JFrog Security

1.4K posts


@JFrogSecurity

The JFrog Security Research Team empowers developers and companies to excel by identifying, prioritizing, and mitigating software risks.

USA / Israel · Joined November 2017
298 Following · 3.1K Followers
JFrog Security@JFrogSecurity·
🚨 CVE-2026-22732 - new critical CVE in spring-security. Under certain configurations of spring security, HTTP security headers are not written. Not in NVD yet, but fixes are published. Update spring-security-web to 6.5.9 or 7.0.4 spring.io/security/cve-2…
JFrog Security@JFrogSecurity·
CVE-2026-32746 was assigned to this issue. No fix published yet.
JFrog Security@JFrogSecurity·
PSA - Incoming Pre-Auth RCE in inetutils telnetd. Global buffer overflow. No CVE / fix yet. RCE proven, although real world cases would need ASLR bypass. If you are running telnetd (why??) please take note lists.gnu.org/archive/html/b…
JFrog Security@JFrogSecurity·
🚨Our research team uncovered Cipher Infostealer, masquerading as a 'Solara executor' via malicious NPM packages. This stealer targets Discord tokens, browser credentials, & crypto wallets, bypassing static AV with embedded, obfuscated JS. Read the comprehensive research here: research.jfrog.com/post/solara-ci… #Malware #SecurityResearch
JFrog Security@JFrogSecurity·
Our security researchers have officially unmasked "GhostClaw". Discover the inner workings of this malware and how to stay protected in our latest post. Full report: research.jfrog.com/post/ghostclaw…
JFrog Security@JFrogSecurity·
🚨 The JFrog Security research team has uncovered "OmniCogg", a malicious skill on ClawHub that exposes a massive blind spot in current security scanners. By hiding an RCE dropper, it bypassed VirusTotal and ClawDex to harvest developer credentials. Read the full technical breakdown: research.jfrog.com/post/omnicogg-…
JFrog Security@JFrogSecurity·
From the "S1ngularity" attack to the "Shai-Hulud" worm, attackers are moving away from stealing secrets and toward hijacking CI workflows. If they run the code in your pipeline, they own the release. JFrog’s new AI-research bot, RepoHunter, just proactively identified 13 major vulnerabilities. Learn how we're helping hunt for vulnerabilities to keep software safe: bit.ly/46HgipI #ShaiHulud #DevSecOps #AI #CICD
JFrog Security@JFrogSecurity·
AI for code security doesn't eliminate risk, but instead it shifts it. 🔄 Validated code is great, but the binary is what actually runs and determines your risk. It's time to stop focusing solely on code review and start governing the entire release lifecycle. From prompt to production, JFrog Co‑founder & CTO Yoav Landman explains why #SoftwareSupplyChain security is now a game of binary-level governance: jfrog.co/4aBJeSu #AI #DevGovOps #DevOps
JFrog Security@JFrogSecurity·
🚨 JFrog Security research team identified 'duer-js' on NPM, a sophisticated 'bada stealer' infostealer. It uses multi-stage obfuscation, bypasses Discord 2FA to steal credentials & payments, and targets browser/crypto wallets. Uninstalling the package is NOT enough. Full analysis & remediation steps: research.jfrog.com/post/duer-js-m… #NPM #Malware #SecurityResearch #Infosec
JFrog Security@JFrogSecurity·
Hi @TheHackersNews, it's important to note a broader scope of malicious activity. While the current discussion references 5 malicious packages, our analysis at JFrog identified and detailed a total of 11 related packages in this campaign. This discovery was initially announced via a tweet from the JFrog Security research team @JFrogSecurity x.com/JFrogSecurity/… We encourage the public and the security community to review our comprehensive research and the complete list of packages in our blog post, "Breaking AppSec Myths: The Obfuscated Packages." jfrog.com/blog/breaking-…
The Hacker News@TheHackersNews·
🧑‍💻💻 North Korean operatives are using real LinkedIn accounts to land remote IT jobs in Western firms. With impersonated profiles and verified emails, DPRK actors secure roles to fund weapons programs and conduct espionage—some gain admin access, steal data, and maintain persistence. 🔍 Read the full investigation → thehackernews.com/2026/02/dprk-o…
JFrog Security@JFrogSecurity·
The JFrog security team is tracking CVE-2026-25646, and a contextual analysis scanner is already available for JFrog Advanced Security customers.
JFrog Security@JFrogSecurity·
Exploitation is possible if an application calls libpng's `png_set_quantize()` or `png_set_dither()` functions with the following arguments:
1. `png` points to an attacker-supplied PNG image
2. `maximum_colors` is set to less than half the palette size
3. `histogram` is set to NULL
Full technical writeup - github.com/pnggroup/libpn…
JFrog Security@JFrogSecurity·
🚨 CVE-2026-25646 - a new high-severity CVE in LibPNG with RCE potential has been published! The vulnerability exists in libpng versions going 30 (!) years back and was patched in version 1.6.55. While no public RCE exploits have been published yet, heap buffer overflows are highly likely to be exploitable for RCE 🧵
JFrog Security@JFrogSecurity·
⚡ Potentially Critical RCE Vulnerability in OpenSSL - CVE-2025-15467 ⚡ The JFrog Security Research team is tracking a newly disclosed OpenSSL stack overflow vulnerability rated as High by OpenSSL, which may lead to remote code execution (RCE). This vulnerability was patched along with 11 other moderate and low severity vulnerabilities. The stack overflow can be triggered by sending a crafted CMS AuthEnvelopedData message with malicious AEAD parameters. While no official CVSS score has been assigned yet, based on its characteristics, we assess it may be rated at least High or even Critical by NVD. Our team reproduced the issue by invoking the CMS_decrypt API directly, confirming that OpenSSL applications parsing untrusted CMS data via this API are vulnerable. Exploitation is also possible when using the `openssl cms` CLI to decrypt untrusted input. A contextual analysis scanner for this CVE is now available for JFrog Advanced Security customers.
JFrog Security@JFrogSecurity·
🚨New #Security Research: Our researchers disclosed two RCE vulnerabilities (Critical 9.9 & High 8.5) affecting n8n’s expression engine and Python nodes. These escapes prove how tricky sandboxing can be, so make sure to update your versions ASAP. Get the details: bit.ly/4pYxA8v #n8n #Python #Javascript