GitHub Token Leak Exposes Python’s Core Repositories to Potential Attacks

July 15, 2024 at 01:06PM Cybersecurity researchers found a leaked GitHub token that could have enabled elevated access to Python repositories. JFrog discovered the token in a public Docker container and immediately revoked it after disclosure. Checkmarx also uncovered malicious packages on PyPI designed to extract sensitive information to a Telegram bot. No evidence shows …

Attackers Planted Millions of Imageless Repositories on Docker Hub

April 30, 2024 at 05:02PM Docker removed 3 million imageless public repositories from Docker Hub following a discovery by JFrog researchers. The repositories were found to contain links to malicious websites. JFrog highlighted the need for increased moderation on the platform. The attackers exploited a policy loophole that allowed them to include links in description …

Over 800 npm Packages Found with Discrepancies, 18 Exploitable to ‘Manifest Confusion’

March 21, 2024 at 10:52AM Researchers at JFrog have uncovered over 800 npm registry packages with discrepancies from their registry entries, 18 of which exploit a technique called manifest confusion. This technique can trick developers into running malicious code by supplying a different manifest with hidden dependencies during installation. They stress the importance of verifying …

Over 100 Malicious AI/ML Models Found on Hugging Face Platform

March 4, 2024 at 04:54AM Security researchers have discovered around 100 malicious AI/ML models on the Hugging Face platform. These models pose a significant security threat, potentially allowing attackers to gain control over machines, leading to data breaches and corporate espionage. Furthermore, researchers have developed techniques to manipulate large-language models (LLMs) for harmful purposes, demonstrating …

Malicious NuGet Package Targeting .NET Developers with SeroXen RAT

October 12, 2023 at 09:57AM A malicious package named Pathoschild.Stardew.Mod.Build.Config has been found on the NuGet package manager. It delivers a remote access trojan called SeroXen RAT. The package is a typosquat of a legitimate package and has artificially inflated its download count to over 100,000. The profile behind the package has published six other …