Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

JFrog

jfrog

Detecting Malicious Packages and How They Obfuscate Their Malicious Code

Wow! We made it to the last post in our Malicious Packages series. While parting is such sweet sorrow, we hope blogs one, two, and three provide insights into the havoc malicious packages cause throughout your DevOps and DevSecOps pipelines. In the prior posts: Now let’s get to know attackers’ other, more discreet interests when creating a malicious package: hiding malicious code, and finally showing how malicious packages can be detected and prevented.

jfrog

Latest LastPass security breach highlights developers as a high-value target

Last August, the maintainers of the LastPass cloud-based password manager tool reported a security breach in their servers. The disclosure maintained that an unauthorized party gained access to the LastPass development environment through a single compromised developer account. However – while source code and technical information was stolen, no user data was compromised and no services were interrupted. This specific statement about user data was reiterated many times.

jfrog

What's in your build? Building Images in OpenShift with Artifactory and JFrog CLI

Red Hat OpenShift is an enterprise Kubernetes container platform. It lets you build Docker images and use them to deploy your applications on a cloud-like environment (even if it’s not really on the cloud, rather a simulated cloud environment). Images built in OpenShift can be easily pushed into JFrog Artifactory – JFrog’s leading universal repository manager.

jfrog

Invisible npm malware - evading security checks with crafted versions

The npm CLI has a very convenient and well-known security feature – when installing an npm package, the CLI checks the package and all of its dependencies for well-known vulnerabilities – The check is triggered on package installation (when running npm install) but can also be triggered manually by running npm audit. This is an important security measure that warns developers against using packages with known vulnerabilities.

jfrog

Turns out 78% of reported CVEs on top DockerHub images are not really exploitable

Similarly to our previous research on “Secrets Detection,” during the development and testing of JFrog Xray’s new “Contextual Analysis” feature, we wanted to test our detection in a large-scale real-world use case, both for eliminating bugs and testing the real-world viability of our current solution.

jfrog

Common Payloads Attackers Plant in Malicious Software Packages

In this third post in our series on Malicious Software Packages, we’ll focus on the aftermath of a successful attack and how the attacker executes payloads to serve their needs through various real-life scenarios. Before we start, let’s review a few highlights from the second post you might’ve missed: Now, let’s get to blog three in the series.

jfrog

JFrog's security scanners discovered thousands of publicly exposed API tokens - and they're active! The Full Report

Note: This report was previously published in InfoWorld When developing the recently announced JFrog Advanced Security, our Research team decided to try out its new “Secrets Detection” feature. Our goal was to test our vulnerability detection on as much real world data as possible, to make sure we eliminate false positives and catch any bugs in our code.