CramHacks Chronicles #77: Weekly Cybersecurity Newsletter!
Compromised GitHub Actions, IngressNightmare, WIZ Vuln DB Fail, Chainguard VMs & Libraries, $3M to find suspicious open source contributors
Hello, and Happy Monday!
Life Update: We’ve built a home gym in our garage, and I’m now jacked. It has technically only been a week, but most of you will probably never see me in real life, so who cares?
We also tried to replace the sink in our bathroom. This was going great until we had a big hole in the wall and broken tiles. Computers never hurt me like home improvement projects do.
💻️ I’m working on a blog about the Go Module Mirror. TL;DR: I feel a need to understand its intentions better. One would assume that a command like go get github.com/org/package_name would directly pull the package from GitHub, but that’s not necessarily true.
The Wiz Special:
GitHub Action supply chain attack: reviewdog/action-setup
Rami McCarthy investigates the root cause and intentions behind the recently compromised tj-actions/changed-files GitHub Action. He reports that the malicious actor was targeting Coinbase, and that the tj-actions[bot] PAT was compromised after the reviewdog/action-setup GitHub Action was poisoned: that action is used by tj-actions/eslint-changed-files, which has access to the tj-actions[bot] PAT.
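The attack above worked because workflows referenced actions by mutable tags and branches, so a retargeted tag silently pulled attacker-controlled code. The script below is an added example (not from the newsletter or from either project) that scans a workflow file for uses: references not pinned to a full commit SHA; the workflow text is constructed, and SHA pinning is only a partial answer, since an action's own dependencies (as with reviewdog/action-setup inside tj-actions/eslint-changed-files) can still move.

```python
"""Flag GitHub Actions workflow steps whose `uses:` target is not pinned to a commit SHA.

Added example, not part of the newsletter. The sample workflow below is constructed."""
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Matches `- uses: owner/repo@ref` or `uses: owner/repo@ref`, stopping at quotes, spaces or a comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")


def parse_uses(workflow_text: str) -> list[str]:
    """Return every `uses:` target found in a workflow file, top to bottom."""
    return [m.group(1) for line in workflow_text.splitlines() if (m := USES_RE.match(line))]


def is_sha_pinned(ref: str) -> bool:
    """True when the action is pinned to a full 40-hex commit SHA.

    Local (./) and docker:// references are not fetched from a git tag, so they are treated
    as out of scope rather than flagged."""
    if ref.startswith("./") or ref.startswith("docker://"):
        return True
    _, _, version = ref.partition("@")  # version is "" when no @ref is given at all
    return bool(SHA_RE.match(version))


def unpinned_actions(workflow_text: str) -> list[str]:
    """List the references that rely on a mutable tag or branch (or no ref at all)."""
    return [ref for ref in parse_uses(workflow_text) if not is_sha_pinned(ref)]


# Constructed sample: one SHA-pinned action, one tag-pinned, one branch-pinned, one local action.
SAMPLE_WORKFLOW = """\
name: lint
on: [pull_request]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000  # placeholder SHA
      - uses: tj-actions/changed-files@v45
      - name: reviewdog
        uses: reviewdog/action-setup@master
      - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    for ref in unpinned_actions(SAMPLE_WORKFLOW):
        print(f"not SHA-pinned: {ref}")
```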
IngressNightmare: Unauthenticated RCE Vulnerabilities in Ingress NGINX
WIZ researchers disclosed a vulnerability in the Ingress NGINX Controller that lets anyone who can reach the admission controller over the network inject an arbitrary NGINX configuration by sending it a malicious ingress object.
“To be clear, gaining initial access to a cluster's pod network is not as difficult as one might think - containerization on its own is not a strong security boundary, and many applications running on K8s are susceptible to container escape” -WIZ
WIZ Vulnerability Database
The WIZ team has launched a vulnerability database that aggregates vulnerability data from many sources. The AI-generated reports, and metadata fields such as “Has Public Exploit?”, seem questionable, to say the least.
💩 The vulnerability database is untrustworthy, and if I had that influence, I would probably shut it down. Someone clearly doesn’t understand the EPSS model, and the technology assignments are wildly inaccurate. I haven’t even bothered to look at the more specific details.
But I like the “High Profile” section—the ones I’ve read were clearly written/reviewed by a knowledgeable human. Keep that, and partner with Google’s osv.dev for better-quality data.
Chainguard Assemble
This looked like a great event, and they released a lot of content yesterday. But Chainguard should’ve published a “Chainguard Assemble Event Overview” highlighting the newly launched products. There is an overview page, the first Google result, but no product information. Marketing miss!
📰 I have no insights on the effectiveness of either of these product launches, but the launch itself is lacking big time. IMO, Chainguard doesn’t seem to be excited about these, so why should I be?
However, I think Chainguard Libraries is a cool idea and should be straightforward for packages adhering to reproducibility standards. Not sure what the answer is for the vast majority that don’t.
Chainguard VMs
“Host containers on optimized, minimal, zero-CVE virtual machine images rebuilt from source daily for ephemeral cloud instances.”
Chainguard Libraries
“Consume libraries continuously built from source in Chainguard’s SLSA Level 2 build infrastructure, eliminating supply chain attacks at build and distribution phases of the package lifecycle.”
Until Next Time! 👋
Hey, you made it to the bottom – thanks for sticking around!
Questions, ideas, or want to chat? Slide into my inbox! 💌
Don’t hesitate to forward if someone could benefit from this.
See you next Monday!
-Kyle
P.S. CramHacks has a Supporter tier! You can upgrade here to support CramHacks and its free weekly content 😃.