May 2026 Summaries
5 posts from JFrog
Filter
Month:
Year:
Post Summaries
Back to Blog
Organizations face new challenges in securing their software supply chains as AI tools empower a broader range of users to autonomously download open-source libraries, bypassing traditional security measures like centrally managed artifact repositories. This expanded threat landscape means that traditional security approaches, such as naive blocking of direct access to public registries, often disrupt workflows and fail to provide comprehensive protection. JFrog's Package Traffic Controller offers a solution by operating at the network layer to intercept and reroute all package download requests through Artifactory, ensuring compliance with security, license, and quality policies without interrupting user workflows. This approach provides visibility and control over the entire organization, allowing for real-time inspection and approval of packages while maintaining an audit trail, thus closing security gaps without hindering developer efficiency.
May 27, 2026
982 words in the original blog post.
The JFrog 2026 Software Supply Chain Security State of the Union report highlights a disparity between organizations' perceived security effectiveness and their actual security coverage, termed as the "illusion of mastery." Based on an analysis of 18.2 billion artifacts and insights from 1,508 IT professionals, the report reveals that confidence in security governance often outpaces actual enforcement, particularly as the software supply chain evolves beyond traditional Java-centric ecosystems. Notable findings include the prevalence of malicious models on platforms like Hugging Face and the rise of npm over Maven as the most-used package ecosystem. Despite increasing threats, such as the 451% rise in detected malicious npm packages, detection coverage remains stagnant. Additionally, the report underscores that governance should be integrated continuously into the pipeline rather than remaining as static policy documentation. The report urges organizations to adopt pipeline-level controls to close the gap between perceived and actual security postures, highlighting the importance of real-time governance in areas such as AI model artifact governance, developer tooling, secrets detection, and compliance proof generation.
May 20, 2026
1,434 words in the original blog post.
Agent-belt is an open-source CLI-based evaluation framework designed for AI coding agents, ensuring that these agents perform correctly before reaching customers. It operates by running the agent's CLI as a subprocess within a real workspace, allowing for accurate evaluation without interfering with the agent's operations. Unlike other evaluation frameworks that focus on models or wrapped functions, agent-belt evaluates the CLI itself, offering a comprehensive and non-deterministic approach to testing across various agents. It supports multiple scenarios and scoring modes, enabling robust assessment through trials, varied user inputs, and multiple judges to ensure reliability and accuracy. Developed by JFrog, agent-belt integrates seamlessly into the development workflow, allowing developers to author scenarios, run evaluations, and diagnose issues directly in their IDE, emphasizing prevention of issues before deployment. This framework is part of JFrog's commitment to providing end-to-end solutions in the AI space, aiming to standardize evaluation practices and improve trust in AI agents.
May 19, 2026
1,794 words in the original blog post.
Software development is evolving with AI coding agents increasingly taking on tasks traditionally performed by human developers, such as resolving packages, configuring environments, and even managing the entire development lifecycle. However, this shift presents security challenges, as current tools lack built-in safety measures, leading to vulnerabilities like those exploited in attacks on npm and PyPI repositories. The integration of JFrog and OpenCode addresses these challenges by providing a deterministic trust layer that ensures only vetted packages, artifacts, and MCP servers are used, thereby maintaining security while allowing for seamless development workflows. This partnership facilitates automated environment setups and curates package resolution to protected repositories, enhancing both developer velocity and enterprise governance. By utilizing the JFrog platform as a system of record for secure software supply chain management and OpenCode as an open-source AI agent that supports pluggable LLM providers, organizations can achieve a balance between innovation and control, significantly reducing the time and complexity involved in developer onboarding and ongoing software delivery processes.
May 19, 2026
1,697 words in the original blog post.
With the advent of advanced AI models like Anthropic's Claude Mythos Preview and OpenAI's GPT-Cyber, organizations face a new era of accelerated security challenges, requiring structural rather than additive preparation to navigate this landscape effectively. These models demonstrate capabilities to autonomously identify and exploit long-standing vulnerabilities at speeds beyond human capacity, necessitating a comprehensive, integrated approach to security and governance across the software lifecycle. The text emphasizes that successful organizations will maintain a single, authoritative system of record for all software artifacts, enabling full context and automated policy application throughout all stages, from prompt to production. The JFrog Platform is presented as a pivotal solution, offering a unified platform that manages, governs, and secures every artifact, facilitating rapid detection, prioritization, and remediation of vulnerabilities while adapting to the dynamic and high-stakes environment introduced by these new cyber models. As the threat landscape evolves, organizations are urged to proactively prepare by embedding security controls into every stage of their artifact lifecycle to ensure readiness for future waves of AI-driven security challenges.
May 11, 2026
1,972 words in the original blog post.