CramHacks Chronicles #84: Weekly Cybersecurity Newsletter!
Product Updates: Chainguard, Docker, Wiz, Aikido, & Socket, GitHub Action Scanners, threat hunting with public event logs, MCP Security Checklist
Hello, and Happy Monday!
There’s a lot going on 😮‍💨. But I had a pretty great week nonetheless; we spent lots of time with our puppy Nalu and have been going to the beach almost every day.
I’ve also been learning . . . Ruby on Rails? And . . . kind of liking it? I wasn’t expecting that given my past frustrations trying to review vulnerabilities in popular gems.
Over 10 million monthly downloads of unsupported Node.js versions put businesses at risk.
Recent critical CVEs (e.g., memory leaks, DoS vulnerabilities) will go unpatched after EOL.
EOL Node.js triggers security warnings and jeopardizes PCI, HIPAA, and SOC2 compliance.
Two-thirds of users don’t upgrade promptly, increasing attack surfaces.
Microsoft SBOM Tool: SPDX 3.0 Support
As of sbom-tool v4.0.2, users can now specify the -mi:SPDX3.0 CLI parameter to generate or validate SBOMs (Software Bills of Materials) using the SPDX 3.0 spec. The tool will continue to use SPDX 2.2 by default.
Comparison of GitHub Action Scanners
Fabian Kammel published his comparison of GitHub Action Scanners: Zizmor, Poutine, Octoscan, and Snyk’s GitHub Action Scanner.
curl: Detecting malicious Unicode
Daniel Stenberg shares how curl contributor James Fuller submitted a pull request to the project containing a Unicode character that resembled its ASCII counterpart; this was for educational purposes. No human reviewer or CI job spotted the replaced character.
👋 A few weeks ago, GitHub released warnings for hidden Unicode text. However, that doesn’t help here given the character wasn’t hidden. Per the blog, “GitHub has told me they have raised this as a security issue internally and they are working on a fix.”
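A CI-style check for the gap described above, as an added example (not curl's or GitHub's code): it reports every non-ASCII character outside an allowlist and separates invisible characters from visible look-alikes. The sample text, file name and allowlist are constructed assumptions.

```python
import unicodedata

# Constructed sample (not taken from the curl pull request); escapes keep the
# suspicious characters visible in this listing.
SAMPLE = "\n".join([
    "Download from https://example.invalid/a",
    "Mirror: https://ex\u0430mple.invalid/a",  # Cyrillic small a in place of Latin a
    "Thanks to Jos\u00e9 for the report",       # legitimate accented name
    "token\u200b = 1",                          # zero-width space
])
ALLOWED = frozenset("\u00e9")  # assumption: a per-project allowlist


def classify(ch):
    """None for ASCII, 'hidden' for format/control characters, else 'visible'."""
    if ord(ch) < 0x80:
        return None
    return "hidden" if unicodedata.category(ch) in ("Cf", "Cc") else "visible"


def scan_text(path, text, allowed=frozenset()):
    """Report every non-ASCII character outside the allowlist with its position."""
    findings = []
    # split("\n") rather than splitlines(): the latter also breaks on U+2028 and
    # similar separators and would swallow them instead of reporting them.
    for lineno, line in enumerate(text.split("\n"), 1):
        for col, ch in enumerate(line, 1):
            kind = classify(ch)
            if kind is None or ch in allowed:
                continue
            findings.append({
                "path": path, "line": lineno, "col": col, "kind": kind,
                "codepoint": f"U+{ord(ch):04X}",
                "name": unicodedata.name(ch, "<unnamed>"),
            })
    return findings


def missed_by_hidden_only_check(findings):
    """Findings a check limited to invisible characters would not raise."""
    return [f for f in findings if f["kind"] == "visible"]


if __name__ == "__main__":
    results = scan_text("docs/EXAMPLE.md", SAMPLE, ALLOWED)
    for f in results:
        print("{path}:{line}:{col}: {kind} {codepoint} {name}".format(**f))
    raise SystemExit(1 if results else 0)
```

Run as a script it exits non-zero when anything is found, so it can gate a pull request; the allowlist keeps legitimate names from failing the build.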
boostsecurity.io: Package Threat Hunter
👋 François Proulx gave a great talk at NorthSec 2025 discussing CI/CD pipeline vulnerabilities (e.g., GitHub workflows). But he also discusses a hack week project “Package Threat Hunter” that ingests the firehose of GitHub Public events in “real-time” and leverages these event details to catch build pipeline exploits. 👏
Go Cryptography Security Audit
Google contracted Trail of Bits to perform this audit: the results were 1 low-severity and 5 informational findings.
When Open Source Isn’t: How OpenRewrite Lost Its Way
Jonathan Leitschuh publicizes how Moderne silently changed OpenRewrite’s license from Apache 2.0 to Moderne Proprietary License (MPL) while highlighting the community’s (and his own) prior contributions that now fall under a proprietary license.
👋 This ofc isn’t the first time something like this has happened, but I’m completely shocked that there was seemingly no communication from Moderne about this change. Not good.
MCP Security Checklist: A Security Guide for the AI Tool Ecosystem
👋 SlowMist_Team released what appears (at first glance) to be a very well thought out security checklist for MCP-based tools. Per the repository, they use this checklist in their MCP security audits.
Product News
Chainguard Libraries for Python
👋 This was mentioned in last week’s newsletter, but recent LinkedIn discussions highlight some lesser-known details worth noting. Chainguard CEO Dan Lorenc shared:
PyPI support currently covers ~15K libraries, with a goal of 30K to support 99.9% of downloads from the past year. It's unclear if this is based on Chainguard customer data. 🤔
Java package support is closer to 30K libraries, but the percentage for 99.9% of downloads varies by ecosystem and wasn't specified for Java.
These Chainguard packages do not necessarily protect against total compromise, such as when both the source code repository and registry maintainer tokens are breached. But Dan did mention that they are conducting some level of static analysis, so there’s a non-zero chance they will catch it.
However, many recent package compromises have stemmed from the compromise of a registry maintainer token. Chainguard packages can mitigate this risk by effectively removing the registry’s hosted package from the trust chain and rebuilding packages from source. 💡 I’m curious how they handle cases where the built package differs from what is published in the registry. What if only the source repository is compromised and a previous tag is overwritten with malware, making the published package the “safe” option? So many questions! 🤯
Docker Hardened Images: Secure, Minimal, and Ready for Production
“Docker Hardened Images start with a dramatically reduced attack surface, up to 95% smaller, to limit exposure from the outset. Each image is curated and maintained by Docker, kept continuously up to date to ensure near-zero known CVEs. They support widely adopted distros like Alpine and Debian, so teams can integrate them without retooling or compromising compatibility.”
👋 Smart move. My initial reaction was “it’s about time.”
WizOS: Securing Wiz from the ground up with hardened, near-zero-CVE images
👋 I think Wiz has lost its way. From the time I learned about Wiz, they did very few things but did them well with an impeccable user experience. Lately everything seems to be half-baked product launches. No one can seem to find anyone willing to acknowledge or speak about their private-preview experience with WizOS.
Aikido: Changelog Analysis for Dependency Upgrades
Aikido is now leveraging AI to analyze changelogs to identify breaking changes in dependency upgrades. Comments state that they’ll be offering auto-upgrades and introducing code diff analysis w/ reachability in June.
Socket: precomputed reachability
Quick video showcasing Socket reachability in action, from a mobile device in the backseat of a car 😆. This demo shows “precomputed” reachability: “full function-level reachability analysis but performed on the full call graph _excluding_ the top-level (i.e. the application code). We assume all exported functions of the direct dependencies are used (since we're not looking at the app code)”
👋 This is so simple, and I feel dumb for not thinking of it, because I think it’s a great idea. Especially given I’ve built what is essentially the same thing, but for research and not product 🤦.
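A sketch of the idea in the quote above, as an added illustration (not Socket's implementation): a breadth-first search over a dependency-only call graph, seeded with every exported function of the direct dependencies. The call graph, package names and vulnerable functions are constructed and hypothetical.

```python
from collections import deque

# Constructed call graph, "package:function" -> callees. Every name is hypothetical.
CALL_GRAPH = {
    "web-lib:serve": ["http-core:parse"],
    "web-lib:render": ["tmpl:compile"],
    "cfg-lib:read": ["yaml-lite:safe_load"],
    "http-core:parse": ["http-core:parse_header"],
    "tmpl:compile": ["tmpl:escape"],
    "yaml-lite:safe_load": ["yaml-lite:scan"],
    "yaml-lite:load": ["yaml-lite:unsafe_construct"],  # no direct dependency calls this
}
# Application code is not analysed, so every export of a direct dependency
# is treated as an entry point.
DIRECT_EXPORTS = ["web-lib:serve", "web-lib:render", "cfg-lib:read"]
VULNERABLE = ["http-core:parse_header", "yaml-lite:unsafe_construct"]


def precomputed_reachability(graph, entry_points, vulnerable):
    """Map each vulnerable function to a shortest call path from an entry point, or None."""
    parent = {fn: None for fn in entry_points}
    queue = deque(entry_points)
    while queue:
        caller = queue.popleft()
        for callee in graph.get(caller, []):
            if callee not in parent:
                parent[callee] = caller
                queue.append(callee)
    result = {}
    for target in vulnerable:
        if target not in parent:
            result[target] = None
            continue
        path, node = [], target
        while node is not None:
            path.append(node)
            node = parent[node]
        result[target] = path[::-1]
    return result


if __name__ == "__main__":
    found = precomputed_reachability(CALL_GRAPH, DIRECT_EXPORTS, VULNERABLE)
    for fn, path in found.items():
        print(fn, "->", " > ".join(path) if path else "not reachable from direct dependencies")
```

Because the entry points over-approximate what the application calls, a "reachable" result here means the vulnerable function can be reached through a direct dependency's API, not that the application is known to call it.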
Until Next Time! 👋
Hey, you made it to the bottom – thanks for sticking around!
Questions, ideas, or want to chat? Slide into my inbox! 💌
Don’t hesitate to forward if someone could benefit from this.
See you next Monday!
-Kyle