Welcome to the JFrog Blog

Latest:

FrogML SDK: the Gateway to Model Governance

August 19, 2025 Rami Pinku, Senior Product Manager, JFrog ML

5 min read

Data-driven decisions are critical. And to support high-stakes decision-making – from fraud detection in credit card transactions to demand forecasting in retail – organizations are increasingly relying on complex models. According to McKinsey, 78% of organizations report using AI in at least one business function, highlighting just how embedded AI and ML models have become…

Read More

All Blogs

Still Trusting Automated Patches Blindly? Think Again

Still Trusting Automated Patches Blindly? Think Again

July 23, 2025 Yonatan Arbel, JFrog Developer Advocate | 4 min read

The Breach: A High-Impact Compromise JounQin’s npm account, the maintainer of popular packages such as eslint-config-prettier, was compromised in a phishing attack. The attackers used the breached credentials to publish six malicious versions of eslint-config-prettier, along with three additional infected packages tied to the same account. In total, the compromised packages see roughly 78 million…
Read More
The UK’s New Software Security Code of Practice and How JFrog Can Help

The UK’s New Software Security Code of Practice and How JFrog Can Help

July 16, 2025 Dafna Zahger Bernanka, JFrog Director of Product Marketing, Security | 8 min read

The UK government has taken a proactive step by recently releasing the Software Security Code of Practice, a vital framework aimed at strengthening the cybersecurity posture of organizations that develop and sell software. This code outlines essential practices and principles, guiding companies to enhance their software security throughout the development lifecycle, from initial design to…
Read More
How to Optimize DevSecOps Workflows Using JFrog

How to Optimize DevSecOps Workflows Using JFrog

July 15, 2025 Pranav Hegde, Tech Lead, JFrog | 9 min read

Embedding security within the Software Development Life Cycle (SDLC) is no longer just a best practice; it’s a full-on necessity. DevSecOps extends the DevOps model by making security a shared responsibility from the earliest stages of development. Today’s enterprises require this kind of integrated approach to streamline workflows from development to deployment. The JFrog Platform…
Read More
Critical RCE Vulnerability in mcp-remote: CVE-2025-6514 Threatens LLM Clients

Critical RCE Vulnerability in mcp-remote: CVE-2025-6514 Threatens LLM Clients

July 9, 2025 Or Peles, JFrog Senior Security Researcher | 12 min read

The JFrog Security Research team has recently discovered and disclosed CVE-2025-6514 - a critical (CVSS 9.6) security vulnerability in the mcp-remote project - a popular tool used by Model Context Protocol clients. The vulnerability allows attackers to trigger arbitrary OS command execution on the machine running mcp-remote when it initiates a connection to an untrusted…
Read More
Why Cloudsmith Is a Risk You Can’t Afford: A Wake-Up Call on Superficial Software Supply Chain Security

Why Cloudsmith Is a Risk You Can’t Afford: A Wake-Up Call on Superficial Software Supply Chain Security

June 24, 2025 The JFrog Security Research Team | 25 min read

On the surface, some tools market DevSecOps capabilities as part of their software supply chain solution. Still, DevOps and Security teams who dig deeper into these tools will quickly spot some red flags, including: Packaging Competitor's Open Source as an Enterprise solution: Selling a paid “security” solution that’s little more than a thin UI layer…
Read More
Multi-Stage Malware Attack on PyPI: Malicious Package Threatens Chimera Sandbox Users

Multi-Stage Malware Attack on PyPI: Malicious Package Threatens Chimera Sandbox Users

June 10, 2025 Guy Korolevski, JFrog Security Researcher | 8 min read

Update 25/06/2025: After the publication of our blog, JFrog was contacted by a security team and was informed that the PyPI package was published as part of an internal security audit - "The PyPI package was not created with malicious intent and users were not targeted by unknown threat actors, the purpose of this simulation…
Read More
RSAC 2025 Recap: Software Supply Chain Security Takes Center Stage

RSAC 2025 Recap: Software Supply Chain Security Takes Center Stage

May 12, 2025 Paul Davis, Field CISO | 5 min read

The RSA Conference 2025 at the Moscone Center in San Francisco on April 28 - May 1, brought together over 44,000 cybersecurity professionals from around the world. This year's event, marking the 34th annual flagship conference, placed significant emphasis on software supply chain security and secure software development lifecycle (SDLC) practices. From the keynotes, speaking…
Read More
A Vulnerable Future: MITRE’s Close Call in CVE Management

A Vulnerable Future: MITRE’s Close Call in CVE Management

April 23, 2025 Ofri Ouzan, JFrog Security Researcher Jonathan Sar Shalom, JFrog Director of Threat Research | 16 min read

Last week, one of the biggest concerns in the cybersecurity industry created a crisis that was avoided at the last minute. On April 16th, 2025, the MITRE Corporation announced:  “The current contracting pathway for MITRE to develop, operate, and modernize CVE and several other related programs, such as CWE, will expire.” Official letter from MITRE…
Read More
Now Available: Smart Archiving with the JFrog Platform

Now Available: Smart Archiving with the JFrog Platform

April 23, 2025 Sean Pratt, Senior Manager, Product Marketing, JFrog | 5 min read

Every day development teams around the world release new software. But what happens to prior releases that are no longer in production? Most organizations save them, typically due to internal policies, external regulations, or simply the fear of losing data. Organizations typically take varied approaches to retaining their prior releases. Some use a dedicated repository…
Read More

Popular Tags