Pixelsmash - Thumbnail 203x148

PixelSmash – Critical FFmpeg Vulnerability Turns Media Files into Weapons

JFrog Security Research recently discovered and disclosed a critical vulnerability in FFmpeg, the world’s most widely deployed media processing framework. The discovered vulnerability, which we’ve named PixelSmash, is CVE-2026-8461 – a heap out-of-bounds write in the MagicYUV decoder (CVSS 8.8 High). We escalated this vulnerability from a simple crash all the way to reliable remote …

npm12 - Thumbnail 203X148 (1)

npm v12’s Biggest Security Change: From Implicit to Explicit Trust

For years, installing an npm package has meant trusting that every package in the dependency tree will behave as expected. Whether code originated from the npm registry, a Git repository, a remote URL, or an installation script buried deep within a transitive dependency, npm would typically execute or retrieve it automatically during the installation process. …

repohunter, ci/cd security, github actions, shai hulud, supply chain attack, cybersecurity, ai, devsecops, vulnerability research, pwn request, open source, ansible, software security

How JFrog’s AI-Research Bot Found OSS CI/CD Vulnerabilities to Prevent Shai Hulud 3.0

Recent incidents have proven that Continuous Integration (CI) workflows are the new battleground for software supply chain attacks. Security Pitfalls in GitHub Actions workflows, such as the unsanitized use of pull request (PR) data, can allow attackers to execute malicious code during CI runs with devastating consequences. For example, the high-profile “S1ngularity” attack on the …