CramHacks Chronicles #75: Weekly Cybersecurity Newsletter!
Taking over hundreds of popular apps, generating SBOMs at scale, UK govt releases OSS best practices and risks, getting frustrated with misrepresented data
Hello! I hope that you are having a great week thus far 🙂.
Recently, I've been interested in understanding how many contributors are involved with a given piece of software. So far, I've only tested with a tiny SBOM containing fewer than 50 packages, but still, I’ve counted almost 2,500 total contributors. And that’s with several known limitations in my tooling. I intend to make the repo public in the coming weeks. I have no practical use for it; I was just interested 🤷.
P.S. CramHacks will be getting more love soon; I’m excited to work on improving the quality of this newsletter and future blogs ❤️.
How to gain code execution on millions of people and hundreds of popular apps
Self-proclaimed (un)professional hacker xyz3va shares how she could’ve injected malware into hundreds of popular applications after compromising secrets used by todesktop.
👋 Like her, my first reaction was, "What the hell is todesktop?" It turns out that it's a service that transforms Electron apps into cross-platform desktop apps with native functionality. So, applications like Linear and (previously) Cursor don't directly distribute desktop apps to consumers; they instead rely on todesktop.
As a proof-of-concept, xyz3va injected a reverse shell into a postinstall script and submitted it to todesktop to be built along with its SDKs. The build succeeded, and upon digging, she uncovered stored secrets in the build container. This enabled her to deploy malicious updates to other apps, such as Linear and Cursor, which millions of people use.
Generating Software Bill of Materials a.k.a. SBOMs at scale for Atlassian
Software Engineer Sahil Seth shares why and how Atlassian built their centralised SBOM platform. Produced SBOMs consist of aggregated data from three tools: syft, cdxgen, and cyclonedx-maven-plugin. So far, the tooling has created over 1 million SBOMs, listing over 1.8 billion packages—92,000 unique packages, with more than half coming from npm.
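The headline numbers (total component entries versus unique packages, and the share per ecosystem) only make sense once components from different tools are de-duplicated on a common identity. As an added illustration, not Atlassian's code, the Python below aggregates a few constructed CycloneDX documents, keys each component by its Package URL (qualifiers stripped, with a group/name/version fallback where a tool emitted no purl) and reports the counts.

```python
"""Aggregate CycloneDX SBOMs: total entries vs. unique packages per ecosystem.
Added example, not Atlassian's tooling; all SBOM input below is constructed."""
import json
from collections import Counter


def _bom(*components):
    """Serialise a minimal CycloneDX 1.5 JSON document (constructed sample)."""
    return json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5",
                       "components": list(components)})


# Three SBOMs as different generators (syft, cdxgen, a Maven plugin) might emit them.
SAMPLE_SBOMS = [
    _bom({"name": "lodash", "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21"},
         {"name": "express", "version": "4.18.2", "purl": "pkg:npm/express@4.18.2"}),
    _bom({"name": "lodash", "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21"},  # exact duplicate
         {"name": "jackson-databind", "group": "com.fasterxml.jackson.core", "version": "2.15.2",
          "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.2?type=jar"}),
    _bom({"name": "requests", "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0"},
         {"name": "jackson-databind", "group": "com.fasterxml.jackson.core", "version": "2.15.2",
          "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.2"},  # no qualifier
         {"name": "express", "version": "4.18.2"}),  # tool emitted no purl at all
]


def component_key(comp):
    """Identity of a component: its purl minus qualifiers, else group/name/version."""
    purl = comp.get("purl")
    if purl:
        return purl.split("?", 1)[0]  # '?type=jar' etc. must not split one package in two
    return f"fallback:{comp.get('group', '')}/{comp.get('name')}@{comp.get('version')}"


def ecosystem(key):
    """Ecosystem from the purl type ('pkg:npm/...' -> 'npm'); 'unknown' without a purl."""
    if key.startswith("pkg:"):
        return key[4:].split("/", 1)[0]
    return "unknown"


def aggregate(sbom_docs):
    """Return (total component entries, unique packages, unique count per ecosystem)."""
    total, unique = 0, set()
    for doc in sbom_docs:
        for comp in json.loads(doc).get("components", []):
            total += 1
            unique.add(component_key(comp))
    return total, len(unique), Counter(ecosystem(k) for k in unique)
```

Components without a purl cannot be merged with their purl-bearing twins (the final express entry stays separate), which is one reason the unique count from multi-tool aggregation tends to overstate reality.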

UK: Open source software best practices and supply chain risk management
👋 In my opinion, this title is a bit misleading. Nonetheless, it’s a valuable resource, and they clearly put a lot of effort into understanding the current status of open-source software management.
My only issue is that there are so many references to misrepresented data. I just grabbed the first one I saw as an example: “Larger organisations (>5000 employees) are more likely to have an internal legal team familiar with OSS licensing when compared to small organisations (<100 employees) 31.46% vs 22.30%, respectively.”
There is no way in hell that 22% of small organizations have an internal legal team familiar with OSS licensing.
Or “OSS vulnerabilities grew by 50% year-on-year — from just over 4,000 in 2018 to over 6,000 in 2019,” which came from a WhiteSource (now mend.io) report that is no longer accessible. However, with some logical thinking: in 2019, we didn’t have anything close to today’s level of open source vulnerability data. I’d argue that we don’t even know how many CVEs there are for open source projects in 2024.
CVE.org “CVE Data Usage and Satisfaction Survey” — Ends April 4, 2025
👋 The CVE Program is asking industry professionals to complete this survey before April 4th, 2025. The program seems to be progressing, perhaps partly due to support from CISA, but there’s still a long way to go. On the other hand, the NVD continues to be in shambles. Maybe there’s a connection 👀?
Until Next Time! 👋
Hey, you made it to the bottom – thanks for sticking around!
Questions, ideas, or want to chat? Slide into my inbox! 💌
Don’t hesitate to forward if someone could benefit from this.
See you next Monday!
-Kyle
P.S. CramHacks has a Supporter tier! You can upgrade here to support CramHacks and its free weekly content 😃.