The State of Software Supply Chain Security in 2024

In today’s fast-paced software development landscape, managing and securing the software supply chain is crucial for delivering reliable and trusted software releases. With that in mind, it’s important to assess whether your organization is set up to handle the continuous expansion of the open-source ecosystem and an ever-growing array of tools to incorporate into your …

2023 Best of JFrog Software Supply Chain Blogs

2023 was a big year. There were many interesting challenges and exciting developments within our industry, like the continued evolution of AI/ML, the discovery and remediation of widespread CVEs, and major leaps forward in the realm of end-to-end software supply chain security. In that spirit, we want to recap the news and articles that you …

Announcing JFrog Curation: Defend Your Software Supply Chain by Curating Open-Source Packages Entering Your Organization

UPDATE: Following the announcement at swampUP 2023, JFrog Curation now features a web user interface for its Catalog database service. This enables JFrog customers to search and explore over 4 million open-source packages and their up-to-date metadata, including versions, install command, dependencies, vulnerabilities (including transitive ones), license types, OpenSSF aggregate score, and any …


Understanding a release-first approach to software supply chain management

For anyone involved in software development, the “infinity loop” is synonymous with DevOps — and rightfully so. We know that software is rarely in a static state for very long. Continuous updates are required to meet the demands of users and to deliver more value, faster than the competition. You might be wondering: Out of …

Analyzing Impala Stealer – Payload of the first NuGet attack campaign

In this blog post, we’ll provide a detailed analysis of a malicious payload we’ve dubbed “Impala Stealer”, a custom crypto stealer which was used as the payload for the NuGet malicious packages campaign we exposed in our previous post. The sophisticated campaign targeted .NET …


Complete your Software Supply Chain with GitLab CI/CD and JFrog

Software is more than building code. Developing software and ensuring quality builds requires managing a complete software supply chain. With the many security threats across the supply chain, managing each and every aspect of the software you deliver to your customers, including the entire process of how it was made, is critical to your organization. …

JFrog Took Security to New Heights in 2021

With security now a critical “must have” for DevOps teams, JFrog significantly deepened and extended our platform’s already solid security capabilities in 2021. In this post, we’ll look back at our major advances last year – and look forward to what’s to come in 2022. Our goal: To explain how we’re providing to our customers …

Malicious npm Packages Are After Your Discord Tokens – 17 New Packages Disclosed

The JFrog Security research team continuously monitors popular open source software (OSS) repositories with our automated tooling, and reports any vulnerabilities or malicious packages discovered to repository maintainers and the wider community. Most recently we disclosed 11 malicious packages in the PyPI repository, a discovery that shows attacks are getting more sophisticated in their approach. …