CramHacks Chronicles #69: Weekly Cybersecurity Newsletter!

Exploring OSS Vulnerabilities, Google’s OSV Growth, GitHub Actions Security, Snyk's Controversy, CNCF Fuzzing Insights, and More

Hey all! I’ve been struggling lately with screen time, regularly exceeding 6+ hours daily on my mobile device alone. If anyone has suggestions, don’t be shy 🙂.

I’ve blocked off focus time on my calendar when I’m not allowing myself to use technology—in the morning and before bed. Today is day two, and sheesh, it is hard not to grab my phone first thing in the morning.

🌟 Boost Your Brand Recognition with CramHacks! 🌟

Are you looking to enhance your brand visibility while supporting a free weekly newsletter? CramHacks is seeking organizations in the software supply chain security (or adjacent) space to partner with us.

📩 Interested? Reach out to learn more about advertising opportunities!

Newsletter

Google’s OSV: The Year in Review
The OSV team has released a summary of OSV’s growth in 2024 and its plans for 2025. Highlights include adoption of the OSV Schema by four more Linux distributions (Ubuntu, Chainguard, Red Hat, and SUSE/openSUSE), bringing the total to 30 supported ecosystems.

We only know the affected functions for less than 1% of OSS vulnerabilities
👋 This is the latest CramHacks blog post! I delve into the publicly available datasets (OSV, GHSA, RustSec, and GoVuln) containing affected functions for OSS vulnerabilities. This is the key for SCA providers to offer reachability analysis.

How to secure your GitHub Actions workflows with CodeQL
Alvaro Munoz details how GitHub disclosed over 90 vulnerabilities in 75 GitHub Actions workflows belonging to open source projects. As of December, CodeQL supports GitHub Actions workflows, and new query packs have been released for improved detection. The post also covers the CodeQL improvements needed to scan workflows effectively, such as a better AST-level representation of GitHub workflow syntax and taint-tracking support.

Snyk deploys malicious packages targeting Cursor
Paul McCarty discovered and disclosed malicious npm packages suspected of targeting Cursor with a dependency confusion attack. To the community’s surprise, Paul revealed that the threat actor in this case is Snyk! Danny Allan, Snyk's CTO, publicly responded, not apologizing but doubling down and suggesting that there will be more to come.

👋 I understand this is a gray area to some, but there’s no reason to target environment variables for exfiltration. Although this could also get you in trouble, I don’t think the community would be responding as harshly if they exfiltrated a hostname instead.

Fuzzing the CNCF landscape in 2024
CNCF and Ada Logics recap the impact of the CNCF Fuzzing Audits in 2024. Three audits were completed, and a fourth is in progress. The audited projects were Lima, Keycloak, and OpenTelemetry Collector. Many CNCF projects’ fuzzing suites run continuously via OSS-Fuzz, which found roughly 10 bugs per month in the relevant projects.

Rsync vulnerabilities allow remote code execution
The newest version of rsync, v3.4.0, fixes six vulnerabilities. AlmaLinux OS Foundation, Arch Linux, Gentoo Linux, NixOS, Red Hat, SUSE Linux, and Triton Data Center are confirmed to ship affected versions.

“The first two vulnerabilities (heap buffer overflow and information leak) allow a client to execute arbitrary code on a device that has an Rsync server running. The client requires only anonymous read-access to the server, such as public mirrors. Additionally, attackers can take control of a malicious server and read/write arbitrary files of any connected client. Sensitive data, such as SSH keys, can be extracted, and malicious code can be executed by overwriting files such as ~/.bashrc or ~/.popt.”

👋 Linux mirrors are outside my expertise, but, IIRC, those like Arch rely on public mirrors running rsync for distribution 😬.
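A quick triage check to go with the rsync item above, added here as an example; it is not code from the rsync project, the advisory, or the newsletter. It parses the first line of `rsync --version` and compares the reported version against 3.4.0, the first upstream release with all six fixes. The two banner strings are constructed samples, not captures from real hosts. Two caveats a practitioner should keep in mind: distributions routinely backport fixes without changing the upstream version string, so a result below 3.4.0 means "read your distro's advisory", not "confirmed vulnerable"; and the hosts to check first are the ones exposing an rsync daemon to anonymous clients (public mirrors), since that is the only access the worst-case bug needs.

```shell
#!/bin/sh
# Added example, not code from the rsync project or the advisory.
# Parses `rsync --version` output and reports whether the upstream version is
# at or above 3.4.0. Caveat: distros backport fixes without bumping the version
# string, so "check-distro-advisory" is a prompt to verify, not a verdict.

# Pull "X.Y.Z" out of a banner line such as
#   "rsync  version 3.2.7  protocol version 31"
# An optional leading "v" and any trailing suffix (e.g. "dev") are ignored.
rsync_banner_version() {
    printf '%s\n' "$1" |
        sed -n 's/^rsync[[:space:]]*version[[:space:]]*v\{0,1\}\([0-9][0-9.]*\).*/\1/p'
}

# Compare dotted numeric versions in pure POSIX sh: returns 0 if $1 >= $2.
# Missing components count as 0, so "3.4" compares equal to "3.4.0".
version_ge() {
    a="$1"
    b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah=${a%%.*}
        if [ "$ah" = "$a" ]; then a=""; else a=${a#*.}; fi
        bh=${b%%.*}
        if [ "$bh" = "$b" ]; then b=""; else b=${b#*.}; fi
        ah=${ah:-0}
        bh=${bh:-0}
        if [ "$ah" -gt "$bh" ]; then return 0; fi
        if [ "$ah" -lt "$bh" ]; then return 1; fi
    done
    return 0
}

# First upstream release carrying all six fixes, per the rsync 3.4.0 release.
RSYNC_FIXED_VERSION=3.4.0

# Returns 0 if the given version string is >= 3.4.0, 1 otherwise.
rsync_is_fixed_upstream() {
    version_ge "$1" "$RSYNC_FIXED_VERSION"
}

# Classify a banner line: "fixed", "check-distro-advisory", or "unknown" when
# the line is not an rsync version banner at all.
rsync_status_from_banner() {
    ver=$(rsync_banner_version "$1")
    if [ -z "$ver" ]; then
        echo unknown
    elif rsync_is_fixed_upstream "$ver"; then
        echo fixed
    else
        echo check-distro-advisory
    fi
}

# Constructed sample banners (not captured from real hosts).
SAMPLE_OLD="rsync  version 3.2.7  protocol version 31"
SAMPLE_NEW="rsync  version 3.4.0  protocol version 32"

# Run against the local binary when one is installed; skipped otherwise.
if command -v rsync >/dev/null 2>&1; then
    banner=$(rsync --version 2>/dev/null | head -n 1)
    echo "local rsync: $(rsync_banner_version "$banner") -> $(rsync_status_from_banner "$banner")"
fi
```

To sweep a fleet, feed each host's `rsync --version | head -n 1` line into `rsync_status_from_banner` and treat every "check-distro-advisory" result as a ticket to resolve against the vendor's CVE page, not as a pass or fail on its own.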

pnpm Introduces Default Block on Lifecycle Scripts
As of pnpm v10, the lifecycle scripts (preinstall, install, postinstall) of dependencies are no longer executed during installation by default. To allow a specific dependency’s scripts to run, list that package in the project’s package.json under the pnpm.onlyBuiltDependencies field; anything not on that allowlist is installed without running its scripts.
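As an added illustration, not taken from the pnpm PR or its documentation, here is what that allowlist looks like in a project’s package.json. esbuild is a realistic entry because its postinstall step fetches the platform-specific binary, so it genuinely needs to run; left-pad stands in for an ordinary dependency whose scripts you have no reason to trust and therefore leave off the list. The package name "example-app" and the version ranges are placeholders.

```json
{
  "name": "example-app",
  "private": true,
  "dependencies": {
    "esbuild": "^0.24.0",
    "left-pad": "^1.3.0"
  },
  "pnpm": {
    "onlyBuiltDependencies": [
      "esbuild"
    ]
  }
}
```

The allowlist is by package name, so it covers whatever version resolves; review it whenever a listed package changes maintainers or publishes an unexpected release, since you are explicitly granting that package code execution at install time. Recent pnpm 10 releases also provide an interactive `pnpm approve-builds` command that populates this field after showing you which dependencies had scripts skipped.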

👋 The official PR discusses this further. This seems like a no-brainer, and I'm glad to see it implemented!

Until Next Time! 👋

Hey, you made it to the bottom – thanks for sticking around!

Questions, ideas, or want to chat? Slide into my inbox! 💌

Don’t hesitate to forward if someone could benefit from this.

See you next Monday!
-Kyle

P.S. CramHacks has a Supporter tier! You can upgrade here to support CramHacks and its free weekly content 😃.