The JFrog Security research team continuously monitors popular open source software (OSS) repositories with our automated tooling to report vulnerable and malicious packages to repository maintainers. Earlier this year we disclosed several malicious packages targeting developers’ private data that were downloaded approximately 30K times.

JFrog security research team (formerly Vdoo) has recently disclosed a code injection issue in one of the utilities shipped with Tensorflow, a popular Machine Learning platform that’s widely used in the industry. The issue has been assigned to CVE-2021-41228. This disclosure is hot on the heels of our previous, similar disclosure in Yamale which you can read about in our previous blog post.

Embedded devices with limited memory and storage resources are likely to leverage a tool such as BusyBox, which is marketed as the Swiss Army Knife of embedded Linux. BusyBox is a software suite of many useful Unix utilities, known as applets, that are packaged as a single executable file. Within BusyBox you can find a full-fledged shell, a DHCP client/server, and small utilities such as cp, ls, grep, and others.