CatOps Digest 2026-04-04
What was on CatOps in the last couple of weeks
Charity
A standing jar of a friend of mine: https://send.monobank.ua/jar/AYR2HGkbxg
A jar for rehabilitation of a Ukrainian soldier, who got serious injuries on the front lines: https://send.monobank.ua/jar/5AmpbpVRxm
Time Sensitive
Linux: The Good Stuff by No Starch Press - a book bundle with some incredibly good books about Linux on Humble Bundle. It’s available for 16 more days.
Digest
Trivy Compromised: Everything You Need to Know about the Latest Supply Chain Attack - a report from Wiz about the supply chain attack on Trivy by TeamPCP, which likely caused a chain reaction due to the number of leaked credentials.
How a Typosquatted Domain and a Fake Version Tag Turned Trivy Into a Credential Stealer - another write-up on the aforementioned attack with some details of how it was done.
Announcing Ingress2Gateway 1.0: Your Path to Gateway API - a tool from Kubernetes’ SIG Network aimed at helping people migrate from the deprecated NGINX Ingress to the new Gateway API.
Updates to GitHub Copilot interaction data usage policy - you have to explicitly opt out in GitHub’s privacy settings if you don’t want your code to be used to train Copilot models.
axios Compromised on npm - Malicious Versions Drop Remote Access Trojan - another supply chain attack, this time on a tremendously popular HTTP client for Node.js.
Unpatchable Vulnerabilities of Kubernetes: CVE-2020-8561 - a CVE that allows a server-side request forgery (SSRF) style of attack. This one is not very exploitable, though, if you have networking and access control best practices in place.
That’s it for today. I wish I had some better news, but it’s mostly supply chain attacks. In any case, happy holidays to those who celebrate this weekend!