CramHacks Chronicles #72: Weekly Cybersecurity Newsletter!

Happy Monday, all!

Some of you have pointed out that this newsletter is sent on Wednesday, AKA the third Monday of the week. The TL;DR is that I’ve been known to say “Happy Monday” every day, just for lols.

At first, it was for irony, given that everyone says “Happy Friday” and then makes dreadful comments about Monday. But I figure if I’m going to advocate for Mondays, we need to celebrate every day 😎.

Newsletter 

OPA Gatekeeper Bypass Reveals Risks in Kubernetes Policy Engines
Aqua demonstrates how a missing trailing slash led to a k8sallowedrepos policy bypass. The Rego function used for the constraints repo parameter performed prefix matching. Therefore, without a trailing slash, the constraint would not apply to unapproved repositories that shared the specified prefix.

Importing Phantoms: Measuring LLM Package Hallucination Vulnerabilities
👋 This will not surprise those who have used AI to write code, but it’s always nice to have data!

Faster pip installs: caching, bytecode compilation, and uv
Itamar Turner-Trauring compares pip and uv performance and points out that, unlike pip, uv does not enable bytecode compilation by default. Points mentioned for why uv is faster are:

1. It is written in Rust, a faster language than Python.

2. Downloads packages in parallel.

3. Takes advantage of multiple CPUs.

4. Disables the bytecode compilation by default, having it be opt-in as opposed to pip’s opt-out.

Reviving Abandoned S3 Buckets: 8 million requests in 2 months
WatchTowr details the dumpster fire that occurs when registering ~150 abandoned Amazon S3 buckets. Within two months, these registered buckets received more than 8 million requests.

👋 It's pretty wild. Imagine all the IOT devices that will forever contact abandoned S3 buckets looking for firmware updates.

Maven: Central Publisher Portal now validates Sigstore signatures
Sigstore signatures are now validated during artifact publishing on the Central Publisher Portal, with warnings for invalid signatures. PGP signatures remain required and supported. Although Sigstore signatures are currently optional, invalid ones will eventually block deployments, paving the way for future security enhancements like in-toto attestations.

CISA: Contec CMS8000 Contains a Backdoor
CISA analyzed three firmware versions of the Contec CMS8000 patient monitor and found a backdoor with a hard-coded IP address and vulnerabilities that could lead to patient data exposure and remote code execution. Contec Medical Systems is a global medical device and healthcare solutions company headquartered in China.

Navigating Global Regulations and Open Source: US OFAC Sanctions
The Linux Foundation discusses challenges posed by U.S. OFAC sanctions restricting transactions with certain countries and entities and key considerations for open source developers.

PyPI Now Supports Project Archival
PyPI now allows project maintainers to mark their projects as archived, signaling that no further updates or security fixes will be provided.

Go Supply Chain Attack: Exploits Go Module Proxy Caching for Persistence
Socket’s Kirill Boychenko shares how a malicious Go package revealed a persistence technique abusing the Go Module Proxy cache. The attacker cached their malicious package and then rewrote the GitHub tag to erase evidence of the malicious code within the project’s repository.

Until Next Time! 👋

Hey, you made it to the bottom – thanks for sticking around!

Questions, ideas, or want to chat? Slide into my inbox! 💌

Don’t hesitate to forward if someone could benefit from this.

See you next Monday!
-Kyle

P.S. CramHacks has a Supporter tier! You can upgrade here to support CramHacks and its free weekly content 😃.