Python Malware Imitates Signed PyPI Traffic in Novel Exfiltration Technique

The JFrog Security research team continuously monitors popular open source software (OSS) repositories with our automated tooling to report vulnerable and malicious packages to repository maintainers. Earlier this year we disclosed several malicious packages targeting developers’ private data that were downloaded approximately 30K times. Today, we will share details about 11 new malware packages that …

Unboxing BusyBox – 14 new vulnerabilities uncovered by Claroty and JFrog

  Update April 2026 – BusyBox is now at version 1.37.0. We recommend upgrading to 1.37.0 or later (the post originally recommended 1.34.0). Since this research was published, additional awk-related vulnerabilities have been found: CVE-2023-42365 and CVE-2023-42366, both in version 1.36.1. A separate tar vulnerability (CVE-2025-46394) was disclosed in April 2025. Notably, SUSE was still …

Don’t let Prometheus Steal your Fire

Update April 2026 – Prometheus is now on version 2.55+ and its security features have matured significantly since this post was written. In addition to basic auth and TLS, Prometheus now supports mutual TLS (mTLS) with client certificate verification, configurable minimum TLS version (default TLS 1.2), and cipher suite selection. Despite these improvements being available …

23andMe’s Yamale Python code injection, and properly sanitizing eval()

Background: The JFrog security research team (formerly Vdoo) has recently disclosed a code injection issue in Yamale, a popular schema validator for YAML that is used by over 200 repositories. The issue has been assigned CVE-2021-38305. The injection issue: An attacker that can control the contents of the schema file that is supplied to Yamale (-s/--schema command …

No Internet? No Problem. Use Artifactory with an Air Gap – Part I

Virtually all development organizations need access to remote public resources such as Maven Central, NuGet Gallery, npmjs.org, Docker Hub etc., to download dependencies needed for a build. One of the big benefits of using Artifactory is its remote repositories which proxy these remote resources and cache artifacts that are downloaded. This way, once any developer …

How to set up a Private, Remote and Virtual npm Registry

The simplest way to manage and organize your Node dependencies is with an npm repository. You need reliable, secure, consistent and efficient access to the dependencies shared across your team, in a central location. This includes a place to set up multiple registries that work transparently with the npm client. With the JFrog cloud …

Enable Multi-Site DevOps with Federated Repositories

The days when applications were created by a small team of developers in one room are long past. Enterprise software development is now a highly collaborative endeavour of packages shared by intersecting teams across multiple sites spread across the globe. For the enterprise, JFrog Artifactory has long enabled multi-site replication through different push/pull replication topology …

How to set up a Private, Remote and Virtual Maven/Gradle Registry

The simplest way to manage and organize your Java dependencies is with a Maven or Gradle repository. You need reliable, secure, consistent and efficient access to the dependencies shared across your team, in a central location. This includes a place to set up multiple registries that work transparently with the Maven and Gradle clients. …

JFrog CloudFormation Modules Make Provisioning to AWS Easy and Secure

A routine cloud operations task should have a routine solution. That’s why we’ve just made it a lot easier to install and maintain self-hosted instances of the JFrog DevOps Platform on AWS, through AWS CloudFormation. To further simplify the effort of self-hosting Artifactory and Xray on AWS, we’ve just published a set of AWS CloudFormation …

Best Practices for Migrating to Helm v3 for the Enterprise

At JFrog, we rely on Kubernetes and Helm to orchestrate our systems and keep our workloads running and up-to-date. Our JFrog Cloud services had initially been deployed with Helm v2 and the Tillerless plugin for enhanced security, but we have now successfully migrated our many thousands of releases to Helm v3. Like many SaaS service providers, …