Welcome to the JFrog Blog

Latest from Xray :

npm package hijacking through domain takeover – how bad is this “new” attack?

May 24, 2022 Andrey Polkovnychenko and Shachar Menashe

11 min read

When relying on a 3rd-party package from a non-commercial entity, there is always the risk of lack of support, especially when it comes to outdated packages and versions. If the package stops being maintained, nobody will implement a new feature we might need or fix a newly-discovered security vulnerability. Consider, for example, CVE-2019-17571. A critical…

Read More
JFrog & Industry Leaders Join White House Summit on Open Source Software Security

JFrog & Industry Leaders Join White House Summit on Open Source Software Security

May 18, 2022 Stephen Chin, VP of Developer Relations, JFrog | 6 min read

There’s no question the volume, sophistication and severity of software supply chain attacks has increased in the last year. In recent months the JFrog Security Research team tracked nearly 20 different open source software supply chain attacks – two of which were zero day threats. This steady barrage of vulnerabilities and malicious packages is driving…
Read More
How to Prevent the Next Log4j Style Zero-Day Vulnerability

How to Prevent the Next Log4j Style Zero-Day Vulnerability

May 17, 2022 Asaf Karas, Oren Ish-Shalom, Ilya Khivrich | 8 min read

Note: This blog post was previously published on Dark Reading Software testing is notoriously hard. Search Google for CVEs caused by basic CRLF (newline character) issues and you’ll see thousands of entries. Humanity has been able to put a man on the moon, but it hasn’t yet found a proper way to handle line endings…
Read More
Scan your software packages for security vulnerabilities with JFrog Xray

Scan your software packages for security vulnerabilities with JFrog Xray

May 17, 2022 Robi Nino and Michael Sverdlov | 4 min read

Scanning your packages for security vulnerabilities and license violations should be done as early as possible in your SDLC, and the earlier the better. This concept is also known as “Shifting Left”, which helps your organization comply with security policies and standards early on in the software development process. As developers, this may seem like…
Read More
npm supply chain attack targets Germany-based companies with dangerous backdoor malware

npm supply chain attack targets Germany-based companies with dangerous backdoor malware

May 10, 2022 Andrey Polkovnychenko and Shachar Menashe | 9 min read

Update May 11th: Following the publication of this blog post, a penetration testing company called "Code White" took responsibility for this dependency confusion attack The JFrog Security research team constantly monitors the npm and PyPI ecosystems for malicious packages that may lead to widespread software supply chain attacks. Last month, we shared a widespread npm…
Read More
DevSecOps 101 Webinar Series

DevSecOps 101 Webinar Series

April 28, 2022 JFrog Team | 2 min read

Security should be embedded into the DevOps workflow by default, but for many organizations, it isn't. Enter "DevSecOps". What is DevSecOps? It is a practice to build more secure applications, secure the software supply chain, and secure cloud and on-prem workloads. It is an essential practice that needs visibility. Our new “DevSecOps 101” webinar series…
Read More
CVE-2022-21449 “Psychic Signatures”: Analyzing the New Java Crypto Vulnerability

CVE-2022-21449 “Psychic Signatures”: Analyzing the New Java Crypto Vulnerability

April 21, 2022 Brian Moussalli, JFrog Security Research Team | 5 min read

A few days ago, security researcher Neil Madden published a blog post, in which he provided details about a newly disclosed vulnerability in Java, CVE-2022-21449 or "Psychic Signatures". This security vulnerability originates in an improper implementation of the ECDSA signature verification algorithm, introduced in Java 15. This vulnerability allows an attacker to potentially intercept communication…
Read More
CVE-2022-24675 – Stack overflow (exhaustion) in Go’s PEM decoder

CVE-2022-24675 – Stack overflow (exhaustion) in Go’s PEM decoder

April 18, 2022 David Cohen | 4 min read

A few days ago it was reported that the new Go versions 1.18.1 and 1.17.9 contain fixes for a stack overflow vulnerability in the encoding/pem builtin package, in the Decode function. Given the high popularity of Go among our customers and in the industry at large, this update led us to investigate the vulnerability in…
Read More

Popular Tags