Welcome to the JFrog Blog

Latest:

Using JFrog to Align Your Systems for ISO 27001 Compliance

August 28, 2025 Paul Davis, Field CISO

8 min read

ISO/IEC 27001 is an information security standard that is quickly becoming a must-have for any organization that handles proprietary customer data. ISO 27001 certification is now often a requirement to do business, particularly for IT and SaaS organizations - JFrog included! In this blog, you’ll learn more about ISO 27001, how to get certified, and…

Read More

All Blogs

8 Malicious npm Packages Deliver Multi-Layered Chrome Browser Information Stealer

8 Malicious npm Packages Deliver Multi-Layered Chrome Browser Information Stealer

August 27, 2025 Guy Korolevski, JFrog Security Researcher | 7 min read

Open-source software repositories have become one of the main entry points for attackers as part of supply chain attacks, with growing waves using typosquatting and masquerading, pretending to be legitimate. The JFrog Security Research team regularly monitors open-source software repositories using advanced automated tools, in order to detect malicious packages. In cases of potential software…
Read More
Still Trusting Automated Patches Blindly? Think Again

Still Trusting Automated Patches Blindly? Think Again

July 23, 2025 Yonatan Arbel, JFrog Developer Advocate | 4 min read

The Breach: A High-Impact Compromise JounQin’s npm account, the maintainer of popular packages such as eslint-config-prettier, was compromised in a phishing attack. The attackers used the breached credentials to publish six malicious versions of eslint-config-prettier, along with three additional infected packages tied to the same account. In total, the compromised packages see roughly 78 million…
Read More
The UK’s New Software Security Code of Practice and How JFrog Can Help

The UK’s New Software Security Code of Practice and How JFrog Can Help

July 16, 2025 Dafna Zahger Bernanka, JFrog Director of Product Marketing, Security | 8 min read

The UK government has taken a proactive step by recently releasing the Software Security Code of Practice, a vital framework aimed at strengthening the cybersecurity posture of organizations that develop and sell software. This code outlines essential practices and principles, guiding companies to enhance their software security throughout the development lifecycle, from initial design to…
Read More
How to Optimize DevSecOps Workflows Using JFrog

How to Optimize DevSecOps Workflows Using JFrog

July 15, 2025 Pranav Hegde, Tech Lead, JFrog | 9 min read

Embedding security within the Software Development Life Cycle (SDLC) is no longer just a best practice; it’s a full-on necessity. DevSecOps extends the DevOps model by making security a shared responsibility from the earliest stages of development. Today’s enterprises require this kind of integrated approach to streamline workflows from development to deployment. The JFrog Platform…
Read More
Critical RCE Vulnerability in mcp-remote: CVE-2025-6514 Threatens LLM Clients

Critical RCE Vulnerability in mcp-remote: CVE-2025-6514 Threatens LLM Clients

July 9, 2025 Or Peles, JFrog Senior Security Researcher | 12 min read

The JFrog Security Research team has recently discovered and disclosed CVE-2025-6514 - a critical (CVSS 9.6) security vulnerability in the mcp-remote project - a popular tool used by Model Context Protocol clients. The vulnerability allows attackers to trigger arbitrary OS command execution on the machine running mcp-remote when it initiates a connection to an untrusted…
Read More
Why Cloudsmith Is a Risk You Can’t Afford: A Wake-Up Call on Superficial Software Supply Chain Security

Why Cloudsmith Is a Risk You Can’t Afford: A Wake-Up Call on Superficial Software Supply Chain Security

June 24, 2025 The JFrog Security Research Team | 25 min read

On the surface, some tools market DevSecOps capabilities as part of their software supply chain solution. Still, DevOps and Security teams who dig deeper into these tools will quickly spot some red flags, including: Packaging Competitor's Open Source as an Enterprise solution: Selling a paid “security” solution that’s little more than a thin UI layer…
Read More
Multi-Stage Malware Attack on PyPI: Malicious Package Threatens Chimera Sandbox Users

Multi-Stage Malware Attack on PyPI: Malicious Package Threatens Chimera Sandbox Users

June 10, 2025 Guy Korolevski, JFrog Security Researcher | 8 min read

Update 25/06/2025: After the publication of our blog, JFrog was contacted by a security team and was informed that the PyPI package was published as part of an internal security audit - "The PyPI package was not created with malicious intent and users were not targeted by unknown threat actors, the purpose of this simulation…
Read More
RSAC 2025 Recap: Software Supply Chain Security Takes Center Stage

RSAC 2025 Recap: Software Supply Chain Security Takes Center Stage

May 12, 2025 Paul Davis, Field CISO | 5 min read

The RSA Conference 2025 at the Moscone Center in San Francisco on April 28 - May 1, brought together over 44,000 cybersecurity professionals from around the world. This year's event, marking the 34th annual flagship conference, placed significant emphasis on software supply chain security and secure software development lifecycle (SDLC) practices. From the keynotes, speaking…
Read More
A Vulnerable Future: MITRE’s Close Call in CVE Management

A Vulnerable Future: MITRE’s Close Call in CVE Management

April 23, 2025 Ofri Ouzan, JFrog Security Researcher Jonathan Sar Shalom, JFrog Director of Threat Research | 16 min read

Last week, one of the biggest concerns in the cybersecurity industry created a crisis that was avoided at the last minute. On April 16th, 2025, the MITRE Corporation announced:  “The current contracting pathway for MITRE to develop, operate, and modernize CVE and several other related programs, such as CWE, will expire.” Official letter from MITRE…
Read More

Popular Tags