
CVE-2025-55182 and CVE-2025-66478 (“React2Shell”): All you need to know – UPDATED

IMPORTANT UPDATE: React2Shell Continues to Attack Cloud Infrastructure (Dec 9th, 2025) JFrog Security Research continues to track the React2Shell vulnerability. Recent developments include the original POC from the researcher who found this vulnerability. This POC shows the simplicity of exploiting this CVE and reflects the real severity and impact of this CVE. (Dec 12th, 2025) …

Stop Treating Models Like Magic, Start Treating Them Like Binaries

In my previous posts, we discussed the where and the how of managing your ML assets. We showed you how JFrog Artifactory acts as a powerful, universal model registry (the “where”) and how the FrogML SDK serves as the gateway to get your models and metadata into it (the “how”). Now, let’s talk about the …

Level Up Your Container Security: Introducing the JFrog Kubelet Credential Provider

Amazon Elastic Kubernetes Service (Amazon EKS) is a fully managed, compliant Kubernetes service that simplifies running, managing, and scaling containerized applications. EKS automatically handles the availability and scalability of the Kubernetes control plane, allowing teams of any size or skill level to focus on building and deploying production-ready applications across diverse environments, including AWS, on-premises, …


PyTorch Users at Risk: Unveiling 3 Zero-Day PickleScan Vulnerabilities

AI Model Scanning as the First Layer of Security JFrog Security Research found 3 zero-day critical vulnerabilities in PickleScan, which would allow attackers to bypass the most popular Pickle model scanning tool. PickleScan is a widely used, industry-standard tool for scanning ML models and ensuring they contain no malicious content. Each discovered vulnerability enables attackers …


Shai-Hulud npm supply chain attack – new compromised packages detected

IMPORTANT UPDATE: Shai-Hulud Returns (Nov 24, 2025) JFrog continues to track, provide research and document another wave of the Shai-Hulud Software Supply Chain Attack. Following the initial campaign, threat actors have returned with more advanced tactics, compromising an additional 796 new malicious packages across leading public registries. This new wave exhibits several key differences from …

Secure and Productionize Databricks AI Models with the JFrog Platform

It’s well-known that Databricks is a world-class platform for data engineering and ML experimentation. Yet, for most organizations, the challenge isn’t building models; it’s the complex journey from a model in a notebook to a secure, governed, and production-ready application. In this blog, we’ll show you how integrating the JFrog Platform with Databricks bridges that …


Securing Vibe Coding: JFrog Introduces AI-Generated Code Validation

A fundamental shift in software development is already here. Gartner predicts that by 2028, 75% of enterprise software engineers will use AI code assistants – a massive leap from less than 10% in early 2023. While this AI-driven speed creates a competitive advantage, it also opens a dangerous new front in the battle for software …

Beyond Models: JFrog AI Catalog Evolves to Detect Shadow AI and Govern MCPs

When we first introduced the JFrog AI Catalog, it was our mission to provide the industry with a single system of record for governing the complex landscape of internal, open-source, and external commercial AI models. This foundational step was critical for enterprises to move from uncontrolled innovation to delivering AI with trust and confidence. However, …

The Security Imperative: Trust, Speed, and Integral Defense

The systemic nature of software supply chain attacks is growing more complex, creating a critical tension between speed and security. The Israeli National Cyber Directorate’s (INCD) recent “Breaking the Chain” report validates that the most significant threats live outside your first-party code, highlighting a crisis of trust in the open-source-software (OSS) supply chain. While the …

Critical RCE Vulnerability CVE-2025-11953 Puts React Native Developers at Risk

The JFrog Security Research team recently discovered and disclosed CVE-2025-11953 – a critical (CVSS 9.8) security vulnerability affecting the extremely popular @react-native-community/cli NPM package that has approximately 2M weekly downloads. The vulnerability allows remote unauthenticated attackers to easily trigger arbitrary OS command execution on the machine running react-native-community/cli’s development server, posing a significant risk to …