The Software Extinction Event That Wasn’t

Note: This blog post was previously published on DevOps.com Imagine if the world’s most pervasive programming language, used in the majority of organizations, services, websites and infrastructure today, was itself made to be malicious? Cybersecurity researchers from JFrog recently discovered a GitHub Personal Access Token in a public Docker container… due to the popularity of …

PyPI Leaked Token in Binary

Binary secret scanning helped us prevent (what might have been) the worst supply chain attack you can imagine

The JFrog Security Research team has recently discovered and reported a leaked access token with administrator access to Python’s, PyPI’s and Python Software Foundation’s GitHub repositories, which was leaked in a public Docker container hosted on Docker Hub. As a community service, the JFrog Security Research team continuously scans public repositories such as Docker Hub, …

Contextual Analysis for Python, Java, and JavaScript with JFrog Frogbot

Contextual Analysis for Python, Java, and JavaScript Projects with JFrog Frogbot

When scanning packages, CVE (Common Vulnerabilities and Exposures) scanners can find thousands of vulnerabilities. This leaves developers with the painstaking task of sifting through long lists of vulnerabilities to identify the relevance of each, only to find that many vulnerabilities don’t affect their artifacts at all. Vulnerability Contextual Analysis uses the artifact context to eliminate …

Python Package Index (PyPi)

Python wheel-jacking in supply chain attacks

Recently, a novel supply chain attack was published by security researcher Alex Birsan, detailing how dependency confusion (or “namesquatting“) in package managers can be misused in order to execute malicious code on production and development systems. Background – dependency confusion & Birsan’s attack In short, most package managers such as pip and npm do not …