
CramHacks Chronicles #74: Weekly Cybersecurity Newsletter!

Quietly load malicious vscode extensions, 2025 Open Source Security and Risk Analysis Report, Mixing up Public and Private Keys in OpenID Connect deployments, Open Source Project Security Baseline

Happy Monday, all! I hope you’re having a great week thus far.

Life update: I've been in my new role for just over a month, and because of it, you’ll probably start seeing more content about supply chain integrity. I’m particularly interested in (trying to) simplify its value in regard to supply chain security and predictions/visions for how all these pieces fit together to solve today’s risks.

If you missed it last week, check out our most recent blog, Lessons Learned from 2024's Supply Chain Attacks 🙂.

Newsletter

Abusing VS Code’s Bootstrapping Feature To Quietly Load Malicious Extensions
Red teamer Cas van Cooten details how to abuse the VS Code “Bootstrapping” feature to install and run malicious extensions silently without triggering the new publisher trust prompt.

👋 As malicious packages grow in complexity, I suspect we’ll see more of a focus on compromising developer tools instead of dropping generic malware. A compromised IDE is certainly of high value.

Black Duck: 2025 Open Source Security and Risk Analysis Report
The report uses data from evaluating anonymized findings from 965 commercial codebases. Seventy percent of the scanned code originated from open source, and applications contained, on average, 911 OSS dependencies. The report also covers insightful risk data, noting that over half of the codebases contained conflicting license data, and 81% contained high- or critical-severity vulnerabilities.

BIDS: Binary Identification of Dependencies with Search
BIDS, an NLNET Foundation-sponsored project, aims to deliver tooling for analyzing ELF binaries and extracting dependency details for indexing and searching. Features include analyzing projects, searching indexed information, and generating SBOMs.

👋 The project is currently at v0.2.0 (pre-major release), but I’m sure there are people out there who need a way to index and query ELF binary dependency information. This might be your new favorite tool!

OpenSSF: Open Source Project Security Baseline
The OpenSSF has published the OSPS Baseline, a set of security criteria organized by project maturity level and category. The level of detail is impressive at first glance, and I see this being very useful, especially thanks to the mappings to external frameworks.

3 Dimensions of Versioning Problem
Pavel Shukhman's blog discusses CalVer and SemVer and their application when assigning or interpreting software versions. It provides a great introductory overview and links to the cold, hard specs. 

👋 I’m scared that I will grow up to be an angry old man who yells at kids to care about versioning.

Mixing up Public and Private Keys in OpenID Connect deployments
Hanno Böck analyzed roughly 13,000 hosts with valid OpenID Connect configurations and corresponding JSON Web Key Sets. Overall, 33 hosts were vulnerable to risks: exposed private keys, 512-bit RSA keys, and using example keys in production.

👋 As Hanno points out, the JSON Web Key Set format allows a private key to work where a public key should be used instead. Since the private key is essentially the public key, but with additional values, this is less than ideal. As a side note, this blog is beautifully written. I don't know. I just really enjoyed reading it, and I learned a good bit!
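The two failure modes described above (private JWK members published alongside the public ones, and undersized RSA moduli) are both visible in the JWKS document itself, so a defender can check their own `jwks_uri` for them. The following is an added example, not code from Hanno Böck's post or from any OpenID Connect project; the private-member lists follow RFC 7518 and RFC 8037, the 2048-bit threshold is an assumed policy value, and the sample JWKS is constructed with placeholder moduli (correct bit length, not real RSA keys).

```python
import base64
import json

# JWK members that only belong in a private key (RFC 7518 sections 6.2.2 and
# 6.3.2, RFC 8037 section 2). Any of these in a published JWKS is a leak.
PRIVATE_MEMBERS = {
    "RSA": {"d", "p", "q", "dp", "dq", "qi", "oth"},
    "EC": {"d"},
    "OKP": {"d"},
}

MIN_RSA_BITS = 2048  # assumed policy threshold; anything below is flagged


def b64url_to_int(value: str) -> int:
    """Decode an unpadded base64url big-endian unsigned integer, as JWK uses."""
    padded = value + "=" * (-len(value) % 4)
    return int.from_bytes(base64.urlsafe_b64decode(padded), "big")


def int_to_b64url(value: int) -> str:
    """Inverse of b64url_to_int; used here only to build the constructed sample."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def audit_jwk(jwk: dict) -> list:
    """Return (kid, finding) tuples for one JWK; an empty list means clean."""
    findings = []
    kid = jwk.get("kid", "<no kid>")
    kty = jwk.get("kty")
    # A private JWK is a public JWK plus extra members, so membership is the test.
    leaked = sorted(PRIVATE_MEMBERS.get(kty, set()).intersection(jwk))
    if leaked:
        findings.append((kid, "private-key members published: " + ", ".join(leaked)))
    # RSA modulus size is recoverable directly from the base64url "n" member.
    if kty == "RSA" and "n" in jwk:
        bits = b64url_to_int(jwk["n"]).bit_length()
        if bits < MIN_RSA_BITS:
            findings.append((kid, f"RSA modulus is only {bits} bits"))
    return findings


def audit_jwks(document: str) -> list:
    """Audit a whole JWKS document (the JSON text served at jwks_uri)."""
    findings = []
    for jwk in json.loads(document).get("keys", []):
        findings.extend(audit_jwk(jwk))
    return findings


# Constructed sample JWKS: moduli are placeholder integers of the stated bit
# length, not real RSA moduli, and "AQ" stands in for the other parameters.
SAMPLE_JWKS = json.dumps({
    "keys": [
        {"kty": "RSA", "kid": "good-2048", "use": "sig", "alg": "RS256",
         "n": int_to_b64url((1 << 2047) | 0x10001), "e": "AQAB"},
        {"kty": "RSA", "kid": "leaked-private", "use": "sig", "alg": "RS256",
         "n": int_to_b64url((1 << 2047) | 0x3), "e": "AQAB",
         "d": "AQ", "p": "AQ", "q": "AQ", "dp": "AQ", "dq": "AQ", "qi": "AQ"},
        {"kty": "RSA", "kid": "weak-512", "use": "sig", "alg": "RS256",
         "n": int_to_b64url((1 << 511) | 0x5), "e": "AQAB"},
        {"kty": "EC", "kid": "ec-leaked", "crv": "P-256",
         "x": "AQ", "y": "AQ", "d": "AQ"},
    ]
})

if __name__ == "__main__":
    for kid, finding in audit_jwks(SAMPLE_JWKS):
        print(f"{kid}: {finding}")
```

Pointing `audit_jwks` at the body fetched from your own discovery document's `jwks_uri` makes this a cheap pre-deployment check; the membership test is deliberately key-type aware so an EC key with a stray `d` is caught as readily as an RSA key with its CRT parameters attached.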

Guard your Codebase: Practical Steps and Tools to Prevent Malicious Code
Apiiro’s Matan Giladi shares the open-sourced malicious-code-ruleset and PRevent repositories which, used together, apply custom Semgrep rules to detect malicious behaviors in software packages and flag them in GitHub PRs.

Until Next Time! 👋

Hey, you made it to the bottom – thanks for sticking around!

Questions, ideas, or want to chat? Slide into my inbox! 💌

Don’t hesitate to forward if someone could benefit from this.

See you next Monday!
-Kyle

P.S. CramHacks has a Supporter tier! You can upgrade here to support CramHacks and its free weekly content 😃.