Welcome to the JFrog Blog

Latest from Xray :

How to Connect the JFrog Platform to Your GitHub Environment to Create a Seamless Integration

May 30, 2024 Batel Zohar, JFrog Developer Advocate Carmit Hershman, JFrog Senior Software Architect, CTO Office

8 min read

The latest JFrog collaboration with GitHub enables you to easily combine your favorite solutions for source code and binaries in a seamless integration. This means you now have a unified comprehensive and secure end-to-end experience that supports your software projects. This integration covers everything from curating open source packages, coding, CI, release management, deployment and…

Read More
Latest LastPass security breach highlights developers as a high-value target

Latest LastPass security breach highlights developers as a high-value target

December 29, 2022 Shachar Menashe | 5 min read

Last August, the maintainers of the LastPass cloud-based password manager tool reported a security breach in their servers. The disclosure maintained that an unauthorized party gained access to the LastPass development environment through a single compromised developer account. However - while source code and technical information was stolen, no user data was compromised and no…
Read More
Maximizing Cost Efficiency with the JFrog Cloud DevOps Platform

Maximizing Cost Efficiency with the JFrog Cloud DevOps Platform

December 21, 2022 David Pham, Senior Product Marketing Manager, JFrog Cloud DevOps Platform | 9 min read

As businesses strive to keep up with the speed of digital transformation, they're turning to DevOps practices to help them automate the delivery of code changes. In a world where delivering secure quality software updates fast-drives business value, enter the JFrog Cloud DevOps Platform. The JFrog Platform unifies, accelerates, and secures your software delivery, from…
Read More
PyPI malware creators are starting to employ Anti-Debug techniques

PyPI malware creators are starting to employ Anti-Debug techniques

December 13, 2022 Andrey Polkovnychenko | 8 min read

The JFrog Security Research team continuously monitors popular open-source software (OSS) repositories with our automated tooling, and reports any vulnerabilities or malicious packages discovered to repository maintainers and the wider community. Most PyPI malware today tries to avoid static detection using various techniques: starting from primitive variable mangling to sophisticated code flattening and steganography techniques.…
Read More
IDC LINK: JFrog Introduces New Software Supply Chain Security Capabilities

IDC LINK: JFrog Introduces New Software Supply Chain Security Capabilities

December 6, 2022 The JFrog Team | 3 min read

As software becomes increasingly complex, the need to secure the software supply chain becomes more important — and more difficult.  But how can businesses address the challenges of securing their software supply chain? The International Data Corporation (IDC) offers critical insight. Following the release of JFrog Advanced Security on October 18, 2022 – the world’s…
Read More
Invisible npm malware – evading security checks with crafted versions

Invisible npm malware – evading security checks with crafted versions

November 29, 2022 Or Peles, JFrog Vulnerability Research Team Leader | 6 min read

The npm CLI has a very convenient and well-known security feature - when installing an npm package, the CLI checks the package and all of its dependencies for well-known vulnerabilities - The check is triggered on package installation (when running npm install) but can also be triggered manually by running npm audit. This is an…
Read More
Turns out 78% of reported common CVEs on top DockerHub images are not really exploitable

Turns out 78% of reported common CVEs on top DockerHub images are not really exploitable

November 15, 2022 Shachar Menashe, Jonathan Sar-Shalom and Nitay Meiron, JFrog Security Research Team | 15 min read

Research motivations Similarly to our previous research on “Secrets Detection,” during the development and testing of JFrog Xray’s new “Contextual Analysis” feature, we wanted to test our detection in a large-scale real-world use case, both for eliminating bugs and testing the real-world viability of our current solution. However, unlike the surprising results we got in our…
Read More
Common Payloads Attackers Plant in Malicious Software Packages

Common Payloads Attackers Plant in Malicious Software Packages

November 14, 2022 Jonathan Sar Shalom, Director of Threat Research, JFrog | 9 min read

In this third post in our series on Malicious Software Packages, we’ll focus on the aftermath of a successful attack and how the attacker executes payloads to serve their needs through various real-life scenarios. Before we start, let’s review a few highlights from the second post you might've missed: There are common types of infection methods…
Read More
JFrog’s security scanners discovered thousands of publicly exposed API tokens – and they’re active! The Full Report

JFrog’s security scanners discovered thousands of publicly exposed API tokens – and they’re active! The Full Report

November 8, 2022 Andrey Polkovnychenko and Shachar Menashe, JFrog Security Research | 19 min read

Note: This report was previously published in InfoWorld When developing the recently announced JFrog Advanced Security, our Research team decided to try out its new “Secrets Detection” feature. Our goal was to test our vulnerability detection on as much real world data as possible, to make sure we eliminate false positives and catch any bugs…
Read More
Five Examples of Infection Methods Attackers Use to Spread Malicious Packages

Five Examples of Infection Methods Attackers Use to Spread Malicious Packages

October 31, 2022 Jonathan Sar Shalom, Director of Threat Research, JFrog | 13 min read

Welcome to the second post in our series on Malicious Software Packages. This post focuses on the infection methods attackers use to spread malicious packages, and how the JFrog Security research team unveiled them. If you missed the first blog, here are some key takeaways: Third-party software packages contain vulnerabilities or malicious code delivered through…
Read More
CVE-2022-3602 and CVE-2022-3786 – High-severity OpenSSL Vulnerabilities Finally Published

CVE-2022-3602 and CVE-2022-3786 – High-severity OpenSSL Vulnerabilities Finally Published

November 2, 2022 Shachar Menashe, Sr. Director Security Research | 7 min read

How did we get here? On October 25th, The OpenSSL team announced that OpenSSL 3.0.7 will contain a fix for a critical severity vulnerability that affects OpenSSL 3.x. The full details about the vulnerability were held in an embargo until November 1st. Due to the rarity of an OpenSSL critical-severity issue and the overwhelming popularity…
Read More

Popular Tags