Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Picture this: You’ve just settled in at home after a long day, ready to relax, when suddenly your phone buzzes. It’s a notification about a failed build in your latest project. Your heart sinks. Your mind starts racing to connect the dots… What went wrong? Where is it broken? There’s usually no one immediately available to answer these questions, and you know it will require a large manual effort to get to the bottom of the issue.

When it comes to software supply chain security, we all do everything we can to prevent insecure software from being released into production. Hence we see software supply chain security shifting left to discover potential threats as early as possible in the software development lifecycle. But what happens when vulnerabilities are only discovered after an application has been distributed to its operating environment?

JFrog’s security research team continuously monitors open-source software registries, proactively identifying and addressing potential malware and vulnerability threats to foster a secure and reliable ecosystem for open-source software development and deployment. This blog details a PyPI supply chain attack technique the JFrog research team discovered had been recently exploited in the wild.

NOTE: This research was recently presented at Black Hat USA 2024, under the title “From MLOps to MLOops – Exposing the Attack Surface of Machine Learning Platforms”. The JFrog Security Research team recently dedicated its efforts to exploring the various attacks that could be mounted on open source machine learning (MLOps) platforms used inside organizational networks.

During 2023, the U.S. witnessed a record high in supply chain cyber-attacks, affecting 2,769 organizations. This figure represents the largest number recorded since 2017, marking an approximate 58% annual increase in impacted entities. If there ever was a doubt, now it’s crystal clear that YOUR SOFTWARE SUPPLY CHAIN IS A TARGET. Developers, DevOps and Security teams must prioritize processes that enhance security for all phases of the software supply chain.

On Sunday, June 2nd 2024, a fix commit was pushed for a vulnerability in GNU’s popular Wget tool. Two weeks later, the vulnerability was assigned the ID CVE-2024-38428 and later was classified as a critical vulnerability – with a CVSS score of 9.1. In this blog, we take a dive deep into this threat by seeing what caused it, what consequences it might have, and how it can be mitigated.

According to Gartner, almost two-thirds of U.S. businesses were directly impacted by a software supply chain attack. So it’s not a question of whether to secure your software supply chain, but rather what is the most effective and efficient way to provide end-to-end security during all phases of the software development lifecycle (SDLC). Download the Ebook.

The JFrog Security Research team has recently discovered and reported a leaked access token with administrator access to Python’s, PyPI’s and Python Software Foundation’s GitHub repositories, which was leaked in a public Docker container hosted on Docker Hub.

In the rapidly evolving fields of large language models (LLMs) and machine learning, new frameworks and applications emerge daily, pushing the boundaries of these technologies. While exploring libraries and frameworks that leverage LLMs for user-facing applications, we came across the Vanna.AI library – which offers a text-to-SQL interface for users – where we discovered CVE-2024-5565, a remote code execution vulnerability via prompt injection techniques.

Developers simply want to write code without interruption, while operations wish to build as fast as possible and deploy without restrictions. On the other hand, security professionals want to protect every step of the software supply chain from any potential security threats and vulnerabilities. In software development, every piece of code can potentially introduce vulnerabilities into the software supply chain.