Welcome to the JFrog Blog

Latest:

New Invisible Attack Creates Parallel Poisoned Web Only for AI Agents

September 4, 2025 Shaked Zychlinski, JFrog AI Architect

7 min read

AI agents are rapidly evolving from simple text generators into powerful autonomous assistants that can browse the web, book travel, and extract complex data on our behalf. This new "agentic" AI, which operates in a "sense-plan-act" loop, promises to revolutionize how we interact with the digital world. But as we grant these agents more autonomy…

Read More

All Blogs

Confessions of a CISO: I Have Trust Issues

Confessions of a CISO: I Have Trust Issues

September 3, 2025 Paul Davis, Field CISO | 12 min read

The speed of software development today is driven by fierce competition and the constant demand for innovation. Organizations are launching software faster than ever to keep up with the market and drive growth. This need for speed has led to several key trends: Greater Accountability Demanded of Developers: Developer productivity is no longer only measured…
Read More
Using JFrog to Align Your Systems for ISO 27001 Compliance

Using JFrog to Align Your Systems for ISO 27001 Compliance

August 28, 2025 Paul Davis, Field CISO | 8 min read

ISO/IEC 27001 is an information security standard that is quickly becoming a must-have for any organization that handles proprietary customer data. ISO 27001 certification is now often a requirement to do business, particularly for IT and SaaS organizations - JFrog included! In this blog, you’ll learn more about ISO 27001, how to get certified, and…
Read More
8 Malicious npm Packages Deliver Multi-Layered Chrome Browser Information Stealer

8 Malicious npm Packages Deliver Multi-Layered Chrome Browser Information Stealer

August 27, 2025 Guy Korolevski, JFrog Security Researcher | 7 min read

Open-source software repositories have become one of the main entry points for attackers as part of supply chain attacks, with growing waves using typosquatting and masquerading, pretending to be legitimate. The JFrog Security Research team regularly monitors open-source software repositories using advanced automated tools, in order to detect malicious packages. In cases of potential software…
Read More
Still Trusting Automated Patches Blindly? Think Again

Still Trusting Automated Patches Blindly? Think Again

July 23, 2025 Yonatan Arbel, JFrog Developer Advocate | 4 min read

The Breach: A High-Impact Compromise JounQin’s npm account, the maintainer of popular packages such as eslint-config-prettier, was compromised in a phishing attack. The attackers used the breached credentials to publish six malicious versions of eslint-config-prettier, along with three additional infected packages tied to the same account. In total, the compromised packages see roughly 78 million…
Read More
The UK’s New Software Security Code of Practice and How JFrog Can Help

The UK’s New Software Security Code of Practice and How JFrog Can Help

July 16, 2025 Dafna Zahger Bernanka, JFrog Director of Product Marketing, Security | 8 min read

The UK government has taken a proactive step by recently releasing the Software Security Code of Practice, a vital framework aimed at strengthening the cybersecurity posture of organizations that develop and sell software. This code outlines essential practices and principles, guiding companies to enhance their software security throughout the development lifecycle, from initial design to…
Read More
How to Optimize DevSecOps Workflows Using JFrog

How to Optimize DevSecOps Workflows Using JFrog

July 15, 2025 Pranav Hegde, Tech Lead, JFrog | 9 min read

Embedding security within the Software Development Life Cycle (SDLC) is no longer just a best practice; it’s a full-on necessity. DevSecOps extends the DevOps model by making security a shared responsibility from the earliest stages of development. Today’s enterprises require this kind of integrated approach to streamline workflows from development to deployment. The JFrog Platform…
Read More
Critical RCE Vulnerability in mcp-remote: CVE-2025-6514 Threatens LLM Clients

Critical RCE Vulnerability in mcp-remote: CVE-2025-6514 Threatens LLM Clients

July 9, 2025 Or Peles, JFrog Senior Security Researcher | 12 min read

The JFrog Security Research team has recently discovered and disclosed CVE-2025-6514 - a critical (CVSS 9.6) security vulnerability in the mcp-remote project - a popular tool used by Model Context Protocol clients. The vulnerability allows attackers to trigger arbitrary OS command execution on the machine running mcp-remote when it initiates a connection to an untrusted…
Read More
Why Cloudsmith Is a Risk You Can’t Afford: A Wake-Up Call on Superficial Software Supply Chain Security

Why Cloudsmith Is a Risk You Can’t Afford: A Wake-Up Call on Superficial Software Supply Chain Security

June 24, 2025 The JFrog Security Research Team | 25 min read

On the surface, some tools market DevSecOps capabilities as part of their software supply chain solution. Still, DevOps and Security teams who dig deeper into these tools will quickly spot some red flags, including: Packaging Competitor's Open Source as an Enterprise solution: Selling a paid “security” solution that’s little more than a thin UI layer…
Read More
Multi-Stage Malware Attack on PyPI: Malicious Package Threatens Chimera Sandbox Users

Multi-Stage Malware Attack on PyPI: Malicious Package Threatens Chimera Sandbox Users

June 10, 2025 Guy Korolevski, JFrog Security Researcher | 8 min read

Update 25/06/2025: After the publication of our blog, JFrog was contacted by a security team and was informed that the PyPI package was published as part of an internal security audit - "The PyPI package was not created with malicious intent and users were not targeted by unknown threat actors, the purpose of this simulation…
Read More

Popular Tags