
Thirty Three Billion reasons to wait

Sometimes, it's good to wait.

I've been sitting on this newsletter for the last few days, unsure of why I'm not shipping it out. Now I know. To my mind, every edition of this newsletter that I want to post should have a hook. Till Tuesday morning, this particular edition was missing that hook.

We have it now. All Thirty Three Billion Dollars worth. That's how much Google parent company Alphabet is paying for cybersecurity firm Wiz.

We'll talk about that, and more, in today's newsletter - we'll address a Python vulnerability that's probably affecting you, a Linux partnership, a bit about ad blocking in your browser, and some hacking news and resources.

First, let's talk about the Python vulnerability. Endearingly called "GHSA-wmxh-pxcx-9w24" or CVE-2025-27607, this advisory affects python-json-logger. While this library has only 93 stars on GitHub, PyPI's metrics show that this dependency was installed over 44 million times in the last month.

The issue arose when an optional dev dependency of this package, namely "msgspec-python313-pre", was deleted. This dev dependency was maintained by a completely different developer as a bridge to getting their "msgspec" library working on Python 3.13. Once the official release of "msgspec" (with support for Python 3.13) came out, they went ahead and deleted msgspec-python313-pre from PyPI.

However, just because a package has been removed from the registry doesn't mean that downstream projects get automatically informed. Worse, the package name is now free for anyone, including an attacker, to register. This created a situation where, between 30th December 2024 and 4th March 2025 (when the issue was resolved), python-json-logger (and any other project using the interim dependency) was vulnerable to remote code execution (RCE), had someone claimed the "msgspec-python313-pre" package name on PyPI.

To be clear, that didn't happen. What did happen is that the researcher who found it reported it successfully against the python-json-logger project via GitHub's security advisory process. The developers of python-json-logger could have just patched up their library and moved on. But they chose to work with the researcher and reclaim the "msgspec-python313-pre" package name, thus securing other open source projects from getting RCE'd at a later date.

Why this is a big deal -

Over the course of building software, developers put their packages through many iterations. Often, corner cases such as supporting a future release end up creating dependencies such as "msgspec-python313-pre", which then get hard-coded in projects and become black holes when the upstream dependency is eventually removed. These black holes are perfect attack vectors, because you wouldn't even suspect the dependency of a dependency of being the reason why your environment is suddenly open to attack. But that's exactly what a software supply chain attack is - hackers looking for any chink in one's armor where they might be able to slip in and attack unsuspecting end users.

Today, the "msgspec-python313-pre" black hole has been plugged by developers looking to do the right thing. But as we've seen in this newsletter in the past, open source developers are constantly stretched for time and energy by their own community as well as by the demands of end users. Tomorrow there might be a developer who catches this sort of black hole on their own and, rather than fixing it in this two-step process which secures other projects too, might end up simply fixing their own project and moving on.

There's no mitigation against this but constant vigilance. That is what we must do.
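One way to make that vigilance routine, as an added example that is not from the newsletter or the python-json-logger project: parse a requirements list and ask the index whether each name still exists, since a name that returns 404 is exactly the gap described above (pip will still try to install it, and anyone may re-register it). The fetcher is injected so the script runs offline against a constructed index; in real use, pass a function that GETs the registry's per-project metadata URL and returns the HTTP status code.

```python
"""Audit a requirements list for dependency names missing from the index."""
import re
from collections import defaultdict
from typing import Callable, Dict, List, Optional

# Leading project name of a PEP 508 requirement (before extras, specifiers, markers).
_NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")


def parse_requirement(line: str) -> Optional[str]:
    """Return the PEP 503 normalised project name, or None for comments/options."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("-"):
        return None
    m = _NAME_RE.match(line)
    # Normalisation: case-fold and collapse runs of '.', '_' and '-' to a single '-'.
    return re.sub(r"[-_.]+", "-", m.group(1)).lower() if m else None


def audit(requirements: List[str], fetch_status: Callable[[str], int]) -> Dict[str, List[str]]:
    """Classify each requirement as present (200), missing (404) or error (anything else)."""
    report: Dict[str, List[str]] = defaultdict(list)
    for line in requirements:
        name = parse_requirement(line)
        if name is None:
            continue
        status = fetch_status(name)
        if status == 200:
            report["present"].append(name)
        elif status == 404:
            report["missing"].append(name)  # unregistered name: claimable by anyone
        else:
            report["error"].append(name)  # rate limit, outage: re-check, never assume safe
    return dict(report)


# Constructed stand-in for live index responses (hypothetical, for offline use).
_FAKE_INDEX = {"python-json-logger": 200, "msgspec": 200}


def fake_fetch_status(name: str) -> int:
    return _FAKE_INDEX.get(name, 404)


# Constructed dev-requirements file modelled on the situation in the text.
SAMPLE_REQUIREMENTS = [
    "python-json-logger>=3.0",
    "msgspec; python_version < '3.13'",
    "msgspec-python313-pre; python_version >= '3.13'  # interim bridge package",
    "-r base.txt",
]

if __name__ == "__main__":
    for category, names in audit(SAMPLE_REQUIREMENTS, fake_fetch_status).items():
        print(f"{category}: {names}")
```

A "missing" entry should be treated as an incident, not a cleanup task: remove or pin it, and consider reclaiming the name as the python-json-logger maintainers did.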


Alright, let's talk about Linux. Specifically, the Linux Foundation. One of the biggest wins of open source as a movement is that no one person owns open source software. That said, there are stewards of large open source projects which coordinate fund-raising and cooperation with enterprises, incubate new projects, and manage existing projects under their auspices. The Linux Foundation currently hosts over 900 projects - everything from kernel.org (which distributes the official copies of the Linux kernel) to RISC-V (the open source instruction set architecture) to the Cloud Native Computing Foundation (CNCF, which itself hosts scores of cloud related projects such as Kubernetes, cri-o, and one of my favorites, Cloud Custodian).

Joining the Linux Foundation is the Open Infrastructure Foundation. OpenInfra started out as the OpenStack Foundation, before hosting other projects like Kata Containers and Airship (the latter is for declarative lifecycle management of OpenStack on Kubernetes). With OpenInfra coming under the Linux Foundation's aegis, the goal is to promote data center modernization and cross-pollination between projects like Kubernetes and PyTorch. I've yet to understand what that translates to. I'll keep a watch and let you know.

But overall, the Linux Foundation is a powerful entity, and adding OpenInfra to its list of member foundations means even more power for Linux to channel resources from enterprises into making Open Source more awesome for the everyday user.


Now let's talk about Google Chrome. Chrome is the de facto browser for most people and most organizations around the world. No matter what Microsoft tries, Internet Explorer (or Edge as it's now called) will forever be used to just download Google Chrome. Except now Chrome has put a fine nail in its own coffin.

Browser Extensions like uBlock Origin are what make the Internet of today a usable place by blocking ads, tracking scripts, intrusive banners and auto-playing videos. Google's business is basically ads and tracking you. So Google and uBlock were never friends. Google's been looking for a logical way to get rid of uBlock for a very long time.

Now they have it. A while ago, they announced that they're moving extensions to Manifest Version 3. The manifest is the file that declares what your extension is and does (a requirements.txt of sorts), and its version is how Chromium (the open source browser underlying Google Chrome) defines which browser APIs an extension has access to.

Google's claim is that "Manifest V3 aims to be the first step in our platform vision to improve the privacy, security, and performance of extensions." But one of the core things this new version does is that it removes the ability for extensions to block network requests. It claims that it does this because extensions were essentially proxying all network requests through themselves, which cost privacy and performance.

The other thing Manifest V3 does is restrict how many filtering rules an extension can apply to 30,000. uBlock Origin generally ships with over 300,000 rules. This order-of-magnitude shift means uBlock Lite (which still works in Chrome but is a shadow of the behemoth that uBlock Origin is) can block a lot fewer requests and is also less able to keep up with advertisers' changing URLs.

All of this means that while Google continues to track what you're doing on the web via Google Chrome, extensions that are meant to protect your privacy and prevent fraud end up not being able to do so.

You can still take steps to save yourself from ads - start using Firefox, or uBlock Lite. But the safest way perhaps would be to use either an ad-blocking VPN/DNS service such as NextDNS or to just keep your /etc/hosts file updated to block the latest adware domains. I use the macOS app Gas Mask and the Steven Black consolidated hosts file to block requests Google wants me to see. It's not ideal, but it's something.

Why am I even talking about adblocking?

You'd be wondering that. Aside from a deep-seated hatred of ads, I also believe that protecting your privacy is of paramount importance. Ads are not just a way for companies to sell you stuff; they are a threat vector. From Facebook's Cambridge Analytica fun ride to basically every piece of PII that companies have collected and then leaked to hackers over the years, your online identity and wallet are constantly threatened by bad actors. Ads on the Internet may seem like a benign idea - a means for companies to provide free services to millions of users. But they are the conduit for an ever-increasing tracking mechanism. Every one of the ads you see on the open Internet carries with it the JavaScript required to send your data to hundreds if not thousands of companies, and how those companies treat your data is the stuff of nightmares.

So do yourself a favor. Block those ads.


Ok, let's talk about some hacking news.

First up, a tool used by the ransomware group "Black Basta" has come to light from chat logs that were leaked in an effort to parry the group's recent activities. This tool, named BRUTED, is meant to brute-force and credential-stuff VPNs, firewalls, and other edge nodes in an effort to get into networks.

The details of the tool are in the link, but suffice to say that it's an extremely well built and battle tested tool that can target various services and hardware, including "SonicWall NetExtender, Palo Alto GlobalProtect, Cisco AnyConnect, Fortinet SSL VPN, Citrix NetScaler (Citrix Gateway), Microsoft RDWeb (Remote Desktop Web Access), and WatchGuard SSL VPN."

While doing all this, the tool remains undercover by using a list of proxies, most of which are hosted in Russia.

The most dangerous part of this is not just the sheer number of devices the tool can target, but rather the way it does so. Sure, it's brute forcing passwords. But it's not random. Rather, it's using older, leaked credentials to try to gain entry. This type of attack, known as credential stuffing, is effective because there's always a chance that one edge device had its password leaked years ago, only to be attacked years later and become the weak link in an otherwise strong security apparatus.

Strong passwords, MFA, and regularly checking for leaked passwords for literally every service and device in your IT infra are ways to ensure your organization's safety, but even so, it's important to keep updating your security ideology to include newer methodologies to counter the ever evolving attacks by ransomware groups and other bad actors.


I'm not a security researcher, but it sure is fun for me to look at resources in the space. One such I've come across recently is the Google Hacking Database on Exploit DB. No, it's not a way to attack Google. Rather, it shows you search terms that you can use to find public facing sites and pages that Google has indexed, but which should not have been exposed.

Things like looking for

"BEGIN OPENSSH PRIVATE KEY" site:github.com

and

inurl:/cgi-bin/ "qnap turbo nas"

(to look for public facing qnap NAS devices which could be credential stuffed)

These are fun to look at, and scary, because it just goes to show how much Google has trawled the Internet. While the company does often do good by killing off such results from its indices, it's like playing Whack-a-Mole for a company that's very much profit-seeking and thus would be reluctant to spend too much time on helping save your private photo archive from hackers.

So while it's a great exercise for security researchers, the lesson for a bystander such as myself (and you) would be to use this information to think of which services you might be exposing by mistake and lock them down before someone commandeers your devices for a DDoS attack or sneaks into your bitcoin wallet.


Alright, let's get to it. Google recently announced their biggest acquisition ever. Not just for Google Cloud, but for the entire company. They're throwing down $33 Billion for Israeli startup Wiz to bolster their Cloud security offerings.

Google Cloud's revenue is dwarfed by what AWS and Azure pull in, especially in this era of Cloud-based AI training and hosting. So making this bet, which was rejected by the startup just last year at a price point of $23 Billion, seems to be a bold move.

It's not unprecedented though. Just three years ago, Google acquired Mandiant for $5.4 Billion. That company, perhaps most famous for investigating the SolarWinds attack exposed in 2020, boosted Google Cloud's Threat Intelligence and incident response capabilities.

With Wiz, Google intends to dive deeper into the enterprise cloud security space. The startup's main offering is cloud security posture management for all major public clouds as well as Kubernetes deployments. Google has stated that Wiz will continue to be available on the other public clouds, but it is to be expected that its integration with Google Cloud will only deepen over time. This, Google no doubt hopes, will convince enterprises to move to Google Cloud and use its in-house security offerings to trust and secure their cloud infra on GCP over all others.

While it remains to be seen if this acquisition gets approved by the authorities, if and when it does, it'll surely turn a pretty penny for initial investors. Meanwhile, it seems Google is going to pay that thirty-third billion dollars just to retain all the talent of the company post acquisition. At 1,700 employees, that's sure to mint quite a few new millionaires.

An important insight into this acquisition - Wiz is interesting because while still technically a startup, the company has a growth trajectory that's unparalleled. From the TechCrunch article I've linked above -

Wiz is particularly attractive because it’s coming to Google Cloud with an existing, massive business in tow. It is currently on track to double last year’s annual recurring revenue to $1 billion.

This sort of growth, and the sizeable customers that come with it, is both great and not great. It's great because the company is proving why Google should be paying the largest amount it has ever paid for a company, so it's not coming to its new parent from a position of weakness. It's not great because invariably, some customers will look to move, either because they'll see a multi-year leaning towards Google Cloud in Wiz's offerings and they're not Google Cloud customers, or because they will not be interested in getting squeezed as Google seeks to recoup the cost of the acquisition.

The startup will seek to use Google's competitiveness to grow its customer base. But the cost of being aligned with a particular Cloud vendor is that customers will always have a multicloud strategy, and if your offerings do not fit within that strategy, you're at a loss.

That's all for now folks! Keep yourself safe out there on the high internet seas, and keep coming back for more analysis, links, and interesting black holes in cybersecurity.