Welcome to the JFrog Blog

Latest:

Shai-Hulud npm supply chain attack – new compromised packages detected

September 16, 2025 Andrey Polkovnichenko, JFrog Security Researcher

6 min read

Recently, the npm ecosystem has faced its third large-scale attack. Following the recent compromise of the nx packages  and another wave targeting popular packages, the registry has once again been attacked.   The first report came from Daniel Pereira, who identified a compromised package: @ctrl/tinycolor@4.1.1. By the end of the day, JFrog’s malware scanners had…

Read More

All Blogs

Chaotic Deputy: Critical vulnerabilities in Chaos Mesh lead to Kubernetes cluster takeover

Chaotic Deputy: Critical vulnerabilities in Chaos Mesh lead to Kubernetes cluster takeover

September 16, 2025 Natan Nehorai, JFrog Application Security Researcher | 11 min read

JFrog Security Research recently discovered and disclosed multiple CVEs in the highly popular Chaos engineering platform - Chaos-Mesh. The discovered CVEs, which we’ve named Chaotic Deputy are CVE-2025-59358, CVE-2025-59360, CVE-2025-59361 and CVE-2025-59359. The last three Chaotic Deputy CVEs are critical severity (CVSS 9.8) vulnerabilities which can be easily exploited by in-cluster attackers to run arbitrary…
Read More
The AI/ML Regulatory Landscape and How to Stay Ahead

The AI/ML Regulatory Landscape and How to Stay Ahead

September 11, 2025 Paul Davis, Field CISO | 5 min read

The entire world of technology is abuzz about AI/ML. It’s arguably the most disruptive technology to society since the smartphone. In fact, Gartner estimates that the number of companies using open-source AI directly will increase tenfold by 2027. While this rapid advance is fueling quantum leaps in innovation, it also ignites increasing scrutiny from regulatory…
Read More
JFrog and GitHub: Next-Level DevSecOps

JFrog and GitHub: Next-Level DevSecOps

September 10, 2025 Paul Garden, JFrog Partner and Industry Solutions | 6 min read

Most DevSecOps pipelines have a gap: source code security and binary security are handled in separate silos. This creates blind spots, slows teams down, and increases risk. At swampUP 2025, we’re unveiling the next evolution of the JFrog and GitHub integration, a deeply integrated DevSecOps experience that unifies best-of-breed code and binary platforms. With JFrog…
Read More
Stop the Chaos: How to Centralize, Secure, and Control Developer Extensions

Stop the Chaos: How to Centralize, Secure, and Control Developer Extensions

September 10, 2025 Achinoam Katsoff-Sitton, JFrog Product Marketing Manager, DevOps | 4 min read

Picture this: A new developer joins your team, excited to start contributing. On day one, they spend hours installing and configuring their IDE, searching for the "right" extensions. Their setup ends up being completely different from everyone else's. Sound familiar? Worse yet, what if that "productivity-boosting" extension or new MCP server they just installed also…
Read More
Announcing JFrog AppTrust: Building Unshakeable Trust in Every Application You Deliver

Announcing JFrog AppTrust: Building Unshakeable Trust in Every Application You Deliver

September 9, 2025 Eyal Dyment, JFrog VP Security | 7 min read

The pressure to deliver applications quickly has created a complex software supply chain that is vulnerable to more  threats than ever before. New regulations are shifting the liability to software developers, demanding auditable proof of security across the entire product lifecycle. Caught between velocity and complexity, the critical question is this: Can you truly vouch…
Read More
Agentic Software Supply Chain Security: AI-Assisted Curation and Remediation

Agentic Software Supply Chain Security: AI-Assisted Curation and Remediation

September 9, 2025 Paul Garden, JFrog Partner and Industry Solutions | 7 min read

Software supply chains are the #1 attack vector for cybercriminals, and the challenge isn’t just finding vulnerabilities; it’s fixing them fast while ensuring security, compliance, and developer productivity. As supply chains grow in complexity, traditional tools aren’t enough; organizations need intelligent, autonomous assistance embedded directly into developer workflows. We are pleased to announce that JFrog…
Read More
Using JFrog to Align Your Systems for ISO 27001 Compliance

Using JFrog to Align Your Systems for ISO 27001 Compliance

August 28, 2025 Paul Davis, Field CISO | 8 min read

ISO/IEC 27001 is an information security standard that is quickly becoming a must-have for any organization that handles proprietary customer data. ISO 27001 certification is now often a requirement to do business, particularly for IT and SaaS organizations - JFrog included! In this blog, you’ll learn more about ISO 27001, how to get certified, and…
Read More
New Invisible Attack Creates Parallel Poisoned Web Only for AI Agents

New Invisible Attack Creates Parallel Poisoned Web Only for AI Agents

September 4, 2025 Shaked Zychlinski, JFrog AI Architect | 7 min read

AI agents are rapidly evolving from simple text generators into powerful autonomous assistants that can browse the web, book travel, and extract complex data on our behalf. This new "agentic" AI, which operates in a "sense-plan-act" loop, promises to revolutionize how we interact with the digital world. But as we grant these agents more autonomy…
Read More
8 Malicious npm Packages Deliver Multi-Layered Chrome Browser Information Stealer

8 Malicious npm Packages Deliver Multi-Layered Chrome Browser Information Stealer

August 27, 2025 Guy Korolevski, JFrog Security Researcher | 7 min read

Open-source software repositories have become one of the main entry points for attackers as part of supply chain attacks, with growing waves using typosquatting and masquerading, pretending to be legitimate. The JFrog Security Research team regularly monitors open-source software repositories using advanced automated tools, in order to detect malicious packages. In cases of potential software…
Read More

Popular Tags