JFrog Security

1.6K posts

JFrog Security banner
JFrog Security

JFrog Security

@JFrogSecurity

The JFrog Security Research Team empowers developers and companies to excel by identifying, prioritizing, and mitigating software risks.

USA / Israel Katılım Kasım 2017
309 Takip Edilen5.4K Takipçiler
JFrog Security
JFrog Security@JFrogSecurity·
🚨 The Miasma worm has returned to npm! Four AsyncAPI packages were recently compromised to deliver the new Miasma v3 variant. Read our full technical analysis: research.jfrog.com/post/miasma-wo…
JFrog Security@JFrogSecurity

🚨 NPM SUPPLY CHAIN ATTACK ALERT 🚨 For the second time, packages in the AsyncAPI ecosystem have been compromised. After being targeted by the massive "Shai-Hulud: The Second Coming" worm attack, @asyncapi/generator (100k weekly downloads) and its sub-packages have been poisoned again. @asyncapi/generator (3.3.1) @asyncapi/generator-helpers (1.1.1) @asyncapi/generator-components (0.7.1) Check your build pipelines and dependencies immediately! 🛡️

English
1
9
10
1.3K
JFrog Security
JFrog Security@JFrogSecurity·
🚨 NPM SUPPLY CHAIN ATTACK ALERT 🚨 For the second time, packages in the AsyncAPI ecosystem have been compromised. After being targeted by the massive "Shai-Hulud: The Second Coming" worm attack, @asyncapi/generator (100k weekly downloads) and its sub-packages have been poisoned again. @asyncapi/generator (3.3.1) @asyncapi/generator-helpers (1.1.1) @asyncapi/generator-components (0.7.1) Check your build pipelines and dependencies immediately! 🛡️
English
1
11
23
4.3K
JFrog Security
JFrog Security@JFrogSecurity·
⚠️ Students visiting "Riverbend Tutoring" to bypass school Wi-Fi and play games didn't realize their browsers were being conscripted into a DDoS botnet. We deobfuscated a massive campaign of 150+ npm packages (under names like charlie-kirk and ilovefemboys) acting as a free CDN for malicious student web proxies. Our deep-dive recovered active payloads: a mutable remote loader and a custom Wisp-protocol WebSocket generator that attacked a nursing school's website at 2MB/s per visitor. How the Lucide campaign weaponized student proxies: research.jfrog.com/post/lucide-pr…
English
1
7
33
45K
JFrog Security
JFrog Security@JFrogSecurity·
🚨SUPPLY CHAIN ALERT The official jscrambler npm package (15K weekly downloads) has been hijacked! Version 8.14.0 includes a malicious preinstall script that drops a hidden Rust binary disguised as a .js file on Windows, macOS, and Linux. The payload is a highly evasive credential and crypto-wallet stealer, featuring advanced anti-analysis tools and kernel-level eBPF instrumentation. If you installed v8.14.0, consider your system compromised. Immediately rotate all of your credentials! XRAY-1025905
English
1
18
44
328K
JFrog Security
JFrog Security@JFrogSecurity·
JFrog Xray customers can check for impact using the following IDs - XRAY-1024734 XRAY-1024741 XRAY-1024740 XRAY-1024736 XRAY-1024733 XRAY-1024751 XRAY-1024748 XRAY-1024735 XRAY-1024745 XRAY-1024749 XRAY-1024737 XRAY-1024747 XRAY-1024744 XRAY-1024746 XRAY-1024739 XRAY-1024743 XRAY-1024742 XRAY-1024738
Filipino
0
1
1
366
JFrog Security
JFrog Security@JFrogSecurity·
Current compromised packages list (compromised version is 1.20.21) - @injectivelabs/sdk-ts @injectivelabs/utils @injectivelabs/networks @injectivelabs/ts-types @injectivelabs/exceptions @injectivelabs/wallet-base @injectivelabs/wallet-core @injectivelabs/wallet-cosmos @injectivelabs/wallet-private-key @injectivelabs/wallet-evm @injectivelabs/wallet-trezor @injectivelabs/wallet-cosmostation @injectivelabs/wallet-ledger @injectivelabs/wallet-wallet-connect @injectivelabs/wallet-magic @injectivelabs/wallet-strategy @injectivelabs/wallet-turnkey @injectivelabs/wallet-cosmos-strategy
English
2
1
3
592
JFrog Security
JFrog Security@JFrogSecurity·
JFrog Security Research is tracking the ongoing npm malicious package campaign affecting the Injective SDK, currently comprised of 17 hijacked packages. The malicious packages contain an infostealer payload, specifically targeting wallet private keys. 🧵
English
1
4
8
1.7K
JFrog Security
JFrog Security@JFrogSecurity·
A consistent crash surely would have been noticed by the relevant curl users. So what’s the risk? ❌ No request tampering ❌ No attacker-controlled memory corruption ❌ No remote trigger The original Low severity rating is a much better reflection of the real-world risk.
English
0
1
2
293
JFrog Security
JFrog Security@JFrogSecurity·
CISA upgraded the original "LOW" score assigned by the Curl team, even though security impact is only client-side availability. The vulnerability causes a consistent client crash, regardless of external input.
English
1
1
3
411
JFrog Security
JFrog Security@JFrogSecurity·
🚨 Overhyped vulnerability of the week: Severity inflation in Curl CVE-2026-10536 (Critical 9.8 CVSS, but no security impact). Can a vulnerability truly be critical if it just causes a client crash, regardless of external input? 🧵
English
1
4
11
2K
JFrog Security
JFrog Security@JFrogSecurity·
🚨 18 Curl CVEs just jumped from Low/Medium to High/Critical overnight. This week, CISA upgraded all recently disclosed Curl CVEs, overriding the original severity ratings from the Curl team. JFrog Security Research analyzed all 18 vulnerabilities and found that they are either extremely difficult to exploit or have limited real-world impact. Our assessment: the original Low/Medium severity ratings were a better reflection of the actual risk.
English
0
7
15
2.3K
Solar Designer
Solar Designer@solardiz·
@JFrogSecurity Can you please bring this to oss-security, preferably with actual detail right in the posting (but do include the blog link as well). Thank you!
English
1
1
2
347
JFrog Security
JFrog Security@JFrogSecurity·
🚨 Successful PoC for Linux Kernel CVE-2026-43503 (DirtyFrag variant) 🚨 JFrog researchers successfully developed a privilege escalation exploit for CVE-2026-43503, a newly discovered DirtyFrag variant we dubbed "DirtyClone". The vulnerability was patched and merged into mainline Linux on May 21 (v7.1-rc5, commit 9e171fc1d7d7). Make sure your systems are up to date. Read the full technical writeup: research.jfrog.com/post/dissectin…
GIF
English
7
67
217
24.5K
JFrog Security
JFrog Security@JFrogSecurity·
🚨 Multiple recent Axios CVEs aren't as severe as they seem. JFrog researchers found that some Prototype Pollution gadget vulnerabilities in Axios are scored based on the impact of an already-compromised application, even though exploitation requires a separate Prototype Pollution vulnerability (as you can see in this PoC). Read our blog (in the first comment) to understand why context matters more than the score.
GIF
English
1
8
26
1.9K
JFrog Security
JFrog Security@JFrogSecurity·
🚨 Lazarus-linked npm malware is masquerading as widely used Rollup polyfills (~295K weekly downloads) Bypassing standard detection with no obvious install-script triggers, the threat actors wait until import-time to pull a multi-stage payload built for broad file collection, crypto wallet theft, and full interactive remote access. Read the full breakdown in our blog post (link in the thread)
English
2
12
32
12.7K