedler (AKA MikeTheMan) details PyPI’s quarantine feature, which prevents users from installing suspicious packages before deciding whether to remove them or make them public again. This allows the maintainer time to make needed fixes. This feature also opens the door for future automation, reducing the time a malicious package persists on the registry.
Why Bundler Checksums Are a Game-Changer for Your Applications
Maciej Mensfeld highlights the support for checksums in the latest version of RubyGems’ Bundler (2.6.2). The article also discusses two prominent attacks that illustrate why this feature matters.
👋 At first, I was stunned that RubyGems had taken this long to catch up, and maybe I still am. But it’s a matter of perspective. It’s primarily a community-driven effort, and after reviewing the project’s threads, it’s no wonder it took so long. There’s a ton of work involved—kudos to all those involved.
Detecting Python Malware in the Software Supply Chain with Program Analysis
Researchers from the National University of Singapore and Oracle partnered on this paper detailing HERCULE, an inter-package analysis tool to detect malicious packages in the Python ecosystem. The tool leverages three primary strategies to detect malware:
- assessing the integrity of a distributed package in relation to its source code repository through AST differential analysis,
- dataflow analysis using CodeQL to identify suspicious data flows, and
- analysis of transitive dependencies to detect packages that import other identified malicious packages as dependencies.
👋 I may share more about this next week, as I haven’t had time to digest the benchmark results and edge cases. The MIT-licensed source code is available here.
Until Next Time! 👋
Hey, you made it to the bottom – thanks for sticking around!
Questions, ideas, or want to chat? Slide into my inbox! 💌
Don’t hesitate to forward if someone could benefit from this.
See you next Monday!
-Kyle
P.S. CramHacks has a Supporter tier! You can upgrade here to support CramHacks and its free weekly content 😃.