Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Unlock the Power of Agents with JFrog's Skills and MCP Tools

Agents are writing code, suggesting dependencies, and reviewing PRs, without any knowledge about your trusted package sources, security posture, or governance policies. When agents operate without supply chain context, they introduce risk, create rework, and weaken the guardrails DevSecOps teams rely on to ship with confidence. JFrog is changing that.

How to Bring Predictability to Tech Supply Chain Disruptions

The global technology sector loses approximately $16 billion annually to supply chain issues and logistics disruptions. For IT decision-makers and business leaders, this staggering figure represents delayed projects, compromised business continuity, and frustrated downstream customers. The hardware and components necessary to modernize and protect enterprise environments are increasingly vulnerable to all types of global friction.

How We're Securing Our Own Supply Chain

Building a supply chain security company comes with an uncomfortable truth: our remediated packages run inside our customers' production environments. A compromise on our end is a compromise on theirs. We take that responsibility seriously. I want to pull back the curtain on how we actually secure our own supply chain - from the code we write, to the artifacts we deliver, to the infrastructure that holds it all together. ‍

The AI Supply Chain is Actually an API Supply Chain: Lessons from the LiteLLM Breach

The recent supply chain attack involving Mercor and the LiteLLM vulnerability serves as a massive wake-up call for enterprise security teams. While the security industry has spent the last year fixating on prompt injections and model jailbreaks, this breach highlights a far more systemic vulnerability. The weakest link in enterprise AI is not necessarily the model itself. It is the middleware connecting the models to your data.

Spring 2026 Threat Research: Key Trends in Software Supply Chain Security

The software supply chain continues to face escalating threats, with malicious actors targeting developers and organizations at an unprecedented scale. In our Spring 2026 Threat Research Review, we analyze the latest trends, uncover alarming statistics, and highlight the evolving tactics used by attackers. From dependency injection attacks to the rise of typosquatting, this report provides a comprehensive look at the threats shaping the software ecosystem.

Hunting Supply Chain Attacks with Jared Myers, Director, CrowdStrike OverWatch

Supply chain attacks targeting AI have recently been making headlines — and keeping the CrowdStrike OverWatch team busy. Jared Myers, director of CrowdStrike OverWatch, joins Adam in this episode to discuss his team’s approach to detecting and responding to these attacks.

You Can't Patch Your Supply Chain So Why Treat It Like a Vulnerability Problem?

For years, vulnerability management has followed a familiar pattern: discover assets, scan for CVEs, prioritize by severity, and remediate what you can. That model works, at least within the boundaries of systems you own. The problem is that most organizations no longer operate within those boundaries. Federal agencies especially depend on a complex ecosystem of SaaS platforms, software vendors, contractors, and open-source components.

Breaking Down the Axios Supply Chain Attack

Apr 2, 2026 Mastering Software Supply Chain Management in 2026 Read More Natalie Tischler Mar 31, 2026 Why Security Debt Should Be a Board-Level Priority Read More Natalie Tischler Mar 26, 2026 Prioritize, Protect, Prove: A Roadmap for Application Security Transformation Read More Natalie Tischler.

Mastering Software Supply Chain Management in 2026

Engineering teams face a dual mandate: ship high-quality features faster and keep the underlying infrastructure secure. As development velocity increases, so does the complexity of the tools, libraries, and third-party components that make up your applications. Software Supply Chain Management is the discipline of securing these interconnected components.

Axios npm package compromise: What happened, what matters, and how to respond

Attackers carried out a supply chain compromise by abusing a compromised npm maintainer account to publish malicious Axios versions (axios@1.14.1 and axios@0.30.4). These releases introduced an unexpected dependency, plain-crypto-js@4.2.1, which attempted platform-specific malware execution via an npm lifecycle script during installation on Windows, macOS, and Linux.