Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

(Nov 24, 2025) JFrog continues to track, provide research and document another wave of the Shai-Hulud Software Supply Chain Attack which was originally reported by the JFrog Security Research team on 16-Sep-2025. Following the initial campaign, threat actors have returned with more advanced tactics, compromising an additional 796 new malicious packages across leading public registries.

The systemic nature of software supply chain attacks is growing more complex, creating a critical tension between speed and security. The Israeli National Cyber Directorate’s (INCD) recent “Breaking the Chain” report validates that the most significant threats live outside your first-party code, highlighting a crisis of trust in the open-source-software (OSS) supply chain.

The JFrog Security Research team recently discovered and disclosed CVE-2025-11953 – a critical (CVSS 9.8) security vulnerability affecting the extremely popular @react-native-community/cli NPM package that has approximately 2M weekly downloads. The vulnerability allows remote unauthenticated attackers to easily trigger arbitrary OS command execution on the machine running react-native-community/cli’s development server, posing a significant risk to developers.

Organizations increasingly demand platforms that not only accelerate software delivery but also provide trust, security, and traceability. At JFrog, the software supply chain is managed and secured by default, from commit to runtime. That’s why our deep integration with GitHub is central to how we help teams manage, monitor, and secure every step of software delivery. In this post, we’ll explore.

This user quote, captured on Reddit, underscores the real-world consequence of cloud outages: when it happens, the world stops. As your organization scales, you often make strategic decisions to centralize your workloads, whether it’s meeting strict regulatory requirements that demand data locality, or minimizing latency for compute-heavy applications. The true challenge isn’t deciding which cloud vendor to go with; it’s mitigating the risk of a single point of failure.

We’re excited to announce that Gartner has named JFrog a ‘Visionary’ in the 2025 Magic QuadrantTM for Application Security Testing. We believe this reflects JFrog’s forward thinking strategy of integrating application security seamlessly throughout the entire software development lifecycle in ways that help organizations deliver their most secure, trusted applications without impacting developers’ productivity.

JFrog Security Research recently discovered and disclosed multiple CVEs in oatpp-mcp – the Oat++ framework’s implementation of Anthropic’s Model Context Protocol (MCP) standard. Among these, CVE-2025-6515 stood out due to its potential threat of hijacking MCP session IDs. Within the context of MCP we’ve dubbed this new attack technique “Prompt Hijacking“. Your browser does not support the video tag.

Software supply chains have grown more complex as software delivery accelerates across more teams, technologies and environments. While the pace of releases continues to increase, the ability to manage these releases has not accelerated correspondingly. Developers and development operations are now firmly in the spotlight, as new regulations demand clear, auditable proof that every stage of the software lifecycle, from coding to production is secure and compliant.

Are you confident that you’re scanning for security vulnerabilities on all your software running in production? If this question makes you uncomfortable don’t worry. First, you’re not alone. Second – keep reading. Almost all security teams today face a massive challenge: they’re drowning in data but lack direction.