• CramHacks
  • Posts
  • CramHacks Chronicles #83: Weekly Cybersecurity Newsletter!

CramHacks Chronicles #83: Weekly Cybersecurity Newsletter!

Exploring npm vulnerabilities, Kyverno introduces ImageValidatingPolicy, XBOW reaches Highest Rank on HackerOne Leaderboard, Ubuntu adopts sudo-rs, LlamaFirewall

Author

Kyle Kelly
May 14, 2025

Hello, and Happy Monday!

I did some vibe research over the weekend because I was interested in vulnerability coverage for the most used software packages. I ended up taking the top 10,000 npm packages (by downloads) and cross-referenced with osv.dev’s npm vulnerability data.

Of the 10,000 only 421 (4.21%) have disclosed one or more vulnerabilities aggregated by Google’s osv. More than half of these have only ever had one vulnerability reported. Check out the GitHub repo for more details.

For the record, I’m not bashing the open source community here. Not long ago, this would’ve been nearly 0%. My initial motivation was to point out that folks drowning in SCA alerts are really only struggling with the tip of the iceberg. Highlighting the importance of further improving open source vulnerability disclosure data and SCA tooling.

Newsletter

👋 Side note: I know we often complain about the public sector, or at least I do 😆, but it’s pretty cool that our community has a real voice. This past week CISA announced that the KEV RSS Feed would be decommissioned. Following the community’s response, CISA issued an update:

“Update May 13: In an effort to enhance user experience and highlight the most timely and actionable information for cyber defenders, CISA announced a shift in how we share cybersecurity alerts and advisories. We recognize this has caused some confusion in the cyber community. As such, we have paused immediate changes while we re-assess the best approach to sharing with our stakeholders.” CISA

Announcing Kyverno Release 1.14: ValidatingPolicy and ImageValidatingPolicy
Kyverno introduces specialized policy types; ValidatingPolicy centralizes validation rules into a dedicated resource type, while ImageValidatingPolicy exclusively focuses on container image verification (including signatures, SBOMs, attestations, and other artifacts).

Backdoor found in popular ecommerce components
The Sansec Forensics Team identified 21 applications affected by an identical backdoor injected six years ago, but was only recently triggered in one of their customer’s environments. Sansec estimates 500 to 1,000 ecommerce stores are running the backdoored software owned by three vendors: Tigren, Meetanshi, and MGS.

Renovate: Could you please bump that version?
Renovate has introduced generic version bumping, which enables bumping semantic versions in files or version fields that Renovate does not natively support. Sebastian Poxhofer highlights this feature in his blog, showcasing it’s usefulness for managing versions in helm charts.

XBOW: Agentic AI reaches Highest Rank on HackerOne Leaderboard
For a short while, XBOW was the highest rank on HackerOne’s Vulnerability Disclosure Program (VDP) leaderboard for Apr-June 2025.

👋 Fifty-five HackerOne bug submissions have been confirmed as valid. No, it’s not perfect, in fact more than that have been rejected. But still, I strongly believe that offensive security AI is going to raise the bar for security. Keep up with the AIxCC (DARPA’s AI Cyber Challenge) if you’re interested!

Adopting sudo-rs By Default in Ubuntu 25.10
Canonical/Ubuntu makes a major statement by introducing sudo-rs in the default Ubuntu 25.10 image. So long as testing goes well, they also plan to ship it in Ubuntu 26.04 LTS.

👋 I feel like the bigger security risk with sudo are all the niche features they’ve introduced; which they don’t plan to replicate in sudo-rs, so that’s good. I personally don’t care what language these utils are written in so long as they work. Albeit I’ll be pretty annoyed if we end up having to append -rs to every command.

LlamaFirewall: The framework to detect and mitigate AI centric security risks
Meta has released an open source framework designed to secure LLM-powered applications by mitigating risks such as prompt injection, agent misalignment, and insecure code risks (via guardrails). 👋 A more in-depth paper can be found here.

Until Next Time! 👋

Hey, you made it to the bottom – thanks for sticking around!

Questions, ideas, or want to chat? Slide into my inbox! 💌

Don’t hesitate to forward if someone could benefit from this.

See you next Monday!
-Kyle

P.S. CramHacks has a Supporter tier! You can upgrade here to support CramHacks and its free weekly content 😃.