Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Organizations increasingly demand platforms that not only accelerate software delivery but also provide trust, security, and traceability. At JFrog, the software supply chain is managed and secured by default, from commit to runtime. That’s why our deep integration with GitHub is central to how we help teams manage, monitor, and secure every step of software delivery. In this post, we’ll explore.

This user quote, captured on Reddit, underscores the real-world consequence of cloud outages: when it happens, the world stops. As your organization scales, you often make strategic decisions to centralize your workloads, whether it’s meeting strict regulatory requirements that demand data locality, or minimizing latency for compute-heavy applications. The true challenge isn’t deciding which cloud vendor to go with; it’s mitigating the risk of a single point of failure.

We’re excited to announce that Gartner has named JFrog a ‘Visionary’ in the 2025 Magic QuadrantTM for Application Security Testing. We believe this reflects JFrog’s forward thinking strategy of integrating application security seamlessly throughout the entire software development lifecycle in ways that help organizations deliver their most secure, trusted applications without impacting developers’ productivity.

JFrog Security Research recently discovered and disclosed multiple CVEs in oatpp-mcp – the Oat++ framework’s implementation of Anthropic’s Model Context Protocol (MCP) standard. Among these, CVE-2025-6515 stood out due to its potential threat of hijacking MCP session IDs. Within the context of MCP we’ve dubbed this new attack technique “Prompt Hijacking“. Your browser does not support the video tag.

Software supply chains have grown more complex as software delivery accelerates across more teams, technologies and environments. While the pace of releases continues to increase, the ability to manage these releases has not accelerated correspondingly. Developers and development operations are now firmly in the spotlight, as new regulations demand clear, auditable proof that every stage of the software lifecycle, from coding to production is secure and compliant.

Are you confident that you’re scanning for security vulnerabilities on all your software running in production? If this question makes you uncomfortable don’t worry. First, you’re not alone. Second – keep reading. Almost all security teams today face a massive challenge: they’re drowning in data but lack direction.

In the race to secure today’s ever-expanding attack surface, many companies have made a practice of using a mix of tools to monitor, assess, and remediate threats. This practice has resulted in a fragmented and chaotic landscape of security solutions across several teams, increasing complexity and forcing companies to have a reactive vs. proactive security posture.

As the AI revolution accelerates, developers are being inundated with a dazzling array of new software packages and game-changing tools such as GitHub CoPilot, Sourcegraph, Qodo, Cursor, Goose, and others that promise incredible advances in productivity and impact. The excitement over this is high and just keeps on growing.

And that’s a wrap! Held in beautiful Napa Valley, swampUP 2025, JFrog’s annual customer conference brought together developers, operations, security, compliance, and AI/ML leaders – all facing the same burning challenges posed by the AI-driven quantum shift in software delivery. In the keynotes, breakout sessions, and side-conversations over wine and coffee, a common theme was made clear: a unified Software Supply Chain platform is essential to thrive in the new reality.

JFrog Security Research recently discovered and disclosed multiple CVEs in the highly popular Chaos engineering platform – Chaos-Mesh. The discovered CVEs, which we’ve named Chaotic Deputy are CVE-2025-59358, CVE-2025-59360, CVE-2025-59361 and CVE-2025-59359. The last three Chaotic Deputy CVEs are critical severity (CVSS 9.8) vulnerabilities which can be easily exploited by in-cluster attackers to run arbitrary code on any pod in the cluster, even in the default configuration of Chaos-Mesh.