appsec.fyi · Sources

jfrog.com

7 curated AppSec resources from jfrog.com across 5 topics on appsec.fyi.

jfrog.com

Resources curated from this publisher and indexed across appsec.fyi topic pages. Last item added: 2026-06-08.

Each entry lists the date added, the resource title (with its year badge), the appsec.fyi topic tags, and the excerpt.

2026-06-08  Introducing Package Traffic Controller: Software Supply Chain Security at the Network Edge (2026)
  Topics: Supply Chain
  Excerpt: This content introduces "Package Traffic Controller," a tool designed to enhance software supply chain security at the network edge. It addresses vulnerabilities even when existing security measures like artifact repositories and package source policies are in place. The tool aims to prevent compromises by acting as a network-level safeguard, implying it can detect and block malicious packages that might slip through traditional defenses. The summary focuses on the problem it solves and its position in the security architecture, without mentioning a specific bounty payout.

2026-06-08  Trusted AI Adoption (Part 2): Detection (2026)
  Topics: AI
  Excerpt: This excerpt from "Trusted AI Adoption (Part 2): Detection" highlights a critical challenge in AI security. Despite seemingly stable systems and familiar assets, a production deployment failure signals a hidden issue. The incident occurs after automated agents and security dashboards show no anomalies. The audit failure points to a problem within the build process itself, referencing an unspecified element that deviated from the approved Model Context Protocol (MCP) and established AI assets, leading to an unexpected production deploy failure.

2026-06-08  NVIDIA NIM Models Are Now Governed Assets in Your Supply Chain (2026)
  Topics: AI, Supply Chain
  Excerpt: NVIDIA NIM models, essential for enterprise AI deployment, are now becoming part of the software supply chain. Previously, developers and agents pulled these models directly from NVIDIA's registry, bypassing existing supply chain controls. JFrog AI Catalog aims to integrate NVIDIA NIM models into established supply chain governance frameworks, ensuring better control and security.

2026-04-22  Shai-Hulud npm Supply Chain Attack: New Compromised Packages Detected (2026)
  Topics: Supply Chain
  Excerpt: Writeup on the Shai-Hulud npm supply chain attack details a significant wave of compromised packages, including new variations and obfuscation techniques. Threat actors are targeting popular npm packages to steal credentials from GitHub, NPM, AWS, GCP, and Azure, then exfiltrating this data by creating encoded repositories. The attack utilizes a data-stealer payload bundled within Webpack applications, often disguised as system optimization tools, and employs utilities like TruffleHog to gather secrets.

2026-04-16  Dissecting and Exploiting CVE-2025-62507: RCE in Redis (2026)
  Topics: RCE
  Excerpt: Writeup of CVE-2025-62507, a stack buffer overflow in Redis's XACKDEL command, details how an attacker can trigger this vulnerability by providing an excessive number of stream IDs. This overflow allows for overwriting the return address on the stack, potentially leading to remote code execution, especially in unauthenticated Redis instances. The analysis demonstrates exploiting this flaw by crashing the server with carefully crafted commands, revealing the path to weaponized exploits.

2026-04-11  XZ Backdoor CVE-2024-3094 - JFrog (2026)
  Topics: Supply Chain
  Excerpt: Analysis of CVE-2024-3094 details a sophisticated supply chain attack on XZ Utils, versions 5.6.0 and 5.6.1, which allowed unauthorized remote SSH access. The malicious payload, injected into the OpenSSH server (SSHD), modified decryption routines using ChaCha20 and Ed448 signatures to enable attackers with a specific private key to execute arbitrary commands or bypass authentication. The article outlines detection methods, remediation steps including downgrading and system restarts, and a kill switch, along with JFrog OSS tools for vulnerability scanning.

2026-04-10  PyTorch Users at Risk: 3 Zero-Day PickleScan Vulnerabilities | JFrog (2026)
  Topics: Deser, Python
  Excerpt: Library for detecting vulnerabilities in PyTorch models. JFrog Security Research discovered three zero-day vulnerabilities in PickleScan, the industry-standard tool for scanning pickle-based models. These bypasses, including CVE-2025-10155, allow attackers to embed undetected malicious code within PyTorch models, leading to potential supply chain attacks. PickleScan's reliance on file extension checks over content analysis, and its blacklist approach, create these exploitable gaps.