{"id":5403,"date":"2026-07-07T18:06:58","date_gmt":"2026-07-07T23:06:58","guid":{"rendered":"https:\/\/www.cybersecurityinstitute.com\/blog\/?p=5403"},"modified":"2026-07-07T18:06:58","modified_gmt":"2026-07-07T23:06:58","slug":"devsecops-weekly-july-5-2026","status":"publish","type":"post","link":"https:\/\/www.cybersecurityinstitute.com\/blog\/?p=5403","title":{"rendered":"DevSecOps Weekly &mdash; July 5, 2026"},"content":{"rendered":"<style>\n.single .entry-title,\n.single .entry-header .entry-title,\n.single .post-title,\n.single header.entry-header h1,\n.single h1.entry-title,\n.single .page-title,\n.post-template-default h1.entry-title,\n.post-template-default .entry-header,\narticle .entry-header,\narticle .entry-title { display: none !important; }\n.single .entry-header { margin: 0 !important; padding: 0 !important; }\n.single .entry-content { margin-top: 0 !important; padding-top: 0 !important; }\n<\/style>\n<div class=\"container\">\n<div class=\"banner\">\n<p class=\"kicker\">Security Radar &middot; Issue 6<\/p>\n<h1 style=\"color:#ffffff !important;\">DevSecOps Weekly<\/h1>\n<p class=\"date\" style=\"color:#e0f2fe !important;\">July 5, 2026 &middot; Weekly Edition<\/p>\n<p class=\"tagline\" style=\"color:#f0f9ff !important;\">Registries under siege, an unpatched pipeline flaw with no fix in sight, and JFrog&rsquo;s governance play takes center stage.<\/p>\n<\/p><\/div>\n<div class=\"content\">\n<h2 class=\"section\">At a glance<\/h2>\n<p class=\"lead\">Package-registry supply-chain attacks dominated the week, and JFrog&rsquo;s own research desk was in the middle of two of them. A North Korea-linked &ldquo;Fake Font&rdquo; campaign hijacked npm packages and a cluster of 16 Go packages to hide a VS Code auto-run task that ultimately deploys the InvisibleFerret Python infostealer &mdash; the same actor group JFrog also tied to a fresh set of npm packages mimicking Rollup polyfill tooling to plant remote-access malware on developer workstations. In parallel, Checkmarx disclosed Operation Navy Ghost, eight trojanized Pyrogram forks on PyPI that turn any Telegram bot running in production into an attacker-controlled shell, and SafeDep documented a ten-account, thirty-package npm campaign that used a fake Polymarket arbitrage bot on GitHub as bait to plant a DeFi credential stealer. Four unrelated actors, one shared pattern: the registry itself, not the developer, is now the primary attack surface.<\/p>\n<p class=\"lead\">CI\/CD and package-manager hygiene got harder to ignore this week. Synacktiv published an unauthenticated remote-code-execution flaw in Argo CD&rsquo;s repo-server that can lead to full Kubernetes cluster takeover &mdash; reported to maintainers eighteen months ago, still unpatched, with no CVE assigned and the only real defense being network policies most Helm-based installs don&rsquo;t enable by default. GNU Guix disclosed and patched four vulnerabilities in <code>guix substitute<\/code> and <code>guix pull<\/code> that allowed a malicious or man-in-the-middle substitute server to write arbitrary files to the build daemon&rsquo;s filesystem. Kaspersky&rsquo;s GReAT team scanned roughly 130,000 GitHub Actions pipelines and found more than 250,000 configuration deviations, with critical flaws in eight repositories capable of enabling supply-chain compromise. And npm v12, arriving this month, will finally flip install scripts, Git dependencies, and remote-URL dependencies from automatic to opt-in &mdash; a structural fix teams should already be testing against.<\/p>\n<p class=\"lead\">On the governance side, two stories move over from the JFrog Competitive Intelligence bulletin this week because they speak directly to the DevSecOps audience&rsquo;s daily reality: Gartner published its first-ever Magic Quadrant for Software Supply Chain Security and named JFrog a Leader with the highest Ability to Execute score of any vendor evaluated, citing JFrog&rsquo;s State of the Union data point that malicious npm packages rose 451% year over year. Days earlier, JFrog and Anthropic shipped a JFrog Platform plugin for Claude Code that gives agentic coding sessions governed, scanned access to dependencies and artifacts before they land in a build. Read together with this week&rsquo;s registry attacks, the message is blunt: the tooling that watches what agents and pipelines pull in is becoming as consequential as the code itself.<\/p>\n<div class=\"topic-map\">\n      <img decoding=\"async\" src=\"https:\/\/www.cybersecurityinstitute.com\/blog\/wp-content\/uploads\/2026\/07\/topic-map-devsecops-2026-07-05-2.png\" alt=\"Topic map of DevSecOps Weekly stories for July 5, 2026\"><\/p>\n<p class=\"caption\">Topic map &mdash; npm\/PyPI supply-chain attacks (Fake Font VS Code campaign, Operation Navy Ghost, the Polymarket Trap, North Korea&rsquo;s Rollup polyfill mimics), CI\/CD &amp; package-manager hardening (Argo CD&rsquo;s unpatched repo-server flaw, GNU Guix substitute\/pull vulnerabilities, GitHub Actions misconfigurations, npm v12), and supply-chain governance &amp; industry standing (JFrog&rsquo;s Gartner Magic Quadrant leadership, the JFrog&ndash;Anthropic Claude Code plugin).<\/p>\n<\/p><\/div>\n<h2 class=\"section\">Article index<\/h2>\n<div class=\"cluster\">\n<h3>npm &amp; PyPI supply-chain attacks<\/h3>\n<p>Four separate campaigns hit package registries this week, from North Korea-linked malware disguised as fonts and polyfills to a coordinated DeFi credential-theft operation spanning ten npm accounts.<\/p>\n<ol class=\"articles\" style=\"margin:0;padding-left:20px;font-size:14px;color:#0f172a;\">\n<li>Hijacked npm and Go packages use VS Code tasks to deploy Python infostealer (The Hacker News, Jun 29) &mdash; W1<\/li>\n<li>Malicious PyPI packages give hackers control of Telegram bot servers &mdash; Operation Navy Ghost (BleepingComputer, Jun 30) &mdash; W2<\/li>\n<li>The Polymarket trap: a fake arbitrage bot, ten npm accounts, four ways to deliver an infostealer (SafeDep, Jul 1) &mdash; W3<\/li>\n<li>North Korea-linked npm packages mimic Rollup polyfills to steal developer secrets (The Hacker News, Jul 3) &mdash; W4<\/li>\n<li>npm v12 is coming in July &mdash; here&rsquo;s what developers need to do now (DevOps.com, Jun 11) &mdash; F1<\/li>\n<\/ol><\/div>\n<div class=\"cluster\">\n<h3>CI\/CD &amp; pipeline security<\/h3>\n<p>An unpatched, unauthenticated RCE in Argo CD, a hardened GNU Guix release closing four substitute\/pull vulnerabilities, and a large-scale study quantifying just how misconfigured GitHub Actions pipelines really are.<\/p>\n<ol class=\"articles\" style=\"margin:0;padding-left:20px;font-size:14px;color:#0f172a;\" start=\"6\">\n<li>Unpatched Argo CD repo-server flaw could let attackers take over Kubernetes clusters (The Hacker News, Jul 1) &mdash; W5<\/li>\n<li>&lsquo;guix substitute&rsquo; and &lsquo;guix pull&rsquo; vulnerabilities (GNU Guix Blog, Jun 24) &mdash; F2<\/li>\n<li>250,000 misconfigurations in GitHub Actions &mdash; Kaspersky GReAT study (Kaspersky Blog, Jun 26) &mdash; F3<\/li>\n<\/ol><\/div>\n<div class=\"cluster\">\n<h3>Supply-chain governance &amp; industry standing<\/h3>\n<p>JFrog closed the week as the highest-scoring vendor in Gartner&rsquo;s first Magic Quadrant for the category and shipped governance tooling directly into Claude Code &mdash; moved in from JFrog Competitive Intelligence because both stories bear directly on how DevSecOps teams govern what agents and pipelines pull into a build.<\/p>\n<ol class=\"articles\" style=\"margin:0;padding-left:20px;font-size:14px;color:#0f172a;\" start=\"9\">\n<li>JFrog positioned as a Leader in first Gartner Magic Quadrant for Software Supply Chain Security (BusinessWire, Jun 22) &mdash; F4<\/li>\n<li>JFrog and Anthropic bring enterprise-grade software supply chain governance to Claude Code (BusinessWire, Jun 10) &mdash; F5<\/li>\n<\/ol><\/div>\n<h2 class=\"section\">Detailed write-ups<\/h2>\n<div class=\"article\">\n<p><span class=\"num\">01<\/span><\/p>\n<h4>Hijacked npm and Go packages use VS Code tasks to deploy Python infostealer<\/h4>\n<\/p>\n<p class=\"meta\">The Hacker News &middot; June 29, 2026<\/p>\n<p>JFrog researchers found two hijacked npm packages, html-to-gutenberg and fetch-page-assets, along with 16 companion Go packages identified by Nextron Systems, hiding a hidden VS Code task named &ldquo;eslint-check&rdquo; configured to auto-run when a project folder opens. The payload disguises itself as a font file &mdash; public\/fonts\/fa-solid-400.woff2 &mdash; that actually contains JavaScript pulling encrypted next-stage code from blockchain transaction data on TronGrid and Aptos, a dead-drop technique resilient to takedowns. From there it opens a Socket.io backdoor and deploys a Python infostealer harvesting browser, wallet, and developer credentials, including Git, GitHub CLI, and cloud-storage metadata. Researchers tracking the campaign as &ldquo;Fake Font&rdquo; attribute it to North Korea as a variant of the long-running Contagious Interview operation. Audit for hidden .vscode\/tasks.json entries with folderOpen triggers and treat any font-file asset that isn&rsquo;t rendering as suspect.<\/p>\n<p>      <a class=\"button\" href=\"https:\/\/thehackernews.com\/2026\/06\/hijacked-npm-and-go-packages-use-vs.html\">Read the article<\/a><\/p>\n<p style=\"font-size:13px;color:#6b7280;margin-top:6px;\">Sources: <a href=\"https:\/\/thehackernews.com\/2026\/06\/hijacked-npm-and-go-packages-use-vs.html\" style=\"color:#1d4ed8;text-decoration:none;\">The Hacker News<\/a><\/p>\n<\/p><\/div>\n<div class=\"article\">\n<p><span class=\"num\">02<\/span><\/p>\n<h4>Malicious PyPI packages give hackers control of Telegram bot servers<\/h4>\n<\/p>\n<p class=\"meta\">BleepingComputer &middot; June 30, 2026<\/p>\n<p>Checkmarx disclosed Operation Navy Ghost, a campaign active since November 2025 that published at least eight trojanized forks of the unmaintained but still-popular Pyrogram Telegram framework &mdash; including VLifeGram, pyrogram-styled, and pyrogram-navy &mdash; each carrying a hidden backdoor module called secret.py. The backdoor activates specifically on Telegram bot accounts rather than user accounts, a deliberate choice since bots typically run unattended in production with access to databases, credentials, and cloud APIs. Once live, an attacker on a hardcoded &ldquo;OWNERS&rdquo; list can send Telegram commands like \/asu or \/asi to execute arbitrary Python or shell commands on the host, with results returned via Telegram message or file. Checkmarx attributes all eight packages, published under different PyPI accounts, to a single operator based on shared code, command names, and infrastructure. Teams running Pyrogram-based bots should audit for these forks immediately and rotate server credentials.<\/p>\n<p>      <a class=\"button\" href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/malicious-pypi-packages-give-hackers-control-of-telegram-bot-servers\/\">Read the article<\/a><\/p>\n<p style=\"font-size:13px;color:#6b7280;margin-top:6px;\">Sources: <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/malicious-pypi-packages-give-hackers-control-of-telegram-bot-servers\/\" style=\"color:#1d4ed8;text-decoration:none;\">BleepingComputer<\/a><\/p>\n<\/p><\/div>\n<div class=\"article\">\n<p><span class=\"num\">03<\/span><\/p>\n<h4>The Polymarket trap: a fake arbitrage bot, ten npm accounts, four ways to deliver an infostealer<\/h4>\n<\/p>\n<p class=\"meta\">SafeDep &middot; July 1, 2026<\/p>\n<p>SafeDep traced a coordinated campaign in which ten npm maintainer accounts published 30 packages mimicking Polymarket tooling and general DeFi math libraries, luring victims through a fake GitHub repository, Trum3it\/polymarket-arbitrage-bot, that racked up 53 forks before anyone flagged it. Its package.json listed clob-client-math as a dependency that&rsquo;s never actually imported in the bot&rsquo;s code &mdash; it exists purely to trigger a postinstall hook. The operators used four distinct delivery techniques across the ten accounts, including one that has a clean 1.0.0 release use npm itself to fetch and self-overwrite with a malicious 1.0.1, defeating tarball-based scanning entirely. The resulting 2,800-line infostealer reads crypto wallet vaults, browser credentials, SSH and AWS keys, npm tokens, and password-manager databases. Shared C2 domains and byte-identical dropper code tie all ten accounts to one operator. Anyone who ran npm install against these packages should treat every credential on that machine as compromised.<\/p>\n<p>      <a class=\"button\" href=\"https:\/\/safedep.io\/defi-infostealer-fake-arbitrage-bot-npm\/\">Read the article<\/a><\/p>\n<p style=\"font-size:13px;color:#6b7280;margin-top:6px;\">Sources: <a href=\"https:\/\/safedep.io\/defi-infostealer-fake-arbitrage-bot-npm\/\" style=\"color:#1d4ed8;text-decoration:none;\">SafeDep<\/a><\/p>\n<\/p><\/div>\n<div class=\"article\">\n<p><span class=\"num\">04<\/span><\/p>\n<h4>North Korea-linked npm packages mimic Rollup polyfills to steal developer secrets<\/h4>\n<\/p>\n<p class=\"meta\">The Hacker News &middot; July 3, 2026<\/p>\n<p>JFrog identified npm packages rollup-packages-polyfill-core and rollup-runtime-polyfill-core mimicking the legitimate rollup-plugin-polyfill-node down to its description and repository metadata, each installing a second-stage package disguised as an SVG utility that fetches a JSON payload from JSONKeeper and evaluates it. The malware runs environment checks to avoid cloud sandboxes and analysis infrastructure before reaching out for an encrypted loader that enables interactive remote access &mdash; terminal sessions, screenshot capture, and mouse\/keyboard control via the @nut-tree-fork\/nut-js package &mdash; plus browser and cryptocurrency wallet theft. The file collector specifically targets VS Code, Windsurf, and Cursor editor history alongside AWS, Azure, Gemini, and Claude configuration files. JFrog notes the technique overlaps with the OtterCookie malware family tied to Lazarus\/Contagious Interview. The disclosure landed alongside a wave of unrelated npm and PyPI credential-theft campaigns documented the same week by Checkmarx, SafeDep, and independent researchers, underscoring how crowded the registry-attack surface has become.<\/p>\n<p>      <a class=\"button\" href=\"https:\/\/thehackernews.com\/2026\/07\/north-korea-linked-npm-packages-mimic.html\">Read the article<\/a><\/p>\n<p style=\"font-size:13px;color:#6b7280;margin-top:6px;\">Sources: <a href=\"https:\/\/thehackernews.com\/2026\/07\/north-korea-linked-npm-packages-mimic.html\" style=\"color:#1d4ed8;text-decoration:none;\">The Hacker News<\/a><\/p>\n<\/p><\/div>\n<div class=\"article\">\n<p><span class=\"num\">05<\/span><\/p>\n<h4>npm v12 is coming in July &mdash; here&rsquo;s what developers need to do now<\/h4>\n<\/p>\n<p class=\"meta\">DevOps.com &middot; June 11, 2026<\/p>\n<p>Starting this month, npm v12 flips three defaults that have enabled the bulk of this week&rsquo;s registry attacks: install scripts (preinstall\/install\/postinstall) no longer run automatically, Git dependencies no longer resolve automatically, and remote-URL tarball dependencies no longer resolve automatically &mdash; all become explicit opt-ins. The change follows a brutal run of npm supply-chain incidents, including the September 2025 hijack of 18 packages with combined weekly downloads over 2.6 billion and roughly 455,000 malicious npm packages published in 2025 alone. Teams can prepare now: npm 11.16.0 already ships advisory-mode warnings, and running <code>npm approve-scripts --allow-scripts-pending<\/code> surfaces every package with an unreviewed script so teams can build a committed allowlist before the hard cutover. Package maintainers relying on install scripts should document the requirement and consider shipping prebuilt binaries instead. This week&rsquo;s Fake Font, Navy Ghost, and Polymarket campaigns are precisely the class of attack v12&rsquo;s defaults are designed to blunt.<\/p>\n<p>      <a class=\"button\" href=\"https:\/\/devops.com\/npm-v12-is-coming-in-july-heres-what-developers-need-to-do-now\/\">Read the article<\/a><\/p>\n<p style=\"font-size:13px;color:#6b7280;margin-top:6px;\">Sources: <a href=\"https:\/\/devops.com\/npm-v12-is-coming-in-july-heres-what-developers-need-to-do-now\/\" style=\"color:#1d4ed8;text-decoration:none;\">DevOps.com<\/a><\/p>\n<\/p><\/div>\n<div class=\"article\">\n<p><span class=\"num\">06<\/span><\/p>\n<h4>Unpatched Argo CD repo-server flaw could let attackers take over Kubernetes clusters<\/h4>\n<\/p>\n<p class=\"meta\">The Hacker News &middot; July 1, 2026<\/p>\n<p>Synacktiv disclosed an unauthenticated remote-code-execution flaw in Argo CD&rsquo;s repo-server, the component that turns Git repositories into Kubernetes manifests, that can lead to full cluster takeover. The bug abuses kustomize&rsquo;s &#8211;helm-command option: an unauthenticated request to the repo-server&rsquo;s internal gRPC service can point that option at an attacker-controlled script instead of the helm binary. There is no patch and no CVE &mdash; Synacktiv reported the issue in January 2025 and published after roughly eighteen months of silence. The only real mitigation is network isolation, but Argo CD&rsquo;s own Helm chart ships with networkPolicy.create set to false, so any attacker who compromises one pod in the cluster can typically reach the repo-server directly. From there, Synacktiv showed the flaw could be chained to read the cluster&rsquo;s Redis password and poison deployment data, causing Argo CD to deploy an attacker-supplied workload on its next automatic sync. Run <code>kubectl get networkpolicy -A<\/code> now and enable the shipped policies if they&rsquo;re missing.<\/p>\n<p>      <a class=\"button\" href=\"https:\/\/thehackernews.com\/2026\/07\/unpatched-argo-cd-repo-server-flaw.html\">Read the article<\/a><\/p>\n<p style=\"font-size:13px;color:#6b7280;margin-top:6px;\">Sources: <a href=\"https:\/\/thehackernews.com\/2026\/07\/unpatched-argo-cd-repo-server-flaw.html\" style=\"color:#1d4ed8;text-decoration:none;\">The Hacker News<\/a><\/p>\n<\/p><\/div>\n<div class=\"article\">\n<p><span class=\"num\">07<\/span><\/p>\n<h4>&lsquo;guix substitute&rsquo; and &lsquo;guix pull&rsquo; vulnerabilities<\/h4>\n<\/p>\n<p class=\"meta\">GNU Guix Blog &middot; June 24, 2026<\/p>\n<p>The GNU Guix project disclosed and patched four vulnerabilities affecting the guix-daemon helper utilities. The most severe, in <code>restore-file<\/code>, extracts a downloaded substitute archive before verifying its cryptographic hash, letting any substitute server &mdash; or a man-in-the-middle, https notwithstanding &mdash; write arbitrary files anywhere the daemon user can write, including <code>\/etc\/passwd<\/code> when the daemon runs as root. A second flaw let a malicious server substitute the wrong store item for a requested one; a third allowed <code>file:\/\/<\/code> substitute URLs to disclose or interfere with any file readable by the daemon via symlink-following. A fourth, narrower issue in <code>guix pull<\/code> and <code>guix time-machine<\/code> allowed a malicious channel name to create or overwrite files via path traversal, primarily a denial-of-service risk. All four are fixed across 11 commits; Guix and Nix-adjacent tooling maintainers should note the pattern, since a related bug once produced CVE-2024-45593 in Nix. Upgrade guix-daemon immediately and evaluate whether to run with <code>--no-substitutes<\/code> in the interim.<\/p>\n<p>      <a class=\"button\" href=\"https:\/\/guix.gnu.org\/en\/blog\/2026\/guix-substitute-pull-vulnerabilities\/\">Read the article<\/a><\/p>\n<p style=\"font-size:13px;color:#6b7280;margin-top:6px;\">Sources: <a href=\"https:\/\/guix.gnu.org\/en\/blog\/2026\/guix-substitute-pull-vulnerabilities\/\" style=\"color:#1d4ed8;text-decoration:none;\">GNU Guix Blog<\/a><\/p>\n<\/p><\/div>\n<div class=\"article\">\n<p><span class=\"num\">08<\/span><\/p>\n<h4>250,000 misconfigurations in GitHub Actions<\/h4>\n<\/p>\n<p class=\"meta\">Kaspersky Blog (GReAT) &middot; June 26, 2026<\/p>\n<p>Kaspersky&rsquo;s Global Research and Analysis Team used a new Kaspersky Container Security rule set to scan roughly 130,000 GitHub Actions pipelines across about 30,000 popular repositories, and found more than 250,000 deviations from secure CI\/CD configuration practice &mdash; meaning only about 10% of the repositories examined raised no concerns at all. Of those findings, 59.8% were low risk and 39.8% medium risk, but 0.4% were classified high risk, and critical misconfigurations in eight repositories &mdash; spanning AI-integration tooling, developer automation services, and security-testing tools &mdash; were assessed capable of enabling a full supply-chain compromise; Kaspersky reported those directly to maintainers. The most common issues were implicit or overly broad permissions, missing version pinning on third-party actions, and workflow-level rather than job-level configuration; less frequent but more dangerous were top-level secret exposure, unsafe run conditions, and insecure handling of external data. The findings echo the same misconfiguration classes exploited in real campaigns like Mini Shai-Hulud, reinforcing that pipeline hygiene, not just package hygiene, needs a routine audit.<\/p>\n<p>      <a class=\"button\" href=\"https:\/\/www.kaspersky.com\/blog\/github-actions-security-research\/56019\/\">Read the article<\/a><\/p>\n<p style=\"font-size:13px;color:#6b7280;margin-top:6px;\">Sources: <a href=\"https:\/\/www.kaspersky.com\/blog\/github-actions-security-research\/56019\/\" style=\"color:#1d4ed8;text-decoration:none;\">Kaspersky Blog<\/a><\/p>\n<\/p><\/div>\n<div class=\"article\">\n<p><span class=\"num\">09<\/span><\/p>\n<h4>JFrog positioned as a Leader in first Gartner Magic Quadrant for Software Supply Chain Security<\/h4>\n<\/p>\n<p class=\"meta\">BusinessWire &middot; June 22, 2026<\/p>\n<p>Gartner published its first-ever Magic Quadrant for Software Supply Chain Security, naming JFrog a Leader and placing it highest on Ability to Execute of any vendor evaluated (report ID G00843814, published June 17, 2026). Gartner separately named software supply-chain attacks among the top four critical threats where attackers currently hold the advantage, citing an accelerating &ldquo;CVE Blitz&rdquo; of adversarial symmetry. JFrog&rsquo;s own 2026 State of the Union data, cited in the release, found 177,000 new malicious packages detected industry-wide and malicious npm packages up 451% year over year &mdash; numbers this week&rsquo;s Fake Font, Navy Ghost, and Polymarket disclosures do nothing to contradict. Gartner&rsquo;s evaluation highlighted JFrog Curation for blocking risky open-source components before install, JFrog AI Catalog and MCP Server for governing AI models and agent skills entering the environment, JFrog AppTrust for immutable policy-enforcement evidence, and expanded SBOM\/VEX support aligned to CycloneDX and SPDX 3.0. For DevSecOps teams evaluating supply-chain tooling, it&rsquo;s the first analyst-firm signal that this category has matured into its own market.<\/p>\n<p>      <a class=\"button\" href=\"https:\/\/www.morningstar.com\/news\/business-wire\/20260622339694\/jfrog-positioned-as-a-leader-in-the-first-gartner-magic-quadrant-for-software-supply-chain-security\">Read the article<\/a><\/p>\n<p style=\"font-size:13px;color:#6b7280;margin-top:6px;\">Sources: <a href=\"https:\/\/www.morningstar.com\/news\/business-wire\/20260622339694\/jfrog-positioned-as-a-leader-in-the-first-gartner-magic-quadrant-for-software-supply-chain-security\" style=\"color:#1d4ed8;text-decoration:none;\">BusinessWire<\/a><\/p>\n<\/p><\/div>\n<div class=\"article\">\n<p><span class=\"num\">10<\/span><\/p>\n<h4>JFrog and Anthropic bring enterprise-grade software supply chain governance to Claude Code<\/h4>\n<\/p>\n<p class=\"meta\">BusinessWire &middot; June 10, 2026<\/p>\n<p>JFrog and Anthropic released a JFrog Platform plugin for Claude Code, giving agentic coding sessions governed access to scan, curate, and secure every artifact and dependency an agent pulls in before it enters a build. The plugin adds JFrog Platform Skills, letting agents execute vulnerability scanning, curation checks, and provenance verification through natural language, and works alongside the recently announced JFrog MCP Registry and Agent Skills Registry so that MCP servers and agent skills are vetted before use. JFrog CTO Yoav Landman framed the need bluntly: AI agents are already making dependency, build, and deployment decisions without supply-chain context, which is how malicious packages and ungoverned AI assets enter production today. The timing matters &mdash; JFrog says the platform now manages over 18 billion artifacts, a 136% year-over-year increase driven largely by AI-agent activity. Similar plugins are planned for Cursor and VS Code Copilot. For teams running Claude Code or evaluating agentic development tooling, this is the first concrete governance layer purpose-built for that workflow.<\/p>\n<p>      <a class=\"button\" href=\"https:\/\/www.businesswire.com\/news\/home\/20260610800676\/en\/JFrog-and-Anthropic-Bring-Enterprise-Grade-Software-Supply-Chain-Governance-and-Security-to-Claude-Code\">Read the article<\/a><\/p>\n<p style=\"font-size:13px;color:#6b7280;margin-top:6px;\">Sources: <a href=\"https:\/\/www.businesswire.com\/news\/home\/20260610800676\/en\/JFrog-and-Anthropic-Bring-Enterprise-Grade-Software-Supply-Chain-Governance-and-Security-to-Claude-Code\" style=\"color:#1d4ed8;text-decoration:none;\">BusinessWire<\/a><\/p>\n<\/p><\/div>\n<h2 class=\"section\">On our watch list<\/h2>\n<ul class=\"watchlist\">\n<li><strong>npm v12&rsquo;s defaults flip this month.<\/strong> Install scripts, Git dependencies, and remote-URL dependencies move from automatic to opt-in. Watching for build breakage reports as teams that haven&rsquo;t run <code>npm approve-scripts --allow-scripts-pending<\/code> hit the cutover cold, and for how quickly the registry-attack techniques seen this week (postinstall droppers, side-loaders) adapt to the new defaults.<\/li>\n<li><strong>Argo CD&rsquo;s unpatched repo-server RCE.<\/strong> No CVE, no patch, eighteen months since disclosure. Watching whether Argo CD&rsquo;s maintainers ship a fix or a hardened default network policy before Synacktiv publishes its argo-cdown proof-of-concept tool, and whether other GitOps tools with similarly permissive Helm chart defaults get the same scrutiny.<\/li>\n<li><strong>North Korea&rsquo;s registry-poisoning cadence.<\/strong> Fake Font and the Rollup polyfill mimics are the same actor cluster inside one week, both caught by JFrog. Watching whether JFrog, Checkmarx, and SafeDep&rsquo;s parallel research efforts converge into shared IOC feeds or registry-level blocklists rather than each vendor publishing independently after the fact.<\/li>\n<li><strong>Governance tooling racing ahead of agent adoption.<\/strong> JFrog&rsquo;s Gartner MQ leadership and its Claude Code plugin land the same month as this week&rsquo;s wave of registry attacks. Watching whether Snyk, Sonatype, and GitHub Advanced Security ship comparable agent-native governance plugins, and whether enterprises adopt curation-before-install as a default rather than a premium add-on.<\/li>\n<\/ul><\/div>\n<div class=\"footer\">\n<p class=\"brand\">Security Radar &middot; DevSecOps Weekly<\/p>\n<p>Weekly intelligence bulletin from Security Radar LLC<\/p>\n<p>Curated by Paul Davis &middot; paul.davis@security-radar.com<\/p>\n<p>&copy; 2026 Security Radar LLC. All rights reserved.<\/p>\n<p style=\"margin-top:12px;font-size:12px;color:#94a3b8;\">Article titles and summaries are excerpted for review and commentary; all linked articles remain the copyright of their respective publishers and authors.<\/p>\n<p>*|LIST:ADDRESS|*<\/p>\n<p><a href=\"*|ARCHIVE|*\">View this email in your browser<\/a> &middot; <a href=\"*|UNSUB|*\">Unsubscribe<\/a><\/p>\n<\/p><\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Security Radar &middot; Issue 6 DevSecOps Weekly July 5, 2026 &middot; Weekly Edition Registries under siege, an unpatched pipeline flaw with no fix in sight, and JFrog&rsquo;s governance play takes center stage. At a glance Package-registry supply-chain attacks dominated the week, and JFrog&rsquo;s own research desk was in the middle&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[34,11],"tags":[],"class_list":["post-5403","post","type-post","status-publish","format-standard","hentry","category-secure","category-trends"],"_links":{"self":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/5403","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5403"}],"version-history":[{"count":1,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/5403\/revisions"}],"predecessor-version":[{"id":5408,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/5403\/revisions\/5408"}],"wp:attachment":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5403"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5403"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5403"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}