Shachar Menashe

JFrog Senior Director Security Research

Shachar has more than 15 years of experience in security research & engineering, including low-level R&D, reverse engineering and vulnerability research. He currently leads the security research division in JFrog, specializing in automated vulnerability research techniques. Before joining Vdoo and JFrog, Shachar was responsible for building the low-level security of Magic Leap’s custom OS. Shachar holds a BSc in Electronics Engineering and Computer Science from Tel-Aviv University.

The Latest From Shachar Menashe

  • Binary secret scanning helped us prevent (what might have been) the worst supply chain attack you can imagine

    | 8 min read

    The JFrog Security Research team has recently discovered and reported a leaked access token with administrator access to Python’s, PyPI’s and Python Software Foundation’s GitHub repositories, which was leaked in a public Docker container hosted on Docker Hub. As a community service, the JFrog Security Research team continuously scans public repositories such as Docker Hub,…

    Read More  
  • JFrog Security research discovers coordinated attacks on Docker Hub that planted millions of malicious repositories

    | 19 min read

    As key parts of the software ecosystem, and as partners, JFrog and Docker are working together to strengthen the software ecosystem. Part of this effort by JFrog's security research team involves continuous monitoring of open-source software registries in order to proactively identify and address potential malware and vulnerability threats. In former publications, we have discussed…

    Read More  
  • CVE-2024-3094 XZ Backdoor: All you need to know

    | 14 min read

    Update April 1st - Updated "What is the malicious payload of CVE-2024-3094?" due to newly released OSS tools Update April 7th - Updated "What is the malicious payload of CVE-2024-3094?" due to more published payload research   On March 29th, it was reported that malicious code enabling unauthorized remote SSH access has been detected within…

    Read More  
  • Watch out for DoS when using Rust’s popular Hyper package

    | 5 min read

    The JFrog Security Research team is constantly looking for new and previously unknown vulnerabilities and security issues in popular open-source projects to help improve their security posture and defend the wider software supply chain. As part of this effort, we recently discovered and disclosed multiple vulnerabilities in popular Rust projects such as Axum, Salvo and…

    Read More  
  • Latest LastPass security breach highlights developers as a high-value target

    | 5 min read

    Last August, the maintainers of the LastPass cloud-based password manager tool reported a security breach in their servers. The disclosure maintained that an unauthorized party gained access to the LastPass development environment through a single compromised developer account. However - while source code and technical information was stolen, no user data was compromised and no…

    Read More  
  • Turns out 78% of reported common CVEs on top DockerHub images are not really exploitable

    | 15 min read

    Research motivations Similarly to our previous research on “Secrets Detection,” during the development and testing of JFrog Xray’s new “Contextual Analysis” feature, we wanted to test our detection in a large-scale real-world use case, both for eliminating bugs and testing the real-world viability of our current solution. However, unlike the surprising results we got in our…

    Read More