Welcome to the JFrog Blog

Latest:

Shai-Hulud npm supply chain attack – new compromised packages detected

September 16, 2025 Andrey Polkovnichenko, JFrog Security Researcher

9 min read

IMPORTANT UPDATE:  Shai-Hulud Returns  (Nov 24, 2025) JFrog continues to track, provide research and document another wave of the Shai-Hulud Software Supply Chain Attack. Following the initial campaign, threat actors have returned with more advanced tactics, compromising an additional 796 new malicious packages across leading public registries. This new wave exhibits several key differences from…

Read More

All Blogs

Securing Vibe Coding: JFrog Introduces AI-Generated Code Validation

Securing Vibe Coding: JFrog Introduces AI-Generated Code Validation

November 13, 2025 Jacqueline Basil, JFrog Product Marketing Manager, Security | 5 min read

A fundamental shift in software development is already here. Gartner predicts that by 2028, 75% of enterprise software engineers will use AI code assistants - a massive leap from less than 10% in early 2023. While this AI-driven speed creates a competitive advantage, it also opens a dangerous new front in the battle for software…
Read More
The Security Imperative: Trust, Speed, and Integral Defense

The Security Imperative: Trust, Speed, and Integral Defense

November 11, 2025 The JFrog Team | 10 min read

The systemic nature of software supply chain attacks is growing more complex, creating a critical tension between speed and security. The Israeli National Cyber Directorate’s (INCD) recent "Breaking the Chain" report validates that the most significant threats live outside your first-party code, highlighting a crisis of trust in the open-source-software (OSS) supply chain. While the…
Read More
Critical RCE Vulnerability CVE-2025-11953 Puts React Native Developers at Risk

Critical RCE Vulnerability CVE-2025-11953 Puts React Native Developers at Risk

November 4, 2025 Or Peles, JFrog Senior Security Researcher | 12 min read

The JFrog Security Research team recently discovered and disclosed CVE-2025-11953 - a critical (CVSS 9.8) security vulnerability affecting the extremely popular @react-native-community/cli NPM package that has approximately 2M weekly downloads. The vulnerability allows remote unauthenticated attackers to easily trigger arbitrary OS command execution on the machine running react-native-community/cli’s development server, posing a significant risk to…
Read More
JFrog & GitHub: Unifying the Software Supply Chain, One Step at a Time… and Our 2025 GitHub Technology Partner Award

JFrog & GitHub: Unifying the Software Supply Chain, One Step at a Time… and Our 2025 GitHub Technology Partner Award

October 28, 2025 Paul Garden, JFrog Partner and Industry Solutions | 6 min read

Organizations increasingly demand platforms that not only accelerate software delivery but also provide trust, security, and traceability. At JFrog, the software supply chain is managed and secured by default, from commit to runtime. That’s why our deep integration with GitHub is central to how we help teams manage, monitor, and secure every step of software…
Read More
CVE-2025-6515 Prompt Hijacking Attack – How Session Hijacking Affects MCP Ecosystems

CVE-2025-6515 Prompt Hijacking Attack – How Session Hijacking Affects MCP Ecosystems

October 21, 2025 Ori Hollander, JFrog Security Researcher Ofri Ouzan, JFrog Security Researcher | 10 min read

JFrog Security Research recently discovered and disclosed multiple CVEs in oatpp-mcp - the Oat++ framework’s implementation of Anthropic’s Model Context Protocol (MCP) standard. Among these, CVE-2025-6515 stood out due to its potential threat of hijacking MCP session IDs. Within the context of MCP we’ve dubbed this new attack technique "Prompt Hijacking". Your browser does not…
Read More
JFrog AppTrust: A Technical Deep Dive into Building a Trusted Software Supply Chain

JFrog AppTrust: A Technical Deep Dive into Building a Trusted Software Supply Chain

October 16, 2025 Jacqueline Basil, JFrog Product Marketing Manager, Security | 7 min read

Software supply chains have grown more complex as software delivery accelerates across more teams, technologies and environments. While the pace of releases continues to increase, the ability to manage these releases has not accelerated correspondingly. Developers and development operations are now firmly in the spotlight, as new regulations demand clear, auditable proof that every stage…
Read More
Don’t Guess What to Scan: Runtime Scope Ensures Full Production Coverage

Don’t Guess What to Scan: Runtime Scope Ensures Full Production Coverage

October 15, 2025 Ariel Antoni, JFrog Senior Product Manager | 5 min read

Are you confident that you’re scanning for security vulnerabilities on all your software running in production? If this question makes you uncomfortable don’t worry. First, you’re not alone. Second - keep reading. Almost all security teams today face a massive challenge: they’re drowning in data but lack direction. They have an overwhelming amount of code…
Read More
Shifting Security ‘Lefter’ Than Left Is The Key To Avoiding Risky Packages

Shifting Security ‘Lefter’ Than Left Is The Key To Avoiding Risky Packages

September 19, 2025 Asaf Karas, JFrog CTO & SVP Security | 4 min read

As the AI revolution accelerates, developers are being inundated with a dazzling array of new software packages and game-changing tools such as GitHub CoPilot, Sourcegraph, Qodo, Cursor, Goose, and others that promise incredible advances in productivity and impact. The excitement over this is high and just keeps on growing. Cyberattackers share equally in this excitement;…
Read More
From Silos to Synergy: Unifying Your Security Tools for a Stronger More Resilient Software Supply Chain

From Silos to Synergy: Unifying Your Security Tools for a Stronger More Resilient Software Supply Chain

October 1, 2025 Paul Davis, Field CISO | 4 min read

In the race to secure today’s ever-expanding attack surface, many companies have made a  practice of using a mix of tools to monitor, assess, and remediate threats. This practice has resulted in a fragmented and chaotic landscape of security solutions across several teams, increasing complexity and forcing companies to have a reactive vs. proactive security…
Read More
Chaotic Deputy: Critical vulnerabilities in Chaos Mesh lead to Kubernetes cluster takeover

Chaotic Deputy: Critical vulnerabilities in Chaos Mesh lead to Kubernetes cluster takeover

September 16, 2025 Natan Nehorai, JFrog Application Security Researcher | 11 min read

JFrog Security Research recently discovered and disclosed multiple CVEs in the highly popular Chaos engineering platform - Chaos-Mesh. The discovered CVEs, which we’ve named Chaotic Deputy are CVE-2025-59358, CVE-2025-59360, CVE-2025-59361 and CVE-2025-59359. The last three Chaotic Deputy CVEs are critical severity (CVSS 9.8) vulnerabilities which can be easily exploited by in-cluster attackers to run arbitrary…
Read More

Popular Tags