JFrog Security Real Time Posts

Critical CVSS 10 vulnerabilities CVE-2025-55182 and CVE-2025-66478 lead to remote code execution in React-based web applications.

Shai-Hulud remediation guide

Shai-Hulud ongoing attack resurfaced for a second wave, compromising more than 630 packages so far

The JFrog Security Team has identified a two-component cryptocurrency stealer in the NPM repository, cleverly disguised as a benign-looking package to avoid detection.

Our team found and reported crypto packages that delivered known malware via a dependency, with a total of nearly 2K downloads

Our team found a malicious cluster of about 80,000 self-replicating malware packages in the NPM registry. This report details the capabilities of the campaign and motivation behind it.

JFrog Security Research team found five fake cryptography packages in npm that contained backdoor code

Our research team found 3 malicious MCP servers with a total of 1.6K downloads, all containing the exact same payload - A reverse shell to hardcoded address.

Our team found a package exhibiting malware-like behaviour, that may pose a threat to organizational security. Even though promising some of the capabilities up front, we suspected the package, which led us to investigate further. This report details its persistence mechanisms, network reconnaissance capabilities, and multiple deployment vectors shown in the different versions evolution of the package.

The JFrog Security Resrarch team found that the Critical CVE-2025-53101 has additional, more concerning vulnerable commands in the package that had not been published.