

JFrog
18.3K posts

@jfrog
Driven by a “Liquid Software” vision, the JFrog Software Supply Chain Platform powers organizations to build, manage, and distribute software quickly & securely





























🚨 NPM SUPPLY CHAIN ATTACK ALERT 🚨 For the second time, packages in the AsyncAPI ecosystem have been compromised. After being targeted by the massive "Shai-Hulud: The Second Coming" worm attack, @asyncapi/generator (100k weekly downloads) and its sub-packages have been poisoned again. @asyncapi/generator (3.3.1) @asyncapi/generator-helpers (1.1.1) @asyncapi/generator-components (0.7.1) Check your build pipelines and dependencies immediately! 🛡️








🚨SUPPLY CHAIN ALERT The official jscrambler npm package (15K weekly downloads) has been hijacked! Version 8.14.0 includes a malicious preinstall script that drops a hidden Rust binary disguised as a .js file on Windows, macOS, and Linux. The payload is a highly evasive credential and crypto-wallet stealer, featuring advanced anti-analysis tools and kernel-level eBPF instrumentation. If you installed v8.14.0, consider your system compromised. Immediately rotate all of your credentials! XRAY-1025905



