npm v12’s Biggest Security Change: From Implicit to Explicit Trust

For years, installing an npm package has meant trusting that every package in the dependency tree will behave as expected. Whether code originated from the npm registry, a Git repository, a remote URL, or an installation script buried deep within a transitive dependency, npm would typically execute or retrieve it automatically during the installation process.…
JFrog Named a Leader in the Inaugural Gartner® Magic Quadrant™ for Software Supply Chain Security

The recognition is new; the commitment behind it isn't. It's official. Gartner just published the very first Gartner® Magic Quadrant™ for Software Supply Chain Security, and JFrog has been recognized as a Leader, placing highest for Ability to Execute among all the vendors included. For an inaugural report in a category this important, that placement…
How to Validate Policy-as-Code Without Breaking Builds (Even When AI Writes the Code)

Picture two realities for the same compliance control reaching production. Reality One: Your AppSec team writes a new rule. An engineer uses Claude Code or Cursor to generate the OPA (Open Policy Agent) Rego policy in minutes. They deploy it. It blocks a legitimate release on a missing context variable, and the on-call engineer routes…
The Governance Gap: What IDC’s 2026 Data Reveals About AI and the Software Supply Chain

In a landscape where executive teams demand immediate AI integration, engineering and security leaders find themselves navigating a complex operational balancing act. To explore how organizations can accelerate delivery pipelines without introducing fatal security risks, JFrog recently hosted a virtual panel discussion titled "Agentic Software Delivery in 2026: How to Bridge the Gap Between AI…
Introducing Package Traffic Controller: Software Supply Chain Security at the Network Edge

Imagine this: your security team has done everything right. All development teams are using a centrally managed artifact repository with scanning in place. Your engineering organization has clear policies about where packages can come from. You feel good about your software supply chain posture. Then an incident review surfaces something nobody planned for: a compromised…
The Governance Gap Between Your Policy and Your Pipeline

Security teams are under more pressure than ever, and most of them believe they're keeping up. That confidence, it turns out, may be the most consequential finding in the JFrog 2026 Software Supply Chain Security State of the Union. Across 18.2 billion artifacts analyzed, independent vulnerability research from the JFrog Security Research team, and a…
The Agent Has Entered the Supply Chain

Software Delivery in the Age of Agents

The way software gets built has fundamentally shifted. AI coding agents are no longer just autocomplete on steroids; they're resolving packages, configuring environments, selecting tools, and in some cases running the entire development lifecycle, with or without a human in the loop. But here's the problem: the tools…