CramHacks Chronicles #73: Weekly Cybersecurity Newsletter!
The biggest supply-chain attacks in 2024, Top 10 web hacking techniques, whoAMI: A cloud image name confusion attack, Malicious Code & Vulnerabilities
Happy Monday, all!
Dear Software Supply Chain Security,
I’m losing interest in writing these newsletters. It’s not you. It’s me. There’s too much to cover, and thus, I rarely have the time to dig deeper into topics that interest me.
What’s changing? Well, maybe nothing—but don’t be surprised if you get a brain dump every now and then instead of a newsletter with several articles. As an example, I think it’d be neat to look at the 12 supply chain incidents reported by Kaspersky, identify what mitigations are available, and identify where we need to do better as an industry.
Vulnerability-Lookup 2.6.0 Released
The latest version introduces real-time tracking of critical components and an email notification service that sends users information about new and updated vulnerabilities.
👋 The vulnerability-lookup project “facilitates quick correlation of vulnerabilities from various sources, independent of vulnerability IDs, and streamlines the management of Coordinated Vulnerability Disclosure (CVD).” The repository can be found here, and a public instance maintained by Computer Incident Response Center Luxembourg (CIRCL) is available here.
PortSwigger’s Top 10 web hacking techniques of 2024
This top 10 blog covers what the community has determined to be the “most innovative must-read web security research” articles published in the last year. Here are the top 3!
whoAMI: A cloud image name confusion attack
DataDog’s Seth Art details a name confusion attack targeting AWS’s community AMI catalog, dubbed “whoAMI.” Approximately 1% of DataDog’s customers were found to be vulnerable, and other prominent enterprises, including AWS, were also identified as at risk.
👋 In December 2024, AWS released Allowed AMIs, where users can maintain a list of allowed trusted AWS accounts as AMI providers. 2025 is the year we worry about AI taking over the world, while also trying to figure out how to name and catalog things 🙃.
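As an added illustration (not code from the Datadog write-up or from AWS), here is a small model of the two lookup styles the whoAMI finding contrasts: picking the newest image by name alone, versus restricting candidates to an owner allowlist, which is what the Allowed AMIs setting enforces account-wide. The image IDs, account IDs and names are constructed, and `TRUSTED_OWNERS` is a hypothetical allowlist; the dictionaries only mimic the shape of an EC2 DescribeImages response.

```python
# Constructed sample records in the shape of an EC2 DescribeImages response.
# Account IDs, image IDs and names are made up for this illustration.
SAMPLE_IMAGES = [
    {"ImageId": "ami-0aaaaaaaaaaaaaaa1", "OwnerId": "123456789012",
     "Name": "ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-20240101",
     "CreationDate": "2024-01-01T00:00:00.000Z", "Public": True},
    {"ImageId": "ami-0bbbbbbbbbbbbbbb2", "OwnerId": "123456789012",
     "Name": "ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-20240601",
     "CreationDate": "2024-06-01T00:00:00.000Z", "Public": True},
    {"ImageId": "ami-0ccccccccccccccc3", "OwnerId": "999999999999",
     "Name": "ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-20241201",
     "CreationDate": "2024-12-01T00:00:00.000Z", "Public": True},
]

# Hypothetical allowlist standing in for the accounts you would register
# under Allowed AMIs (or pass as an Owners filter in your own lookups).
TRUSTED_OWNERS = frozenset({"123456789012"})

NAME_PREFIX = "ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-"


def select_ami(images, name_prefix, trusted_owners=None):
    """Return the newest image whose Name starts with name_prefix.

    With trusted_owners=None this is the risky pattern: every public image
    with a matching name competes, so the newest match wins regardless of
    who published it. With an allowlist, other owners never become candidates.
    """
    candidates = [img for img in images if img["Name"].startswith(name_prefix)]
    if trusted_owners is not None:
        candidates = [img for img in candidates if img["OwnerId"] in trusted_owners]
    if not candidates:
        return None
    # Fixed-layout ISO-8601 timestamps compare correctly as plain strings.
    return max(candidates, key=lambda img: img["CreationDate"])


def audit(images, name_prefix, trusted_owners):
    """Report whether an unconstrained lookup would resolve to an untrusted owner."""
    loose = select_ami(images, name_prefix)
    strict = select_ami(images, name_prefix, trusted_owners)
    return {
        "unconstrained": loose["ImageId"] if loose else None,
        "constrained": strict["ImageId"] if strict else None,
        "untrusted_would_win": bool(loose) and loose["OwnerId"] not in trusted_owners,
    }
```

Running `audit` over your own name patterns and trusted-owner list is a quick way to find lookups that would drift to an unexpected account before Allowed AMIs is switched on.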
Kaspersky: The biggest supply-chain attacks in 2024
Alanna Titterington briefly summarizes the most prominent supply-chain attacks for each month of 2024.
👋 My team at GitHub owns artifact attestations and is heavily involved with the sigstore project. It's awesome to know that what the team has built and is iterating on plays a major role in mitigating many of the risks abused in these incidents.
OSV Trends: Malicious Code & Vulnerabilities in Software Supply Chains
👋 Interesting data overall! But I was mostly surprised that 2024 wasn’t the peak year for some significant ecosystems. I think we’d all assume PyPI experienced the most malware in 2024—I predict that this is a data collection issue.

Until Next Time! 👋
Hey, you made it to the bottom – thanks for sticking around!
Questions, ideas, or want to chat? Slide into my inbox! 💌
Don’t hesitate to forward if someone could benefit from this.
See you next Monday!
-Kyle
P.S. CramHacks has a Supporter tier! You can upgrade here to support CramHacks and its free weekly content 😃.