🚨 SECURITY ALERT 🚨
A new supply chain attack has been detected. A Shai Hulud worm variant dubbed "Alright Lets See If This Works" has hijacked 20 LeoPlatform npm packages, including "leo-logger", which impacts over 3.5K weekly downloads.
Audit your dependencies immediately. Full analysis and mitigation details will be live soon on our blog: https://t.co/dDYb74DYyE
#AI has changed how software is built, and how fast it can be attacked. In our 2026 Software Supply Chain Security State of the Union, we found:
📈 Malicious npm packages surged 451%
🤖 Injection vulnerabilities spiked 3,110%
⏱️ 48% of organizations need 1+ week to generate proof for a compliance audit
The AI Governance gap is real. In other words, the gap between reported security confidence and actual coverage is wider than most teams realize, and the 2026 data shows exactly where.
Read the full report to find out where your defenses stand: https://t.co/SnjEwVLDho
#DevGovOps #DevSecOps #SoftwareSupplyChain #Cybersecurity #AppSec
🚨Supply Chain SECURITY ALERT: "niagA oG eW ereH :duluH-iahS" 🔄
The Shai-Hulud supply chain attack has slithered into the @antv ecosystem, affecting more than 600 package releases. A compromised maintainer account was used to inject credential-stealing code into popular visualization and React packages (including echarts-for-react), threatening millions of weekly downloads. JFrog Curation customers using an Immaturity policy were fully protected from this attack, as all of the hijacked packages were flagged in less than 24 hours.
See our blog for a full analysis of this attack, including an ongoing list of compromised packages (link shared soon in this thread).
Speed without trust is just the Dark Side in disguise.
May the 4th be with you - and may your binaries be with you, too. ✨
AI agents are shipping code faster than ever. Which means your artifact repo isn't storage — it's your last line of defense.
With JFrog, every package is versioned. Every model traceable. One source of truth.
Get started today: https://t.co/rVWFujEzbE
#MayThe4thBeWithYou #DevSecOps #AI #JFrogForce #SoftwareSupplyChain
The Checkmarx TeamPCP campaign has now spread to npm! Package @bitwarden/cli (78K weekly downloads) v2026.4.0 steals GitHub/npm tokens, .ssh, .env, shell history, GitHub Actions and cloud secrets, then exfiltrates the data to private domains & as GitHub commits
Payload looks very similar to the attack discovered yesterday by Docker, which affected Checkmarx docker images & VSCode extensions
More details in this thread shortly 🧵
Of all the things that have happened here during this wretched decade, the saddest is the adaptation to the systematic, creeping erosion of fundamental freedoms.
Freedom of movement. Freedom of protest. The right to education.
Netanyahu, more authoritarian than ever, lords over a tired and confused public which, from the sheer number of blows that have landed on it, has not managed to process any of them, from COVID to the Levin-Rothman coup, from the massacre to Iran.
This pace serves his shock doctrine well: to bring the public to a state of exhaustion and numbness, so that it willingly gives up its rights in exchange for a promise of security, which of course will never materialize.
Meanwhile Netanyahu is wasting no time. His loyalists are tightening their grip on the security forces. He controls a vertical, sprawling propaganda apparatus whose head is the regulator and whose tail is the most junior of Channel 14's mouthpieces. And now he is preparing for the big bang against the High Court of Justice, the last institutional moat still protecting civil rights in Israel.
Timothy Snyder, an American historian who for years studied totalitarian regimes, put the lesson simply: "Do not obey in advance." Most of the power of tyranny, he wrote, is freely given.
🚨 CERT-EU Confirms Trivy Supply Chain Attack Led to European Commission AWS Breach
The European Commission got breached not because of bad code…
but because a trusted tool was compromised: Trivy 😫
Attackers used it inside CI/CD to steal AWS keys. 340GB data leaked. 70+ entities affected.
Bottom line: It’s not about finding vulnerabilities anymore. It’s about controlling what gets into your org. If you still pull directly from public sources, you’re just hoping.
🚨If you're using #npm - stop what you're doing and read this 👇
#ICYMI: The axios npm package has been hijacked. Versions 1.14.1 and 0.30.4 contain a malicious dependency (plain-crypto-js) that deploys a Remote Access Trojan.
The @JFrogSecurity team has analyzed this sophisticated, ongoing supply chain attack, and with 300M weekly downloads, the scale of risk is significant. Remediation guidance here: https://t.co/seMOZgkxFb
Defending against npm supply chain attacks comes down to two principles:
1. Don't rely on education, enforce policy.
2. Don't slow developers down, make it frictionless. If your current guidance is "don't upgrade" or "pin your versions" then you're already in reactive mode.
JFrog Curation provides both - Link in comments.
If an AI agent can run it, you should be able to govern it. 🛡️
Today, we’re thrilled to announce the JFrog MCP Registry, the system of record for the AI driven and agentic #SoftwareSupplyChain.
By treating #MCP servers as software artifacts, we’re enabling platform teams to proactively block malicious tools before they ever enter the organization without slowing down innovation velocity.
🚀 Read the full press release here: https://t.co/8ScLxzLWq4
#GenerativeAI #DevSecOps #AI #SystemOfRecord #SingleSourceofTruth
This Women’s History Month, we’re highlighting the importance of taking up space in every corner of the tech industry. 👋🏼
In bridging the gap between complex technical systems and human potential, Moran Dahan, Director of Customer Training, understands that the goal is to ensure everyone has the tools they need to thrive.
Ready to take your place in the next generation of tech leaders?
🔥 Register for our Women in DevSecOps webinar and learn how to lead the way: https://t.co/mx6YHQGWAK
#IWD2026 #GiveToGain #WomenInTech #WomensHistoryMonth #Enablement
David Robin, Senior Solution Engineer at Frog, is taking the mic at @KubeCon_ Europe 2026. 🎤
Blocking malicious packages usually means breaking the build, but David is ready to show you a better way!
Join us in Amsterdam to hear "Stop React2Shell & Shai Hulud: Live Demo of Curation with Compliant Version Selection" at the Demo Theatre.
📅 Tuesday 24th March | 🕒 14:30
If you're ready to advance your #SDLC, then book 1:1 time with us at #KubeCon: https://t.co/rAQ7XpIRfL
#KubeCon #DevOps
🎉 Exciting news: JFrog has officially earned the @Microsoft Solutions Partner with certified software designation for Azure.
This milestone is a testament to our commitment to providing secure, optimized #DevSecOps solutions, ensuring organizations can manage their Azure software supply chain with absolute confidence and trust.
Want to know what this means for your #DevOps workflows?
Check out our latest blog to learn more: https://t.co/EGBQL5hzLk
#Azure #MicrosoftPartner #SoftwareSupplyChain #CloudNative
Most #DevSecOps teams aren’t struggling to find vulnerabilities. They’re struggling to find the dependencies hiding inside highly customized, complex build environments. 🔎
Join JFrog's own Yonatan Arbel and @Adyen's DevSecOps Specialist, Supun Vidana Pathiranage, to learn how they cracked the code on visibility at scale.
What you’ll walk away with:
✅ The architecture Adyen used to decouple dependency resolution from their core build system.
✅ A roadmap for integrating custom pipelines with JFrog Xray without disrupting developer workflows.
✅ How to turn raw scan results into "The Battlestar Framework".
Stop drowning in false positives and start scaling visibility. Register today: https://t.co/ZfQtO6PzmM
#DevSecOps #AppSec #SoftwareSupplyChain #PlatformEngineering
From the "S1ngularity" attack to the "Shai-Hulud" worm, attackers are moving away from stealing secrets and toward hijacking CI workflows. If they run the code in your pipeline, they own the release.
JFrog’s new AI-research bot, RepoHunter, just proactively identified 13 major vulnerabilities.
Learn how we're helping hunt for vulnerabilities to keep software safe: https://t.co/LnAtRDXrNa
#ShaiHulud #DevSecOps #AI #CICD
The JFrog Security Research team has discovered 13 vulnerabilities in GitHub repositories using “RepoHunter”, an AI-research bot, with the findings saving global technology infrastructure and billions of users from downloading Shai-Hulud style exploitations.
Learn how we're helping hunt for vulnerabilities to keep software safe: https://t.co/qVSzosXR2r
#ShaiHulud #DevSecOps #AI #CICD
Our Security Research team analyzed 1.5M models in the hunt for malicious ML Models. What did they find?
😱 3x increase in total models
🚨 6x increase in malicious models
^All in just 1 year!
Mirroring the historical trend of compromised third-party software packages, malicious machine learning models on Hugging Face are experiencing explosive growth, often executing harmful code the moment they are loaded, well before any inference occurs.
Stay up to date on our latest security research: https://t.co/1XcHjRr69E
#MLModels #AISecurity
🛡️Critical vulnerabilities in n8n could allow attackers to bypass sandboxes and execute remote code.
If you use n8n for business orchestration, get the breakdown on:
👉🏽 Exactly which versions are affected (JavaScript & Python engines)
👉🏽 How to secure your self-hosted or cloud instances immediately.
Learn more: https://t.co/A3DxP3btmP
#CyberSecurity #n8n #InfoSec
Is 'Shadow AI' lurking in your organization?
Our 5-step guide helps you detect and eliminate these hidden threats, ensuring you maintain proper AI governance and protect your data.
Unsanctioned use of #AI tools poses significant #security risks and compliance challenges that many teams overlook. Learn more about #ShadowAI: https://t.co/hJ2P8E6s23