CramHacks Chronicles #91: Weekly Cybersecurity Newsletter!

GitHub Immutable Releases, Deptective, Cloudflare monetizing web crawling, historic data on software supply chain attacks, Belgium is unsafe for CVD

Hello, and Happy Monday!

My brain has grown 10x in these past few weeks. I love learning through reading, but it simply can’t replace hands-on-keyboard time. Lately I’ve been doing exactly that; leveling up my understanding of observability, databases, kubernetes, and more. I used to dread spending countless hours on a dumb bug, but with time I’ve come to recognize how much I’ve learned from each of those moments.

Thank you Socket for sponsoring CramHacks! They’ve long been a market leader in my eyes in regard to detecting malicious packages. My suspicion is that the same can be said for their vulnerability detection and prioritization; especially given their recent Coana acquisition.

Socket is the easiest security tool you’ve ever used — trusted by 8,500+ organizations. Install the free app with zero setup, or book a demo today.

Newsletter

GitHub is launching Immutable Releases in private preview
The Package Security team is getting ready to ship Immutable Releases in private preview later this month. Both the tag and the release itself will be protected via this repository and/or org-level setting. Each immutable release will also include an auto-generated in-toto release attestation signed by GitHub and verifiable via GH CLI.

👋 I joined GitHub for the simple fact that one small feature can have an unfathomable impact on software supply chain security. Immutable Releases was well underway by the time I joined, but it brings me so much fulfillment to play a (very small) role in shipping this to users.

Investigate your dependencies with Deptective
Trail of Bits has released an open-source tool for running software when you have no idea what shared libraries it needs. It does this by tracing the program, identifying the errors it hits, searching the Linux distribution’s package index for packages containing the missing files, and installing them. The cycle then repeats, and backtracks if a chosen package turns out to be a dead end. GitHub Repo
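To make the trace-install-repeat loop concrete, here is a small model of it in Python. This is an added example, not Deptective’s own code: the traced program, the distribution index, the package names and the conflict table are all constructed stand-ins, and the search is a plain depth-first backtrack over candidate packages.

```python
"""Simplified model of the trace-and-install loop: run the program, catch the
shared library the loader cannot find, look up which packages ship that file,
install one, rerun, and backtrack when a choice dead-ends. Added example with
constructed data; not the tool's real implementation."""
from typing import Optional

# Constructed distro index: library file -> packages that ship it (hypothetical names).
INDEX = {
    "libfoo.so.1": ["libfoo1-compat", "libfoo1"],
    "libbar.so.2": ["libbar2"],
}
# Constructed: package pairs the package manager refuses to install together.
CONFLICTS = {frozenset({"libfoo1-compat", "libbar2"})}
# Constructed program: the loader needs these libraries, in this order.
NEEDED = ["libfoo.so.1", "libbar.so.2"]


def run_program(installed: frozenset[str]) -> Optional[str]:
    """Stand-in for tracing the program: return the first library the loader
    cannot find, or None when the program runs to completion."""
    provided = {lib for lib, pkgs in INDEX.items() if installed & set(pkgs)}
    for lib in NEEDED:
        if lib not in provided:
            return lib
    return None


def resolve(installed: frozenset[str] = frozenset(),
            log: Optional[list[str]] = None) -> Optional[list[str]]:
    """Depth-first search over candidate packages. Returns the sorted package
    set that lets the program run, or None if no combination works."""
    if log is None:
        log = []
    missing = run_program(installed)
    if missing is None:
        return sorted(installed)
    for pkg in INDEX.get(missing, []):           # index lookup for the file
        trial = installed | {pkg}
        if any(c <= trial for c in CONFLICTS):   # install refused: skip it
            log.append(f"skip {pkg} (conflict)")
            continue
        log.append(f"install {pkg} for {missing}")
        found = resolve(trial, log)
        if found is not None:
            return found
        log.append(f"backtrack {pkg}")           # dead end: next candidate


if __name__ == "__main__":
    steps: list[str] = []
    print(resolve(log=steps), steps)
```

With this index the first candidate for libfoo.so.1 is a dead end because it conflicts with the only package providing libbar.so.2, so the loop backtracks and picks the other candidate.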

Cloudflare Just Changed How AI Crawlers Scrape the Internet-at-Large; Permission-Based Approach Makes Way for A New Business Model
As of July 1st, Cloudflare has introduced a permission-based approach allowing customers to dictate which AI bots are authorized to crawl their site, with the option to monetize the authorization. Cloudflare is also working to better identify and authenticate the identity of bots, while categorizing them based on behavior (e.g., used for training, inference, or search).

👋 This is the most excitement I’ve seen from Cloudflare in ages. Especially with their recent launch of containers in Cloudflare Workers. They’re seemingly positioning themselves really well to be an AI powerhouse for the internet. But maybe I’m being brainwashed by marketing hype 🤫.

Data about all known supply-chain attacks through history
Thomas Strömberg has shared the data behind his CackalackyCon talk, which contains details in YAML for 59 OSS incidents and 45 proprietary software incidents. The data identifies the malware injection point for each incident and shows that less than 22% of incidents compromised the actual source code of the project.

👋 Thomas previously worked at Chainguard, and I suspect this research played a role in motivating them to begin building OSS packages from source. Thomas is also building a startup and is sharing regular content about the journey on LinkedIn!

The road to Top 1: How XBOW did it
👋 I think XBOW is doing great work, but I also think them temporarily being #1 on the HackerOne leaderboard is not as huge as people are making it out to be. They’ve raised nearly $120M in the last year; if you’re using HackerOne leaderboards to measure success, you better damn be number 1.

A different takeaway... They submitted >1,000 bugs in Q1 2025, 208 were marked as duplicates and 209 as informative. Assuming these are all legitimate vulnerabilities, imagine how frustrating this would be if they were manually found and reported 🫠.

Attackers Love Your YAML: Static Kubernetes Security Analysis for DevSecOps
Rushikesh Patil details common dangerous misconfigurations and real-world incidents, and suggests some prominent security linters for Kubernetes manifest scanning.

👋 I’ve been getting into Kubernetes lately and I was amazed by how quickly I could be dangerous using it. That said, best practices aren’t abundantly obvious, and I suspect the average non-k8s expert is highly likely to introduce unnecessary risk.

Belgium is unsafe for CVD & Belgian CVD is deeply broken
Floor Terra & Piet De Vaere each published a blog post about their experience and concerns with how Belgium handles CVD (Coordinated Vulnerability Disclosure). It’s worth a read, but the tl;dr is that vulnerability disclosure under Belgian law mandates disclosure within 24 hours and lifelong secrecy of the issue. The disclosure also requires providing an official government identity document.

👋 In Piet’s blog, you really get a sense for how the Centre for Cybersecurity Belgium (CCB) handles these disclosures. There’ve been multiple reports of the CCB threatening legal action during responsible disclosures 🤔.

UN Open Source Week 2025

8+ hours of discussion during UN Open Source Week. If you’re into that kind of stuff, this is for you 🫡. I hope to listen to it throughout the upcoming week.

Until Next Time! 👋

Hey, you made it to the bottom – thanks for sticking around!

Questions, ideas, or want to chat? Slide into my inbox! 💌

Don’t hesitate to forward if someone could benefit from this.

See you next Monday!
-Kyle

P.S. CramHacks has a Supporter tier! You can upgrade here to support CramHacks and its free weekly content 😃.