Welcome to the JFrog Blog

Latest:

CVE-2025-55182 and CVE-2025-66478 (“React2Shell”) – All you need to know

December 5, 2025 JFrog Security Research Team

5 min read

JFrog continues to track and provide updates on React2Shell at research.jfrog.com. What happened A critical React vulnerability - CVE-2025-55182 (and the corresponding CVE-2025-66478 in Next.js) was published by the React maintainers. The vulnerability was named "React2Shell" by the original researcher as it leads to arbitrary code execution by remote (possibly unauthenticated) attackers. A remote attacker could craft a…

Read More

All Blogs

PyTorch Users at Risk: Unveiling 3 Zero-Day PickleScan Vulnerabilities

PyTorch Users at Risk: Unveiling 3 Zero-Day PickleScan Vulnerabilities

December 2, 2025 David Cohen, JFrog Senior Security Researcher | 14 min read

AI Model Scanning as the First Layer of Security JFrog Security Research found 3 zero-day critical vulnerabilities in PickleScan, which would allow attackers to bypass the most popular Pickle model scanning tool. PickleScan is a widely used, industry-standard tool for scanning ML models and ensuring they contain no malicious content. Each discovered vulnerability enables attackers…
Read More
Shai-Hulud npm supply chain attack – new compromised packages detected

Shai-Hulud npm supply chain attack – new compromised packages detected

November 24, 2025 Andrey Polkovnichenko, JFrog Security Researcher | 9 min read

IMPORTANT UPDATE:  Shai-Hulud Returns  (Nov 24, 2025) JFrog continues to track, provide research and document another wave of the Shai-Hulud Software Supply Chain Attack. Following the initial campaign, threat actors have returned with more advanced tactics, compromising an additional 796 new malicious packages across leading public registries. This new wave exhibits several key differences from…
Read More
Securing Vibe Coding: JFrog Introduces AI-Generated Code Validation

Securing Vibe Coding: JFrog Introduces AI-Generated Code Validation

November 13, 2025 Jacqueline Basil, JFrog Product Marketing Manager, Security | 5 min read

A fundamental shift in software development is already here. Gartner predicts that by 2028, 75% of enterprise software engineers will use AI code assistants - a massive leap from less than 10% in early 2023. While this AI-driven speed creates a competitive advantage, it also opens a dangerous new front in the battle for software…
Read More
The Security Imperative: Trust, Speed, and Integral Defense

The Security Imperative: Trust, Speed, and Integral Defense

November 11, 2025 The JFrog Team | 10 min read

The systemic nature of software supply chain attacks is growing more complex, creating a critical tension between speed and security. The Israeli National Cyber Directorate’s (INCD) recent "Breaking the Chain" report validates that the most significant threats live outside your first-party code, highlighting a crisis of trust in the open-source-software (OSS) supply chain. While the…
Read More
Critical RCE Vulnerability CVE-2025-11953 Puts React Native Developers at Risk

Critical RCE Vulnerability CVE-2025-11953 Puts React Native Developers at Risk

November 4, 2025 Or Peles, JFrog Senior Security Researcher | 12 min read

The JFrog Security Research team recently discovered and disclosed CVE-2025-11953 - a critical (CVSS 9.8) security vulnerability affecting the extremely popular @react-native-community/cli NPM package that has approximately 2M weekly downloads. The vulnerability allows remote unauthenticated attackers to easily trigger arbitrary OS command execution on the machine running react-native-community/cli’s development server, posing a significant risk to…
Read More
JFrog & GitHub: Unifying the Software Supply Chain, One Step at a Time… and Our 2025 GitHub Technology Partner Award

JFrog & GitHub: Unifying the Software Supply Chain, One Step at a Time… and Our 2025 GitHub Technology Partner Award

October 28, 2025 Paul Garden, JFrog Partner and Industry Solutions | 6 min read

Organizations increasingly demand platforms that not only accelerate software delivery but also provide trust, security, and traceability. At JFrog, the software supply chain is managed and secured by default, from commit to runtime. That’s why our deep integration with GitHub is central to how we help teams manage, monitor, and secure every step of software…
Read More
CVE-2025-6515 Prompt Hijacking Attack – How Session Hijacking Affects MCP Ecosystems

CVE-2025-6515 Prompt Hijacking Attack – How Session Hijacking Affects MCP Ecosystems

October 21, 2025 Ori Hollander, JFrog Security Researcher Ofri Ouzan, JFrog Security Researcher | 10 min read

JFrog Security Research recently discovered and disclosed multiple CVEs in oatpp-mcp - the Oat++ framework’s implementation of Anthropic’s Model Context Protocol (MCP) standard. Among these, CVE-2025-6515 stood out due to its potential threat of hijacking MCP session IDs. Within the context of MCP we’ve dubbed this new attack technique "Prompt Hijacking". Your browser does not…
Read More
JFrog AppTrust: A Technical Deep Dive into Building a Trusted Software Supply Chain

JFrog AppTrust: A Technical Deep Dive into Building a Trusted Software Supply Chain

October 16, 2025 Jacqueline Basil, JFrog Product Marketing Manager, Security | 7 min read

Software supply chains have grown more complex as software delivery accelerates across more teams, technologies and environments. While the pace of releases continues to increase, the ability to manage these releases has not accelerated correspondingly. Developers and development operations are now firmly in the spotlight, as new regulations demand clear, auditable proof that every stage…
Read More
Don’t Guess What to Scan: Runtime Scope Ensures Full Production Coverage

Don’t Guess What to Scan: Runtime Scope Ensures Full Production Coverage

October 15, 2025 Ariel Antoni, JFrog Senior Product Manager | 5 min read

Are you confident that you’re scanning for security vulnerabilities on all your software running in production? If this question makes you uncomfortable don’t worry. First, you’re not alone. Second - keep reading. Almost all security teams today face a massive challenge: they’re drowning in data but lack direction. They have an overwhelming amount of code…
Read More
Shifting Security ‘Lefter’ Than Left Is The Key To Avoiding Risky Packages

Shifting Security ‘Lefter’ Than Left Is The Key To Avoiding Risky Packages

September 19, 2025 Asaf Karas, JFrog CTO & SVP Security | 4 min read

As the AI revolution accelerates, developers are being inundated with a dazzling array of new software packages and game-changing tools such as GitHub CoPilot, Sourcegraph, Qodo, Cursor, Goose, and others that promise incredible advances in productivity and impact. The excitement over this is high and just keeps on growing. Cyberattackers share equally in this excitement;…
Read More

Popular Tags