[CramHacks] Newsletter #17: Trolling NPM and the headaches that followed

🥳 Happy Monday! 🥳

Software Supply Chain Security

Patrick Garrity: Vulnerability Visualizations

👋 Wanted to give a shoutout to Patrick, a Security Researcher at Nucleus Security, who puts together these incredible visualizations. Not only are they appealing to look at, but they get valuable messages across.

For example, I recently researched CISA’s Known Exploited Vulnerabilities catalog. I noticed that the list is almost entirely useless in the world of open-source supply chain security. This visualization showing what vendors are responsible for the vulnerable products makes this much more apparent. This also explains why the term ‘Microsoft’ immediately bumps vulnerabilities Exploit Prediction Scoring System (EPSS) score.

Troll: NPM Install Everything

A group of developers published an npm package, everything, which, when installed via npm, causes denial of service because, well… every single npm package is listed as a dependency.

What’s extra funny is that you can’t delete a package from npm if another package depends on it. Therefore, npm package owners everywhere cannot remove their packages from npm. The cherry on top is that this includes the packages created for this troll.

Issue thread from ‘everything’ creator

👋 While this isn’t the first time, I can appreciate a good troll, especially when it highlights a real issue in how package managers evaluate (or don’t) packages before offering them to users.

Snyk: Why should developers care about container security?

Eric Smalling, Senior Developer Advocate @ Snyk, has published a 30-minute video about the risks associated with container security and how Snyk can help identify & remediate these vulnerabilities.

Dan Lorenc: Supply Chains in AI

Dan Lorenc, Founder/CEO of Chainguard, stirs some exciting discussion around the state of supply chains for AI toolkits:

“most links lead to just random forum dumps with platform-specific 300+MB Python wheel downloads that are maintained by just a few folks that ‘got it working once’ and shared it. This space feels like we’ve gone back more than a few years in overall supply chain security.”

👋 I can’t make this up; I also spent much of my break investigating supply chain security in AI. My announcement was scheduled to be posted 30 minutes after Dan’s LinkedIn post 😆. Some great points are made here; if you find this interesting, watch my blog post! ‘

Also, if the Snyk container security video piqued your interest, look at Chainguard’s minimal, hardened images.

It's January 1st, 2024, and PyPI now requires Two-factor authentication (2FA) for all users

👋 This is a W.

Until Next Time! 👋 

Hey, you made it to the bottom – thanks for sticking around!

Questions, ideas, or want to chat? Slide into my inbox! 💌

Don’t hesitate to forward if someone could benefit from this.

See you next Monday!
-Kyle