I have yet to talk much about it, but earlier this year I started an open-source project named malcontent that detects precisely this kind of attack: malicious changes in open-source software. This is very relevant to my day job at Chainguard.
malcontent summarizes the risks and capabilities of a file and alerts when a new version substantially changes those risks and capabilities. It's easier to show you with a screenshot:
In a nutshell: mal diff calculated that the risk of the file went from MEDIUM to CRITICAL between two revisions. In doing so, it surfaced a number of new behaviors that would catch the eye of a code reviewer. The idea here is that no tool will be able to give you a 100% reliable answer to “Is it malicious or not?”, but as a code reviewer, you have the context to judge which functionality changes are reasonable for the library you are consuming.
malcontent works on any file you might encounter in open source, from shell scripts to Linux ELF binaries to macOS Mach-O binaries and PHP. While we’ve incorporated over 15,000 YARA rules, we're far from the same quality level as VirusTotal; so if you are handy with YARA or Go, or would like to learn more about them, PRs are welcome!
PS – malcontent can also be used as a basic malware scanner – but it isn’t yet as impressive as the “diff” mode: mal scan /path
This weekend, I took my funky electric BMW CE 04 camping at the edge of the Uwharrie Mountains for 3 days, covering 170 miles (270km). The trip was a breeze, so skip this post if you are looking for drama.
At my current employer, nation-state actors are part of our threat model. So, I get a little excited when someone posts malware that is tied to one of the big-4 (China, North Korea, Russia, United States of America). Last week, Elastic Security Labs posted an article titled DPRK passing out KANDYKORN outlining the latest macOS malware discovery from North Korea, and this week a sample appeared in the Objective-See Malware collection for inspection.
I threw our YARA queries at Kandy Korn, and found that 2 of the 3 binaries were identified as suspicious:
Earlier this week, I stumbled into Cado's report on Qubitstrike, an attack on publicly accessible Jupyter notebook installations. Unlike most security reports, the hosted malware files were still available, which meant I could analyze and validate our defenses against it. Normally, I don't get this opportunity to study emerging threats, as I'm not paying the $20,000/yr paywall fee for access to Google's VirusTotal service that most researchers seem to rely on.
With 4,700 miles (7500km) and 9 months under my belt, it's time for my long-term review of the BMW CE 04.
Introduction
In 2022, BMW released the CE 04: a futuristic-looking spaceship in a sea of boring two-wheeled EVs. It made quite a splash, with BMW selling nearly 5000 in the first year. While European sales were strong, I estimate that only about 250 were sold in the USA during 2022. I may, in fact, be the only CE 04 owner in North Carolina.
Today is homeward bound: a final 204 miles through Central North Carolina. There are a couple of locations of historical interest that I plan to stop by: The Trading Ford, Sapona, and the Keyauwee village. I'm not keeping my hopes up too high, though, as the exact locations of each are murky and possibly on private property.
Today is the day of the twisties that I've been dreaming about, with roughly 180 miles of riding through the Blue Ridge Mountains ahead on my trusty BMW CE-04.
Breakfast at the Carrier House Bed & Breakfast was incredible: a creamy parfait, a savory soufflé, and excellent coffee. I regret not exploring Rutherfordton, as it's one of the oldest towns in North Carolina (1787). It was also named after a general who inflicted considerable damage on the nearby Cherokee tribes in the Cherokee–American wars.
Today began like most days do not: up at 5 am, staring at a scooter in the pouring rain, wondering if this trip was a good idea. Most adventures aren't, but that hasn't stopped anyone before.
My favorite personal fault is that when I commit to doing something, I do it regardless of whether it makes sense. Accordingly, I pressed the button to bring the BMW CE-04 to life as thunder reverberated across my recently adopted hometown of Chapel Hill, NC.
Today’s goals were the Town Creek Indian Site, lunch with a friend, and a quaint bed and breakfast in Rutherfordton, NC – some 200 miles direct – but the straightest routes in life are always the dullest.
Today I packed up the BMW CE-04 and did a range test to see how far I could get on North Carolina rural highways fully loaded: 62 miles, just as expected. What I packed is a bit different from what I would have packed for a ride on my GSs of yore:
In 42 hours’ time, I'm embarking on a 3-day journey through the center of North Carolina, focusing on places that were important to the Native Americans of this area:
My weapon of choice is the BMW CE-04 – an electric two-wheeler, which is why you see charging stops scattered around every 45-60 miles: