Welcome to the JFrog Blog

All Blogs

Beyond Tokens SF: Best Ideas of the Evening

Beyond Tokens SF: Best Ideas of the Evening

AI agents are changing how software gets built, but the infrastructure around them hasn't caught up. Agents burn through tokens on noise. They take actions they shouldn't. Context evaporates between releases. And most delivery pipelines were never designed for the pace and volume of agentic development. On June 11th we brought together developers in San…
Where Severity Scores Go Wrong: “Just Add Prototype Pollution”

Where Severity Scores Go Wrong: “Just Add Prototype Pollution”

At JFrog, our Security Research team continuously monitors and analyzes newly disclosed CVEs across the open-source ecosystem. Throughout our research, we have repeatedly observed cases where the assigned severity score does not accurately reflect a vulnerability's real-world impact or exploitability. In fact, during 2025, JFrog researchers reassessed NVD critical-severity vulnerabilities and concluded that 96% warranted…
JFrog Named a Leader in the Inaugural Gartner<sup>®</sup> Magic Quadrant™ for Software Supply Chain Security

JFrog Named a Leader in the Inaugural Gartner® Magic Quadrant™ for Software Supply Chain Security

The recognition is new; the commitment behind it isn't. It's official. Gartner just published the very first Gartner® Magic Quadrant™ for Software Supply Chain Security, and JFrog has been recognized as a Leader, placing highest for Ability to Execute among all the vendors included. For an inaugural report in a category this important, that placement…
How JFrog and NanoClaw are Bringing Software Supply Chain Security to the Age of Autonomous AI

How JFrog and NanoClaw are Bringing Software Supply Chain Security to the Age of Autonomous AI

There's a category of security risk that most organizations aren't ready for. It doesn't live in your code repository, your CI pipeline, or your developer laptops. It lives in your runtime, in the autonomous AI agents already running in your environment, extending their own capabilities, and making decisions that no human explicitly approved. This is…
PixelSmash – Critical FFmpeg Vulnerability Turns Media Files into Weapons

PixelSmash – Critical FFmpeg Vulnerability Turns Media Files into Weapons

JFrog Security Research recently discovered and disclosed a critical vulnerability in FFmpeg, the world's most widely deployed media processing framework. The discovered vulnerability, which we've named PixelSmash, is CVE-2026-8461 - a heap out-of-bounds write in the MagicYUV decoder (CVSS 8.8 High). We escalated this vulnerability from a simple crash all the way to reliable remote…
npm v12’s Biggest Security Change: From Implicit to Explicit Trust

npm v12’s Biggest Security Change: From Implicit to Explicit Trust

For years, installing an npm package has meant trusting that every package in the dependency tree will behave as expected. Whether code originated from the npm registry, a Git repository, a remote URL, or an installation script buried deep within a transitive dependency, npm would typically execute or retrieve it automatically during the installation process.…
How to Validate Policy-as-Code Without Breaking Builds (Even When AI Writes the Code)

How to Validate Policy-as-Code Without Breaking Builds (Even When AI Writes the Code)

Picture two realities for the same compliance control reaching production. Reality One: Your AppSec team writes a new rule. An engineer uses Claude Code or Cursor to generate the OPA (Open Policy Agent) Rego policy in minutes. They deploy it. It blocks a legitimate release on a missing context variable, and the on-call engineer routes…
The Governance Gap: What IDC’s 2026 Data Reveals About AI and the Software Supply Chain

The Governance Gap: What IDC’s 2026 Data Reveals About AI and the Software Supply Chain

In a landscape where executive teams demand immediate AI integration, engineering and security leaders find themselves navigating a complex operational balancing act. To explore how organizations can accelerate delivery pipelines without introducing fatal security risks, JFrog recently hosted a virtual panel discussion titled "Agentic Software Delivery in 2026: How to Bridge the Gap Between AI…