CramHacks Chronicles #80: Weekly Cybersecurity Newsletter!
Supply Chain Pre-RSAC Announcements, do not run any Cargo commands on untrusted projects, scanning stale branches, and more!
Hello, and Happy Monday!
I’ve been thinking about software supply chain security doomsday scenarios. Although I still think you’re more likely to get popped by a malicious package than by a vulnerable one, our vulnerability coverage is wildly suboptimal. I’ll continue to argue that no good Samaritans are deliberately searching for vulnerabilities in non-latest versions, and barely any are looking regardless of version.
Something as simple as keyword searches for GitHub Issues is enough to find near endless undisclosed vulnerabilities.

Tired of chasing compliance? Concert Compliance helps SaaS companies build powerful, audit-ready programs. SOC 2, ISO 27001, PCI DSS, HIPAA — simplified.
Pre-RSAC Announcements:
Coana Joins Socket to Lead the Next Generation of AppSec
I was rooting for Coana to make it on their own, but I’m happy for them nonetheless. This definitely boosts Socket’s potential. Although I wonder if this means furthering their vulnerability scanning, or enhancing their malicious package detection through static analysis? Or hopefully both?
Chainguard hits $3.5 billion valuation after fundraise
I’m a fan of Chainguard, but the valuation doesn’t make much sense to me with the current product offerings. And the recent product launches seem to have flopped, at least to the public eye, but they’re likely driven by some big contracts 🤷. I do think Chainguard is in a great position to be acquired. Datadog?
Endor Labs Raises $93M Series B
The valuation is reportedly “orders of magnitude higher” than their Series A 🤷. I’m not sure if they’re pivoting, but their marketing has definitely shifted to target scanning AI-generated code, as opposed to supply chain security. This might appease hype beasts but I think it’s a bad idea.
Hopper: Out of Stealth, Into the Future of Open-Source Security
Hopper is offering function-level reachability analysis. Honestly, I don’t think we need another company doing this, but I suppose there’s plenty of market potential remaining. 🤑 I still think someone needs to bootstrap an affected-functions database and sell it to all these companies wanting reachability.
Newsletter
Do not run any Cargo commands on untrusted projects
Sergey "Shnatsel" Davidoff details how running Cargo commands on an untrusted project can lead to malware execution. The crux is that nearly every subcommand reads Cargo's configuration, including a config.toml checked into the project itself, and that configuration can point Cargo at an alternative (malicious) Rust compiler, which Cargo then executes. Even with a clean config, building an untrusted crate runs its build scripts and proc macros, so the only safe place to touch it is a disposable VM or container.
👋 This includes Cargo Audit! See directly below for more details.
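As an added example (not code from the newsletter or from Shnatsel's write-up), here is a pre-flight check a practitioner can run on an untrusted checkout before typing any cargo command. It walks the whole tree for `.cargo/config.toml` (and the legacy `.cargo/config`) and flags the real Cargo keys that name a program Cargo will execute or an alternate crate source. The function name audit_cargo_config, the directory layout and the sample config values in the demo are constructed for this example.

```shell
#!/usr/bin/env sh
# Added example, not code from the newsletter or from Shnatsel's write-up.
# Pre-flight check for an untrusted checkout: find every Cargo config file in
# the tree and flag the keys that name a program cargo will execute or an
# alternate place it will fetch crates from.  Run it BEFORE any cargo command.
#
# Cargo reads `.cargo/config.toml` (and the legacy `.cargo/config`) from the
# current directory and every parent, plus $CARGO_HOME/config.toml, so a
# config planted anywhere in the repo applies as soon as you cd there.
# The key names below are real Cargo configuration keys; the file layout and
# sample values in the demo are constructed for this example.

audit_cargo_config() {
    dir=$1
    # Keys that point cargo at an executable (rustc, rustc-wrapper,
    # rustc-workspace-wrapper, rustdoc, target.*.runner, target.*.linker) or
    # at a replacement source/registry, plus section headers ([alias], [env],
    # [source.*], [registries.*]) that deserve a manual read.  The optional
    # "prefix." group also catches dotted keys such as `build.rustc = ...`.
    pattern='^[[:space:]]*([A-Za-z0-9_.-]+\.)?(rustc|rustc-wrapper|rustc-workspace-wrapper|rustdoc|runner|linker|replace-with|directory|local-registry|registry|proxy)[[:space:]]*=|^[[:space:]]*\[(alias|env|source|registries)'
    hits=$(find "$dir" -type f \( -path '*/.cargo/config.toml' -o -path '*/.cargo/config' \) \
           -exec grep -HnE "$pattern" {} + 2>/dev/null || true)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# Demo on a constructed checkout (sample values, not from any real project):
# a project-level config that swaps the compiler and adds an alias.
demo=$(mktemp -d)
mkdir -p "$demo/untrusted/.cargo"
printf '[build]\nrustc = "./tools/rustc"\n\n[alias]\nupdate-deps = "run --bin helper"\n' \
    > "$demo/untrusted/.cargo/config.toml"
if audit_cargo_config "$demo/untrusted"; then
    echo "no suspicious cargo config found"
else
    echo "refusing to run cargo here; review the lines above first"
fi
rm -rf "$demo"
```

It is a tripwire, not a guarantee: Cargo also reads config from parent directories and from $CARGO_HOME, and an untrusted crate's build.rs and proc macros execute during cargo build, check or test no matter what the config says, so the real mitigation is still a disposable VM or container.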
I am stepping back from maintaining ‘cargo audit’
Shnatsel has also announced that they are stepping away from cargo audit and the RustSec security advisory database, which essentially kickstarts their deprecation.
Unauthenticated Remote Code Execution in Erlang/OTP SSH
👋 Not exactly a big internet footprint, but a trivial exploit.
Poutine: scan stale branches for exploitable GH workflow vulnerabilities
👋 This is a reminder that we’re just scratching the surface of supply chain risks. Nearly every tool simply looks at the latest version or main branch. Trust me . . . there are demons in the shadows.
Case in point: How I made $64k from deleted files, a bug bounty story that consisted of cloning repositories, restoring deleted files, finding dangling blobs and unpacking .pack files to search for exposed API keys, tokens and credentials.
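As an added example that is not part of the original post or the linked write-up, the following shell script does the object-level sweep that kind of search relies on: it enumerates every blob reachable from any ref (all branches, tags and remote-tracking branches) plus the unreachable blobs left behind by deleted files, dropped branches and amended commits, and greps each one for well-known credential formats. The helper names (scan_git_secrets, make_demo_repo, gitc) and the demo repository are constructed for this example; the AWS key in it is Amazon's documented example key, not a real credential.

```shell
#!/usr/bin/env sh
# Added example, not code from the newsletter or from the bug bounty write-up
# it links.  Scans EVERY blob a repository still holds, not just the working
# tree of the default branch: objects reachable from any ref plus unreachable
# objects (deleted files, dropped branches, amended-away commits) that
# `git fsck` can still enumerate, loose or packed, until `git gc --prune`
# removes them.  The secret patterns are well-known public formats (AWS access
# key ID, GitHub classic PAT, PEM private key); the demo repo is constructed.

scan_git_secrets() {
    repo=$1
    pattern='AKIA[0-9A-Z]{16}|ghp_[A-Za-z0-9]{36}|-----BEGIN [A-Z ]*PRIVATE KEY-----'
    hits=$(
        {
            # every object reachable from any ref (branches, tags, remotes, HEAD)
            git -C "$repo" rev-list --all --objects | awk '{print $1}'
            # objects no ref reaches any more; --no-reflogs stops the reflog from
            # counting as a reference, so blobs from deleted branches show up too
            git -C "$repo" fsck --unreachable --no-reflogs 2>/dev/null \
                | awk '$1=="unreachable" && $2=="blob"{print $3}'
        } | sort -u | while read -r oid; do
            # commits and trees come out of rev-list as well; keep only blobs
            [ "$(git -C "$repo" cat-file -t "$oid")" = "blob" ] || continue
            git -C "$repo" cat-file -p "$oid" | grep -nE "$pattern" | sed "s/^/$oid:/"
        done
    )
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# git with a throwaway identity so commits work on a machine with no config.
gitc() { repo_=$1; shift; git -C "$repo_" -c user.name=demo -c user.email=demo@example.invalid "$@"; }

# Builds a constructed demo repo: a secret committed on a feature branch that
# was later deleted, so no branch or tag references it any more, yet the blob
# is still in the object store.
make_demo_repo() {
    r=$1
    git -c init.defaultBranch=main init -q "$r"
    gitc "$r" commit -q --allow-empty -m "initial"
    gitc "$r" checkout -q -b feature
    printf 'AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n' > "$r/.env"   # documented AWS example key
    gitc "$r" add .env
    gitc "$r" commit -q -m "wip: add env"
    gitc "$r" checkout -q -
    gitc "$r" branch -q -D feature
}

demo=$(mktemp -d)
make_demo_repo "$demo/r"
if scan_git_secrets "$demo/r"; then
    echo "no secrets found in any reachable or unreachable blob"
else
    echo "secrets found in objects that no branch references"
fi
rm -rf "$demo"
```

Two caveats: a fresh git clone only contains objects reachable from the refs the server advertised (use git clone --mirror to get every advertised ref rather than just heads and tags), so the unreachable-object pass pays off on a repository copy obtained some other way, such as an exposed .git directory; and git gc --prune eventually deletes exactly the objects this is looking for, so run the sweep before anything that triggers garbage collection.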
MCP Gateway: Monitor & Manage MCP Interactions
Lasso Security open sourced a plugin-based gateway for orchestrating MCP servers.
Until Next Time! 👋
Hey, you made it to the bottom – thanks for sticking around!
Questions, ideas, or want to chat? Slide into my inbox! 💌
Don’t hesitate to forward if someone could benefit from this.
See you next Monday!
-Kyle
P.S. CramHacks has a Supporter tier! You can upgrade here to support CramHacks and its free weekly content 😃.