Malicious Packages NuGet

Attackers are starting to target .NET developers with malicious-code NuGet packages

Update 2023-03-21 – We’ve talked with members of the NuGet team and they had already detected and removed the malicious packages in question. Malicious packages are often spread by the open source NPM and PyPI package repositories, with few other repositories affected. Specifically – there was no public evidence of severe malicious activity in the …

Integrate JFrog and GitLab CI

Complete your Software Supply Chain with GitLab CI/CD and JFrog

Software is more than building code. Developing software and ensuring quality builds requires managing a complete software supply chain. With the many security threats across the supply chain, managing each and every aspect of the software you deliver to your customers, including the entire process of how it was made, is critical to your organization. …

Malicious npm Packages Are After Your Discord Tokens โ€“ 17 New Packages Disclosed

The JFrog Security research team continuously monitors popular open source software (OSS) repositories with our automated tooling, and reports any vulnerabilities or malicious packages discovered to repository maintainers and the wider community. Most recently we disclosed 11 malicious packages in the PyPI repository, a discovery that shows attacks are getting more sophisticated in their approach. …

Scaling Software Supply Chains Securely

Software supply chains are mission-critical for digital businesses, and as global conditions accelerate the growth in contactless interactions and transactions, many organizations are reviewing how to solve the challenge of scaling the volume and velocity of their software development and release processes to meet the digital demand. The latest JFrog Platform release delivers a rich …

Python Package Index (PyPi)

Python wheel-jacking in supply chain attacks

Recently, a novel supply chain attack was published by security researcher Alex Birsan, detailing how dependency confusion (or “namesquatting”) in package managers can be misused in order to execute malicious code on production and development systems. Background – dependency confusion and Birsan’s attack: in short, most package managers such as pip and npm do not …
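The teaser above stops before it says what pip and npm do wrong. The core of it, for pip, is that a client configured with an extra index treats every configured index as one candidate pool and installs the best version it finds, so a public package carrying an internal name (and a higher version) outranks the private one. The script below is an added example, not code from the JFrog post or its research: it is a pre-flight audit a team could run over its own `requirements.txt` and `pip.conf` to find that exposure before an attacker does. The package names, hostnames and hash values are constructed placeholders; `acme-internal-*` stands in for whatever a team publishes only to its private index.

```python
"""Pre-flight audit for dependency-confusion exposure in a pip-based project.

Added illustration, not code from the JFrog post. Assumes: requirements in
pip's requirements.txt format, a known list of internal (private-index) package
names, and the project's pip.conf available as text. All sample inputs are
constructed; the hostnames are placeholders.
"""
import configparser
import re
from typing import Dict, Iterator, Sequence


def normalize(name: str) -> str:
    """PEP 503 normalization so 'Acme_Internal.Auth' and 'acme-internal-auth' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def _logical_lines(text: str) -> Iterator[str]:
    """Join backslash-continued lines and drop comments, as pip does when reading requirements."""
    buf = ""
    for raw in text.splitlines():
        raw = raw.split("#", 1)[0].rstrip()
        if raw.endswith("\\"):
            buf += raw[:-1] + " "
            continue
        buf += raw
        if buf.strip():
            yield buf.strip()
        buf = ""
    if buf.strip():
        yield buf.strip()


def parse_requirements(text: str) -> Dict[str, Dict[str, bool]]:
    """Map normalized package name -> {pinned, hashed}; option lines (-i, --index-url, ...) are skipped."""
    reqs: Dict[str, Dict[str, bool]] = {}
    for line in _logical_lines(text):
        if line.startswith("-"):
            continue
        m = re.match(r"([A-Za-z0-9][A-Za-z0-9._-]*)", line)
        if m:
            reqs[normalize(m.group(1))] = {
                "pinned": "==" in line,
                "hashed": "--hash=" in line,
            }
    return reqs


def confusable_requirements(reqs: Dict[str, Dict[str, bool]],
                            internal_names: Sequence[str]) -> Dict[str, str]:
    """Internal packages that an attacker-controlled public package could satisfy.

    A version pin alone is not enough: the same version can be published publicly
    and pip has no way to tell the two apart. Only a --hash lock ties the
    requirement to the exact artifact that lives on the private index.
    """
    internal = {normalize(n) for n in internal_names}
    findings: Dict[str, str] = {}
    for name, meta in sorted(reqs.items()):
        if name not in internal or meta["hashed"]:
            continue
        findings[name] = "pinned but not hash-locked" if meta["pinned"] else "unpinned"
    return findings


def pip_conf_uses_extra_index(conf_text: str) -> bool:
    """True when pip.conf sets extra-index-url.

    With extra-index-url pip merges all indexes into one candidate pool and picks
    the best version across them, so a public package with an internal name and a
    higher version wins. That resolution behaviour is what Birsan's attack abuses.
    """
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    return any(cp.has_option(s, "extra-index-url") for s in ("global", "install"))


# --- constructed sample inputs (placeholders, not real packages or hosts) ----------
SAMPLE_REQUIREMENTS = """\
requests==2.31.0 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
acme-internal-auth==1.4.0          # pinned, but any index can serve a 1.4.0
acme_internal_billing>=2.0         # unpinned: a public 99.0 would win outright
acme-internal-logging==0.9.1 \\
    --hash=sha256:1111111111111111111111111111111111111111111111111111111111111111
"""
INTERNAL_PACKAGES = ["acme-internal-auth", "acme-internal-billing", "acme-internal-logging"]

# Exposed: public PyPI and the private index are merged into one candidate pool.
PIP_CONF_EXPOSED = """\
[global]
index-url = https://pypi.org/simple
extra-index-url = https://pypi.internal.example/simple
"""
# Hardened: a single index (in practice a proxy that serves the private packages
# and a curated mirror of PyPI), so internal names are never looked up publicly.
PIP_CONF_HARDENED = """\
[global]
index-url = https://pypi.internal.example/simple
"""


def audit(requirements_text: str, internal_names: Sequence[str], pip_conf_text: str) -> Dict[str, object]:
    """Combine both checks into one report for a project."""
    return {
        "confusable": confusable_requirements(parse_requirements(requirements_text), internal_names),
        "extra_index_url": pip_conf_uses_extra_index(pip_conf_text),
    }


if __name__ == "__main__":
    for label, conf in (("exposed", PIP_CONF_EXPOSED), ("hardened", PIP_CONF_HARDENED)):
        print(label, audit(SAMPLE_REQUIREMENTS, INTERNAL_PACKAGES, conf))
```

Two findings are worth noting in the sample run: `acme-internal-auth` is reported even though it is pinned, because a pin to `1.4.0` is satisfied by any index that offers `1.4.0`, and only the hash-locked `acme-internal-logging` is considered safe. The `pip.conf` check flags `extra-index-url` rather than trying to rank indexes, since pip itself does not let one index take precedence over another; routing everything through a single `index-url` is the configuration change that removes the ambiguity.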

Major Vulnerabilities Discovered and Patched in Realtek RTL8195A Wi-Fi Module

In a recent supply chain security assessment, the JFrog security research team (formerly Vdoo) analyzed multiple networking devices for security vulnerabilities and exposures. During the analysis we discovered and responsibly disclosed six major vulnerabilities in Realtek’s RTL8195A Wi-Fi module that these devices were based on. An attacker that exploits the discovered vulnerabilities can gain remote …