#software-supply-chain

#software-supply-chain

According to software supply chain security company Socket, the packages were published in 2023 and 2024 by a user named " shanhai666" and are designed to run malicious code after specific trigger dates in August 2027 and November 2028. The packages were collectively downloaded 9,488 times. "The most dangerous package, Sharp7Extend, targets industrial PLCs with dual sabotage mechanisms: immediate random process termination and silent write failures that begin 30-90 minutes after installation, affecting safety-critical systems in manufacturing environments," security researcher Kush Pandya said.

"A leaked VSCode Marketplace or Open VSX PAT [personal access token] allows an attacker to directly distribute a malicious extension update across the entire install base," Wiz security researcher Rami McCarthy said in a report shared with The Hacker News. "An attacker who discovered this issue would have been able to directly distribute malware to the cumulative 150,000 install base."

The report found that 68% of security leaders are concerned about the risks of third-party software tools and components introduced across their tech stacks. Seventy-three percent reported receiving at least one notification of a software supply chain vulnerability or incident in the past year. According to the report, 60% believe attackers are evolving too quickly to maintain a truly resilient security posture and 46% are uneasy about AI-driven features and large language models.

A coalition of heavyweight open source foundations issued a joint statement via the foundation on Tuesday, declaring that "open infrastructure is not free" and warning that the critical machinery behind modern software development is being stretched to breaking point. Package registries like Maven Central, PyPI, crates.io, npm, and Packagist handle billions of downloads every month, yet the organizations running them are often scraping by on donations, grants, and the goodwill of a few sponsors.

One of the highlights Levi pointed to was AppTrust, JFrog's initiative to establish end-to-end trust across the software supply chain. By unifying governance, risk, and compliance capabilities into a single framework, AppTrust is designed to give enterprises more confidence that applications are secure and reliable from development through deployment. The goal is to tie disparate security and verification processes into one cohesive approach that simplifies how organizations enforce trust at scale.

JFrog has introduced JFrog Fly, an offering the company describes as a zero-config, "agentic repository" for accelerating AI-driven software development. Introduced September 9, JFrog Fly is intended to support agentic workflows for development teams. AI agents orchestrate artifacts across the software life cycle, enabling developers to focus on delivering software to production with speed and scale, according to JFrog. Developers can join a beta waitlist for JFrog Fly.

JFrog and NVIDIA have expanded integrations to include the Enterprise AI Factory, enabling the management of AI applications through JFrog's Software Supply Chain Platform.