Blog Home
PyPI Leaked Token in Binary

Binary secret scanning helped us prevent (what might have been) the worst supply chain attack you can imagine
July 09, 2024

The JFrog Security Research team has recently discovered and reported a leaked access token with administrator access to Python’s, PyPI’s and Python Software Foundation’s GitHub repositories, which was leaked in a public Docker container hosted on Docker Hub. As a community service, the JFrog Security Research team continuously scans public repositories such as Docker Hub, …

Read More
Contextual Analysis for Python, Java, and JavaScript with JFrog Frogbot

Contextual Analysis for Python, Java, and JavaScript Projects with JFrog Frogbot
September 08, 2023

When scanning packages, CVE (Common Vulnerabilities and Exposures) scanners can find thousands of vulnerabilities. This leaves developers with the painstaking task of sifting through long lists of vulnerabilities to identify the relevance of each, only to find that many vulnerabilities don’t affect their artifacts at all. Vulnerability Contextual Analysis uses the artifact context to eliminate …

Read More
Python Package Index (PyPi)

Python wheel-jacking in supply chain attacks
February 16, 2021

Recently, a novel supply chain attack was published by security researcher Alex Birsan, detailing how dependency confusion (or “namesquatting“) in package managers can be misused in order to execute malicious code on production and development systems. Background – dependency confusion & Birsan’s attack In short, most package managers such as pip and npm do not …

Read More

Popular Tags