Also, special thanks to Derek Sullivan for the S3C Weekly logo design.
A selection of the most impactful security breaches or threats in supply chains
SonarSource discovered a few remote vulnerabilities in Jenkins:
The discovered Critical vulnerability, tracked as CVE-2024-23897, allows unauthenticated attackers to read a limited amount of arbitrary files’ data, and "read-only" authorized attackers to read an entire arbitrary file from Jenkins’ server.
The discovered High severity cross-site WebSocket hijacking (CSWSH) vulnerability, tracked as CVE-2024-23898, allows an attacker to execute arbitrary CLI commands by manipulating a victim into clicking a link.
Fortinet analyzed a number of malicious PyPI packages attributed to the same malware author. The sophistication of the attacks increased over time, targeting both Windows and Linux systems with information stealers and code that targeted cryptocurrency wallets.
Oversecured reported on vulnerabilities in the Java (Maven) ecosystem where attackers could potentially take over abandoned packages by acquiring the associated domain name. According to their research, about 15% of projects may be vulnerable.
The Shadowserver account on Mastodon reports at least 5300 GitLab servers vulnerable to CVE-2023-7028 (patched on Jan 11). The vulnerability allows attackers to take over accounts via password reset with no user interaction, though it can be blocked by the use of 2FA.
Sonatype uncovered a series of 748 NPM packages containing clips from movies. The packages, which all began with wlwz-, contained video clips with Mandarin subtitles. The packages have been reported to NPM, which has marked them as malicious.
Targeting much later in the software supply chain, ESET has reported on a group called Blackwood compromising software update mechanisms. The group is distributing an implant via Adversary-in-the-Middle attacks on software update mechanisms for Tencent QQ, Sogou Pinyin, WPS Office, and others. The targeted software update mechanisms all rely on unencrypted HTTP and do not seem to have other signing mechanisms in place.
Mercedes-Benz accidentally exposed their internal GitHub Enterprise Server with an employee's authentication token in a public GitHub repository. The token had unrestricted read access to Mercedes' internal repos, including both intellectual property and design documents as well as connection strings, access keys, SSO passwords, and API keys.
When contacted, Mercedes revoked the API token and removed the public repository.
New open-source and free (as in beer) supply chain security news
Yahoo!’s security team described how they adopted sigstore within their enterprise. Highlights include SPIFFE and mTLS, integrations with Yahoo!’s build system, and keyless signing with Athenz OIDC, as well as a series of documented upstream contributions.
News from key open source security projects and communities, and regulatory updates related to OSS security
Sigstore has started a monthly news update. In this issue, they cover a Cryptographic Agility proposal for sigstore signing algorithms, as well as improvements in Python and Go library support.
Sigstore added support for OIDC identities representing the Eclipse Foundation’s Jenkins instances. The Eclipse Foundation is encouraging implementation of sigstore signing across their projects.
Evan Anderson
Principal Software Engineer