JFrog Security Research

JFrog Security Real Time Posts

Last Updated On 12 Mar, 2026

Cipher Infostealer masquerades as Solara executor - Malware analysis

Guy Korolevski and Meitar Palas, JFrog Security Researchers

The JFrog security research team recently encountered 2 malicious packages on the NPM ecosystem, delivering via Dropbox links a windows executable. While checking these files in VirusTotal shows almost no Anti Virus (AV) results that flag it, the behavior analysis showed suspicious activity, leading us to dive in.

Published on 12 Mar, 2026

Real Time Post

GhostClaw Unmasked: A Malicious npm Package Impersonating OpenClaw to Steal Everything

Meitar Palas, JFrog Security Researcher

The JFrog Security research team has identified a malicious npm package named @openclaw-ai/openclawai. This package masquerades as a legitimate CLI tool called "OpenClaw Installer" while deploying a multi-stage infection chain that steals system credentials, browser data, crypto wallets, SSH keys, Apple Keychain databases, iMessage history, and more

Published on 8 Mar, 2026

Real Time Post

Anatomy of a Deception: Uncovering the 'omnicogg' Dropper in ClawHub

David Cohen, JFrog Security Researcher

The JFrog Security Team has identified a malicious OpenClaw skill named omnicogg hosted on ClawHub that uses a 22MB padded README to hide a base64-encoded RCE dropper, bypassing VirusTotal, ClawDex, and ClawHub's own scanner to harvest developer credentials.

Published on 6 Mar, 2026

Real Time Post

pull_request_target Exploitation - Part 1

Barak Haryati, Senior Director of Product Security at JFrog

Our research team found multiple vulnerabilities in OSS CI workflows, in this blog we cover the “Test-Based Execution” exploitation pattern.

Published on 5 Mar, 2026

Real Time Post

pull_request_target Exploitation - Part 2

Barak Haryati, Senior Director of Product Security at JFrog

Our research team found multiple vulnerabilities in OSS CI workflows, in this blog we cover the “Build-Scripts and Installer-Based Execution” exploitation pattern.

Published on 5 Mar, 2026

Real Time Post

pull_request_target Exploitation - Part 3

Barak Haryati, Senior Director of Product Security at JFrog

Our research team found multiple vulnerabilities in OSS CI workflows, in this blog we cover the “Branch and Config Injection” exploitation pattern.

Published on 5 Mar, 2026

Real Time Post

Three Stages Deep: A Malicious npm Package Delivering a Full-Featured macOS RAT

Meitar Palas, JFrog Security Researcher

The JFrog Security Team has identified a malicious npm package named eslint-verify-plugin that deploys a sophisticated multi-stage infection chain, ultimately delivering a full-featured Mythic/Apfell macOS RAT capable of credential theft, screen capture, and backdoor account creation.

Published on 18 Feb, 2026

Real Time Post

How a Complex Multi Payload Infostealer Hid in NPM Disguised as 'Console Visibility'

Guy Korolevski, JFrog Security Researcher

The JFrog security research team recently uncovered a sophisticated malicious package called "duer-js" published on NPM by the user "luizaearlyx". After complex analysis, the package was identified as an advanced windows targeted information stealer, self-named as “bada stealer”. The package remains active as of this publication.

Published on 11 Feb, 2026

Real Time Post

Potentially Critical RCE Vulnerability in OpenSSL - CVE-2025-15467

Ofri Ouzan, JFrog Security Researcher

The JFrog Security Research team is tracking a newly disclosed OpenSSL vulnerability, CVE-2025-15467, a stack overflow issue that may lead to remote code execution (RCE).

Published on 28 Jan, 2026

Real Time Post

Achieving Remote Code Execution on n8n Via Sandbox Escape - CVE-2026-1470 & CVE-2026-0863

Nathan Nehorai, JFrog Security Researcher

Our research team discovered and disclosed two vulnerabilities in n8n’s sandbox mechanism leading to remote code execution.

Published on 27 Jan, 2026