security-research Archives

SHARE:

Binary secret scanning helped us prevent (what might have been) the worst supply chain attack you can imagine

July 09, 2024

The JFrog Security Research team has recently discovered and reported a leaked access token with administrator access to Python’s, PyPI’s and Python Software Foundation’s GitHub repositories, which was leaked in a public Docker container hosted on Docker Hub. As a community service, the JFrog Security Research team continuously scans public repositories such as Docker Hub, …

SHARE:

When Prompts Go Rogue: Analyzing a Prompt Injection Code Execution in Vanna.AI

June 27, 2024

In the rapidly evolving fields of large language models (LLMs) and machine learning, new frameworks and applications emerge daily, pushing the boundaries of these technologies. While exploring libraries and frameworks that leverage LLMs for user-facing applications, we came across the Vanna.AI library – which offers a text-to-SQL interface for users – where we discovered CVE-2024-5565, a …

SHARE:

JFrog Security research discovers coordinated attacks on Docker Hub that planted millions of malicious repositories

April 30, 2024

As key parts of the software ecosystem, and as partners, JFrog and Docker are working together to strengthen the software ecosystem. Part of this effort by JFrog’s security research team involves continuous monitoring of open-source software registries in order to proactively identify and address potential malware and vulnerability threats. In former publications, we have discussed …

SHARE:

CVE-2024-3094 XZ Backdoor: All you need to know

March 31, 2024

Update April 1st – Updated “What is the malicious payload of CVE-2024-3094?” due to newly released OSS tools Update April 7th – Updated “What is the malicious payload of CVE-2024-3094?” due to more published payload research On March 29th, it was reported that malicious code enabling unauthorized remote SSH access has been detected within …

SHARE:

NPM Manifest Confusion: Six Months Later

March 26, 2024

Several months ago, Darcy Clarke, a former Staff Engineering Manager at GitHub, discovered the “Manifest Confusion” bug in the npm ecosystem. The bug was caused by the npm registry not validating whether the manifest file contained in the tarball (package.json) matches the manifest data published to the npm server. Clarke claims this to be a …

SHARE:

Data Scientists Targeted by Malicious Hugging Face ML Models with Silent Backdoor

February 27, 2024

In the realm of AI collaboration, Hugging Face reigns supreme. But could it be the target of model-based attacks? Recent JFrog findings suggest a concerning possibility, prompting a closer look at the platform’s security and signaling a new era of caution in AI research. The discussion on AI Machine Language (ML) models security is still …

SHARE:

Analyzing common vulnerabilities introduced by Code-Generative AI

February 07, 2024

Artificial Intelligence tools such as Bard, ChatGPT, and Bing Chat are the current big names in the Large Language Model (LLM) category which is on the rise. LLMs are trained on vast data sets to be able to communicate by using everyday human language as a chat prompt. Given the flexibility and potential of LLMs, …

SHARE:

*nix libX11: Uncovering and exploiting a 35-year-old vulnerability – Part 2 of 2

January 24, 2024

The JFrog Security research team has recently discovered two security vulnerabilities in X.Org libX11, the widely popular graphics library – CVE-2023-43786 and CVE-2023-43787 (with a high NVD severity CVSS 7.8). These vulnerabilities cause a denial-of-service and remote code execution. X11’s latest versions contain fixes for these vulnerabilities. The team constantly monitors open-source projects to find …

SHARE:

*nix libX11: Uncovering and exploiting a 35-year-old vulnerability – Part 1 of 2

January 17, 2024

The JFrog Security research team has recently discovered two security vulnerabilities in X.Org libX11, the widely popular graphics library – CVE-2023-43786 and CVE-2023-43787 (with a high NVD severity CVSS 7.8). These vulnerabilities cause a denial-of-service and remote code execution. X11’s latest versions contain fixes for these vulnerabilities. The team constantly monitors open-source projects to find …

SHARE:

Top JFrog Security Research Blogs of the Year

January 12, 2024

With over 29,000 CVEs and 5.5 billion malware attacks recorded in the past year, it’s no wonder that software supply chain security is a top priority for enterprise developers on a global scale. That is also why JFrog Security Research has been instrumental in identifying and analyzing the biggest threats and devising methods to protect …

Binary secret scanning helped us prevent (what might have been) the worst supply chain attack you can imagine

When Prompts Go Rogue: Analyzing a Prompt Injection Code Execution in Vanna.AI

JFrog Security research discovers coordinated attacks on Docker Hub that planted millions of malicious repositories

CVE-2024-3094 XZ Backdoor: All you need to know

NPM Manifest Confusion: Six Months Later

Data Scientists Targeted by Malicious Hugging Face ML Models with Silent Backdoor

Analyzing common vulnerabilities introduced by Code-Generative AI

*nix libX11: Uncovering and exploiting a 35-year-old vulnerability – Part 2 of 2

*nix libX11: Uncovering and exploiting a 35-year-old vulnerability – Part 1 of 2

Top JFrog Security Research Blogs of the Year

Popular Tags