Welcome to the JFrog Blog

Advanced Security in your Software Supply Chain – Part 1

Advanced Security in your Software Supply Chain – Part 1

Containerised deployment is widely becoming a standard in every industry, ensuring these containers are protected at every level with a high level of accuracy is one of the most important tasks. Some industry vendors rely solely on the manifest files to provide them with a list of components, others have to manually convert the container…
Detecting Malicious Packages and How They Obfuscate Their Malicious Code

Detecting Malicious Packages and How They Obfuscate Their Malicious Code

Wow! We made it to the last post in our Malicious Packages series. While parting is such sweet sorrow, we hope blogs one, two, and three provide insights into the havoc malicious packages cause throughout your DevOps and DevSecOps pipelines.  In the prior posts: We explained what software supply chain attacks are and learned the…
Watch out for DoS when using Rust’s popular Hyper package

Watch out for DoS when using Rust’s popular Hyper package

The JFrog Security Research team is constantly looking for new and previously unknown vulnerabilities and security issues in popular open-source projects to help improve their security posture and defend the wider software supply chain. As part of this effort, we recently discovered and disclosed multiple vulnerabilities in popular Rust projects such as Axum, Salvo and…
Latest LastPass security breach highlights developers as a high-value target

Latest LastPass security breach highlights developers as a high-value target

Last August, the maintainers of the LastPass cloud-based password manager tool reported a security breach in their servers. The disclosure maintained that an unauthorized party gained access to the LastPass development environment through a single compromised developer account. However - while source code and technical information was stolen, no user data was compromised and no…
Maximizing Cost Efficiency with the JFrog Cloud DevOps Platform

Maximizing Cost Efficiency with the JFrog Cloud DevOps Platform

As businesses strive to keep up with the speed of digital transformation, they're turning to DevOps practices to help them automate the delivery of code changes. In a world where delivering secure quality software updates fast-drives business value, enter the JFrog Cloud DevOps Platform. The JFrog Platform unifies, accelerates, and secures your software delivery, from…
PyPI malware creators are starting to employ Anti-Debug techniques

PyPI malware creators are starting to employ Anti-Debug techniques

The JFrog Security Research team continuously monitors popular open-source software (OSS) repositories with our automated tooling, and reports any vulnerabilities or malicious packages discovered to repository maintainers and the wider community. Most PyPI malware today tries to avoid static detection using various techniques: starting from primitive variable mangling to sophisticated code flattening and steganography techniques.…
IDC LINK: JFrog Introduces New Software Supply Chain Security Capabilities

IDC LINK: JFrog Introduces New Software Supply Chain Security Capabilities

As software becomes increasingly complex, the need to secure the software supply chain becomes more important — and more difficult.  But how can businesses address the challenges of securing their software supply chain? The International Data Corporation (IDC) offers critical insight. Following the release of JFrog Advanced Security on October 18, 2022 – the world’s…
Invisible npm malware – evading security checks with crafted versions

Invisible npm malware – evading security checks with crafted versions

The npm CLI has a very convenient and well-known security feature - when installing an npm package, the CLI checks the package and all of its dependencies for well-known vulnerabilities - The check is triggered on package installation (when running npm install) but can also be triggered manually by running npm audit. This is an…
Turns out 78% of reported common CVEs on top DockerHub images are not really exploitable

Turns out 78% of reported common CVEs on top DockerHub images are not really exploitable

Research motivations Similarly to our previous research on “Secrets Detection,” during the development and testing of JFrog Xray’s new “Contextual Analysis” feature, we wanted to test our detection in a large-scale real-world use case, both for eliminating bugs and testing the real-world viability of our current solution. However, unlike the surprising results we got in our…