CramHacks Chronicles #90: Weekly Cybersecurity Newsletter!

Hello, and Happy Monday!

Time to start planning for DEF CON! Excited to be giving a talk at AppSec Village covering the current state of open source package vulnerabilities, ongoing efforts to improve coverage, and the challenges + shortcomings of today’s programs.

Newsletter

How We Could’ve Taken Over Every Developer Using a VSCode Fork
Koi Security researcher Oren Yomtov discloses how he compromised the entire Open VSX extensions marketplace. In short, the marketplace leverages a GitHub Actions Workflow to build and publish all extensions on a nightly basis. Because these steps were not isolated, malicious npm build scripts would have access to the secret used for publishing extensions 👀. Koi Security abused exactly this, and successfully exfiltrated the secret, a super-admin credential.

👋 “Open-VSX is a vendor-neutral open-source alternative to the Visual Studio Marketplace.” I feel like this incident has gone somewhat under the radar, maybe because people are less familiar with Open-VSX. But it’s now used by editors such as Cursor and Windsurf.

GitHub Advisory Database by the numbers
Straight from the source, GitHub Security Analyst Jonathan Evans analyzes trends in the Advisory Database such as its growth, advisory sources, and ecosystem coverage. The blog also offers insights into GitHub’s CVE contributions as the 5th largest CNA, contributing to more than 2,000 CVEs in 2024.

👋 Jonathan included a table for ecosystem coverage which breaks up total advisories and affected packages; this is where I personally have a lot of concerns. For instance, Maven has 5171 total advisories, but those only relate to 955 unique packages. Similarly for Python, only 1044 unique packages have one or more advisories. Developers are drowning in security alerts when we’ve only barely scratched the surface of open source package vulnerabilities. Almost no one cares to improve this.

How I Scanned all of GitHub’s “Oops Commits” for Leaked Secrets
Another interesting use case for the public GitHub Event Log. People often attempt to delete commits containing secrets and leverage force-pushes to cover up the git history; but if you have the commit hash you can still access the commit. So Sharon Brizinov scanned every force push event since 2020 and uncovered lots of secrets.

👋 The gh archive project maintains snapshots of GitHub Event Logs.

OpenSSF Community Day - Japan

Presentations have been uploaded to OpenSSF’s YouTube channel. Here are my notes for a few of the talks!

What Is This Package Even Doing? Analyzing Behaviors of Our Software Dependencies - Isaac Dawson

Isaac breaks down the GitLab Open Source Package Research (OSSPR) project and how they analyze behaviors of open source packages at scale.

• The output of tools are tagged the same as the package version and pushed to a repo, using git versioning made the most sense given most of a package’s code remains intact between versions.

• The tool libbehave leverages +130 semgrep rules per language and is looking for suspicious network requests, code execution, serialization, what frameworks are being used, and more.

• Analysis was completed for 7,245 unique packages with 930,990 total version combinations.

  • 50% of packages leverage some form of Code/OS Execution

I’m a big fan of behavioral analysis for software packages, however Isaac proved just how difficult this can be. With Isaac’s tooling, there were nearly 140 Million findings for the 7,245 packages.

The Migration To Post-Quantum Cryptography: Open-Source Innovations and Interoperability - Tony Chen

Tony recaps post-quantum cryptography (PQC) and the expected timeline. This includes ML-DSA, ML-KEM (and HQC as the declared backup algorithm), and SLH-DSA. As for timelines, NIST is leading the discussion and has declared 2030 as the target year for deprecation of RSA/ECC. Australia has also announced 2030, but for RSA, SHA-256, ECDSA, and ECDH. The UK is targeting 2035 for full migration to PQC.

Keyfactor maintains a list for completed and planned tests for interoperability & future-ready cryptography.

Tony then demos using OpenSSL to generate a ML-DSA CSR, issuing a certificate using an EST endpoint, and verifying the certificate using OpenSSL. The demo furthers into signing and verifying of a file.

True Security: Unforgeable Baseline Compliance - Adolfo García Veytia, Carabiner Systems

Puerco discusses the OSPS Baseline which is made up of ~45 controls and are intended to be realistic for even solo maintainers. The next challenge is generating a claim that states the project satisfies the baseline controls. Puerco proposes leveraging the In-Toto attestation framework and the Sigstore transparency log to generate unforgeable OSPS Baseline compliance through attested evidence.

As shown, this can be done via generating SLSA source attestations, vulnerability scan result attestations, SBOM attestations, security insights attestations, etc. for commits. Finally a SLSA build attestation can be generated; this will contain the commit for building the artifact, which can be used to link to the other attestations generated.

Puerco is working on a project, ampel, “a lightweight supply chain policy engine designed to be embedded across the software development lifecycle to make sure that source code, tools and the build environment can be trusted by verifying unforgeable metadata captured in signed attestations.” 👀 

The future is full of attestations! 🙏 

Until Next Time! 👋

Hey, you made it to the bottom – thanks for sticking around!

Questions, ideas, or want to chat? Slide into my inbox! 💌

Don’t hesitate to forward if someone could benefit from this.

See you next Monday!
-Kyle

P.S. CramHacks has a Supporter tier! You can upgrade here to support CramHacks and its free weekly content 😃.