Welcome to the JFrog Blog

Latest:

Shai-Hulud npm supply chain attack – new compromised packages detected

September 16, 2025 Andrey Polkovnichenko, JFrog Security Researcher

6 min read

Recently, the npm ecosystem has faced its third large-scale attack. Following the recent compromise of the nx packages  and another wave targeting popular packages, the registry has once again been attacked.   The first report came from Daniel Pereira, who identified a compromised package: @ctrl/tinycolor@4.1.1. By the end of the day, JFrog’s malware scanners had…

Read More

All Blogs

Chaotic Deputy: Critical vulnerabilities in Chaos Mesh lead to Kubernetes cluster takeover

Chaotic Deputy: Critical vulnerabilities in Chaos Mesh lead to Kubernetes cluster takeover

September 16, 2025 Natan Nehorai, JFrog Application Security Researcher | 11 min read

JFrog Security Research recently discovered and disclosed multiple CVEs in the highly popular Chaos engineering platform - Chaos-Mesh. The discovered CVEs, which we’ve named Chaotic Deputy are CVE-2025-59358, CVE-2025-59360, CVE-2025-59361 and CVE-2025-59359. The last three Chaotic Deputy CVEs are critical severity (CVSS 9.8) vulnerabilities which can be easily exploited by in-cluster attackers to run arbitrary…
Read More
New compromised packages identified in largest npm attack in history

New compromised packages identified in largest npm attack in history

September 9, 2025 Andrey Polkovnichenko, JFrog Security Researcher | 3 min read

Duckdb, coveops/abi and more new packages discovered as compromised in the ongoing phishing campaign On September 8th, a malicious actor compromised the npm registry by publishing trojanized versions of 18 widely-used packages, after obtaining developers’ tokens in a phishing attack, as reported by Aikido. Massively popular packages such as "debug", "chalk" and "ansi-styles" were compromised.…
Read More
The AI/ML Regulatory Landscape and How to Stay Ahead

The AI/ML Regulatory Landscape and How to Stay Ahead

September 11, 2025 Paul Davis, Field CISO | 5 min read

The entire world of technology is abuzz about AI/ML. It’s arguably the most disruptive technology to society since the smartphone. In fact, Gartner estimates that the number of companies using open-source AI directly will increase tenfold by 2027. While this rapid advance is fueling quantum leaps in innovation, it also ignites increasing scrutiny from regulatory…
Read More
JFrog swampUP 2025: News and Updates Live From the Show Floor

JFrog swampUP 2025: News and Updates Live From the Show Floor

September 9, 2025 The JFrog Team | 33 min read

Live updates from this event have concluded. JFrog’s annual user conference, swampUP 2025, is the ultimate gathering of the brightest minds in DevOps, DevSecOps, and MLOps where they exchange ideas, insights and practical strategies for navigating this transformation while amplifying trust, traceability, and transparency in the era of intelligent software. Here are live keynote updates…
Read More
JFrog and GitHub: Next-Level DevSecOps

JFrog and GitHub: Next-Level DevSecOps

September 10, 2025 Paul Garden, JFrog Partner and Industry Solutions | 6 min read

Most DevSecOps pipelines have a gap: source code security and binary security are handled in separate silos. This creates blind spots, slows teams down, and increases risk. At swampUP 2025, we’re unveiling the next evolution of the JFrog and GitHub integration, a deeply integrated DevSecOps experience that unifies best-of-breed code and binary platforms. With JFrog…
Read More
Stop the Chaos: How to Centralize, Secure, and Control Developer Extensions

Stop the Chaos: How to Centralize, Secure, and Control Developer Extensions

September 10, 2025 Achinoam Katsoff-Sitton, JFrog Product Marketing Manager, DevOps | 4 min read

Picture this: A new developer joins your team, excited to start contributing. On day one, they spend hours installing and configuring their IDE, searching for the "right" extensions. Their setup ends up being completely different from everyone else's. Sound familiar? Worse yet, what if that "productivity-boosting" extension or new MCP server they just installed also…
Read More
Announcing JFrog AppTrust: Building Unshakeable Trust in Every Application You Deliver

Announcing JFrog AppTrust: Building Unshakeable Trust in Every Application You Deliver

September 9, 2025 Eyal Dyment, JFrog VP Security | 7 min read

The pressure to deliver applications quickly has created a complex software supply chain that is vulnerable to more  threats than ever before. New regulations are shifting the liability to software developers, demanding auditable proof of security across the entire product lifecycle. Caught between velocity and complexity, the critical question is this: Can you truly vouch…
Read More
Agentic Software Supply Chain Security: AI-Assisted Curation and Remediation

Agentic Software Supply Chain Security: AI-Assisted Curation and Remediation

September 9, 2025 Paul Garden, JFrog Partner and Industry Solutions | 7 min read

Software supply chains are the #1 attack vector for cybercriminals, and the challenge isn’t just finding vulnerabilities; it’s fixing them fast while ensuring security, compliance, and developer productivity. As supply chains grow in complexity, traditional tools aren’t enough; organizations need intelligent, autonomous assistance embedded directly into developer workflows. We are pleased to announce that JFrog…
Read More

Popular Tags