Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Development teams are shipping faster than ever. Generative AI coding assistants, early agentic workflows, and increasingly modular architectures have compressed the distance between concept and deployment. AI-enabled innovation has become an executive mandate, and teams are expected to deliver at speed without sacrificing security or compliance.

Imagine your lead Software Engineer walks into your office and says, “Good news! I just deployed that critical update to production. I wrote the code on my personal laptop, didn’t run it through CI/CD, skipped the security scan, and just copied the files directly to the server with a USB drive.” You would fire them. Or you would revoke their access immediately.

Recent incidents have proven that Continuous Integration (CI) workflows are the new battleground for software supply chain attacks. Security Pitfalls in GitHub Actions workflows, such as the unsanitized use of pull request (PR) data, can allow attackers to execute malicious code during CI runs with devastating consequences.

The race to adopt AI agents has created a massive, unmonitored blind spot in the enterprise software supply chain. At the heart of this revolution is the Model Context Protocol (MCP) – an open connectivity standard designed to move AI models (LLMs) out of their passive “chat box” and give them direct active access to your company’s internal systems.

Listen to a NotebookLM podcast version of the blog: When Anthropic announced Claude Code’s new security scanning capabilities, following the announcement of OpenAI’s Aardvark, it marked an important moment for the industry. For the first time, expert-level security review is becoming embedded directly into the act of writing code. Subtle, context-dependent vulnerabilities can now be flagged as they are created. Zero-days can potentially be remediated before they ever make it into a build.

If you’ve been managing Red Hat-based systems as long as I have, yum install is likely hardcoded into your muscle memory. For decades, YUM (Yellowdog Updater, Modified) served as the backbone of RPM Linux-based distributions, getting us through countless server setups and late-night patches. But the era of YUM is officially over. With RHEL 9, Fedora, and Rocky Linux fully embracing DNF, YUM has moved from “reliable veteran” to “legacy technical debt.”

Every CVE starts as a vulnerability claim, but not every claim ends in agreement. Between researchers racing to disclose vulnerabilities, and open-source maintainers guarding the stability and reputation of their projects, a gray zone appears where “vulnerability” becomes a matter of debate. This is the story of many disputed CVEs. Where “vulnerability” is rarely a yes-or-no answer.

As part of the JFrog Security Research team’s ongoing work, we continuously monitor newly published packages across multiple ecosystems for malicious activity. This effort serves the broader open source community through public research disclosures, and it directly impacts the detection capabilities behind JFrog Xray and JFrog Curation. Our scanning pipeline uses a broad set of indicators to detect suspicious behavior.