• CramHacks
  • Posts
  • CramHacks Chronicles #78: Weekly Cybersecurity Newsletter!

CramHacks Chronicles #78: Weekly Cybersecurity Newsletter!

Q&A w/ Linus Torvalds, #camelgate, OSS Project for auditing GH Actions, Google announces new experimental cybersecurity model, Verizon exposed call logs

Author

Kyle Kelly
April 09, 2025

Hello, and Happy Monday!

Something to think about; is there truly a market for supply chain security? Even if so, are there other markets where supply chain security products can be better marketed?

Stacklok, the creators of trusty and minder have reportedly pivoted from supply chain security to making using AI safer and more productive for developers. Arguably still supply chain security, but with a narrower focus in a booming market.

Similarly, CrashOverride has recently rebranded, changing its focus on ingesting metadata into artifacts for supply chain security, to now building an Engineering Relations Management (ERM) solution. Connecting the dots across code, cloud, builds, deployments, and more. Which you might do by ingesting metadata into artifacts? 😅 But again, perhaps this comes with improved marketability.

A Little piece of history: npm left-pad incident
Why don’t registries allow deleting packages? Well, it’s because of history! One incident occurred in 2016, where a maintainer deleted a package after a naming dispute; the package was named kik, and the company Kik Messenger didn’t like that 😅. Upon it’s removal, thousands of software projects which depended on the package were unable to be built or installed. 🎉 

Upcoming Events

How best to educate folks of software supply chain security risks? Speak the truth 🤔.

It sounds simple, but the average person isn’t (usually) wondering “how might a malicious actor compromise my build environment, pipeline, or deployment. That’s what I’m here for 😈.

I’m looking forward to spreading the word by discussing software package vulnerabilities, malicious packages, and software integrity 🧠. If you’ll be at either of these upcoming events, let me know!!

Newsletter

Git turns 20: A Q&A with Linus Torvalds
👋 The full video should be available soon (at the same link), but reading the transcript was insightful on its own. Keep in mind that I was in elementary school 20 years ago, so this is basically a history for me.

The Q&A briefly touches on the design decision to use SHA-1, a common complaint that led to a rather large transition project to instead use SHA-256. “to me, SHA-1 hashes were never about the security. It was about finding corruption.”-Linus Torvalds

tj-actions/changed-files Incident: Full Events
👋 These events took place over four months, and there were some significant gaps in activity. This is usually good signal that the threat actor is apart of some organized group, although nothing is for certain. Given prior heists targeting crypto-platforms, this won’t be the last attempt.

Audit GitHub Actions used in workflow runs for an organization, Enterprise or repository
GitHub’s Paul Hodgkinson has open-sourced an unofficial tool for auditing workflow runs; as the title suggests 😉. The tool allows for listing workflow runs between specified dates, along with the Actions, their specific versions, and commits used.

👋 There’s also a script for checking exposed secrets caused by the tj-actions/changed-files and reviewdog compromises mentioned above. I suspect this tool will come in handy.

Google announces Sec-Gemini v1, a new experimental cybersecurity model
The model reportedly outperforms others in cybersecurity benchmarks (CTI-MCQ & CTI-RCM) thanks to integrations with Google Threat Intelligence, and OSV.

👋 Currently not available to the public, but you can request early access here. I think this is too early for me to get excited over, but it’s giving me something to look forward to!

Verizon: Hacking the Call Records of Millions of Americans
Researcher Evan Connelly identified a public endpoint that leaked call logs when provided with a Verizon phone number. The endpoint is intended to be used by the Verizon Call Filter iOS app, but did not perform meaningful authorization checks, despite requiring a JWT.

#camelgate: Can't install camelcase, decamelize and other camel packages
On April 1st, the ‘camel’ keyword broke the internet. Cloudflare deployed a change to their WAF ruleset that blocked sites containing the 'camel’ keyword due to the Apache Camel Remote Code Execution vulnerability (CVE-2025-29891).

👋 I could’ve been convinced that this was an April Fools joke, but it’s not. I first heard of this because projects were failing builds due to npm registry request being blocked. But I see other platforms were affected, like Stackoverflow, where opening a question with ‘Camel’ in the name led to an error page 🤦.

Until Next Time! 👋

Hey, you made it to the bottom – thanks for sticking around!

Questions, ideas, or want to chat? Slide into my inbox! 💌

Don’t hesitate to forward if someone could benefit from this.

See you next Monday!
-Kyle

P.S. CramHacks has a Supporter tier! You can upgrade here to support CramHacks and its free weekly content 😃.