Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

JFrog Security Research recently discovered and disclosed a critical vulnerability in FFmpeg, the world’s most widely deployed media processing framework. The discovered vulnerability, which we’ve named PixelSmash, is CVE-2026-8461 – a heap out-of-bounds write in the MagicYUV decoder (CVSS 8.8 High). We escalated this vulnerability from a simple crash all the way to reliable remote code execution – all it takes is processing a single malicious media file.

It’s official. Gartner just published the very first Gartner Magic Quadrant for Software Supply Chain Security, and JFrog has been recognized as a Leader, placing highest for Ability to Execute among all the vendors included. For an inaugural report in a category this important, that placement means a great deal to us, and we don’t take it lightly.

For years, installing an npm package has meant trusting that every package in the dependency tree will behave as expected. Whether code originated from the npm registry, a Git repository, a remote URL, or an installation script buried deep within a transitive dependency, npm would typically execute or retrieve it automatically during the installation process.

A new CVE drops into a package you depend on. With the JFrog power for Kiro installed, your next move is a single prompt in your IDE, not a tab switch to the JFrog UI and thirty minutes of hand-rolled REST calls. This is what governed agentic development looks like in practice.

Last June, we hosted the first EveryOps Day in Sydney – born from the convergence of DevOps, DevSecOps, and AI/MLOps we were witnessing across every industry in APAC. A year later, with AI’s proliferation across software delivery and security, we took EveryOps Day to Mumbai on May 15, then embarked on the EveryOps Tour: a series of invitation-only executive events across Canberra, Sydney, and Melbourne.

Picture two realities for the same compliance control reaching production. Reality One: Your AppSec team writes a new rule. An engineer uses Claude Code or Cursor to generate the OPA (Open Policy Agent) Rego policy in minutes. They deploy it. It blocks a legitimate release on a missing context variable, and the on-call engineer routes around the gate to ship the code. The AI gave them fast code — but not code they could trust.

In a landscape where executive teams demand immediate AI integration, engineering and security leaders find themselves navigating a complex operational balancing act. To explore how organizations can accelerate delivery pipelines without introducing fatal security risks, JFrog recently hosted a virtual panel discussion titled “Agentic Software Delivery in 2026.

AI coding agents are changing the pace of software development. With tools like Claude Code, developers can move from idea to implementation faster than ever, generating code, exploring unfamiliar repositories, refactoring services, and turning plain-language intent into working software. That speed is powerful. But speed without governance = risk. It also creates a new challenge: how can you govern what an AI agent builds, suggests, and pulls in from the internet?

NVIDIA NIM (NVIDIA Inference Microservices) packages production-ready AI models into optimized containers for enterprise deployment. Your developers need them. Your coding agents pull them. And until now, they pulled them directly from NVIDIA’s NGC registry, bypassing the supply chain controls you’ve spent years building. JFrog AI Catalog now brings NVIDIA NIM models under the same governance as every other artifact in your organization, with no separate registry and no governance gap.

JFrog is one of the first Software Supply Chain Management and Security Platforms to provide MCP functionality, which we have now opened up to anyone interested in trying Claude and Cursor in their own development environment. Doing a free trial is one of the best ways to see how JFrog integrates with your developers, operations and security.