Shachar Menashe
JFrog Senior Director Security ResearchShachar has more than 15 years of experience in security research & engineering, including low-level R&D, reverse engineering and vulnerability research. He currently leads the security research division in JFrog, specializing in automated vulnerability research techniques. Before joining Vdoo and JFrog, Shachar was responsible for building the low-level security of Magic Leap’s custom OS. Shachar holds a BSc in Electronics Engineering and Computer Science from Tel-Aviv University.
The Latest From Shachar Menashe
-
Unix CUPS Unauthenticated RCE Zero-Day Vulnerabilities (CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, CVE-2024-47177): All you need to know
| 7 min readOn September 23rd, Twitter user Simone Margaritelli (@evilsocket) announced that he has discovered and privately disclosed a CVSS 9.9 GNU/Linux unauthenticated RCE, which affects almost all Linux distributions, and that the public disclosure will happen on September 30th, Due to a suspected leak in the disclosure process, @evilsocket decided to advance the disclosure, and on…
Read More -
From MLOps to MLOops: Exposing the Attack Surface of Machine Learning Platforms
| 26 min readNOTE: This research was recently presented at Black Hat USA 2024, under the title “From MLOps to MLOops - Exposing the Attack Surface of Machine Learning Platforms”. The JFrog Security Research team recently dedicated its efforts to exploring the various attacks that could be mounted on open source machine learning (MLOps) platforms used inside organizational…
Read More -
Binary secret scanning helped us prevent (what might have been) the worst supply chain attack you can imagine
| 8 min readThe JFrog Security Research team has recently discovered and reported a leaked access token with administrator access to Python’s, PyPI’s and Python Software Foundation’s GitHub repositories, which was leaked in a public Docker container hosted on Docker Hub. As a community service, the JFrog Security Research team continuously scans public repositories such as Docker Hub,…
Read More -
JFrog Security research discovers coordinated attacks on Docker Hub that planted millions of malicious repositories
| 19 min readAs key parts of the software ecosystem, and as partners, JFrog and Docker are working together to strengthen the software ecosystem. Part of this effort by JFrog's security research team involves continuous monitoring of open-source software registries in order to proactively identify and address potential malware and vulnerability threats. In former publications, we have discussed…
Read More -
CVE-2024-3094 XZ Backdoor: All you need to know
| 14 min readUpdate April 1st - Updated "What is the malicious payload of CVE-2024-3094?" due to newly released OSS tools Update April 7th - Updated "What is the malicious payload of CVE-2024-3094?" due to more published payload research On March 29th, it was reported that malicious code enabling unauthorized remote SSH access has been detected within…
Read More -
Watch out for DoS when using Rust’s popular Hyper package
| 5 min readThe JFrog Security Research team is constantly looking for new and previously unknown vulnerabilities and security issues in popular open-source projects to help improve their security posture and defend the wider software supply chain. As part of this effort, we recently discovered and disclosed multiple vulnerabilities in popular Rust projects such as Axum, Salvo and…
Read More -
Latest LastPass security breach highlights developers as a high-value target
| 5 min readLast August, the maintainers of the LastPass cloud-based password manager tool reported a security breach in their servers. The disclosure maintained that an unauthorized party gained access to the LastPass development environment through a single compromised developer account. However - while source code and technical information was stolen, no user data was compromised and no…
Read More -
Turns out 78% of reported common CVEs on top DockerHub images are not really exploitable
| 15 min readResearch motivations Similarly to our previous research on “Secrets Detection,” during the development and testing of JFrog Xray’s new “Contextual Analysis” feature, we wanted to test our detection in a large-scale real-world use case, both for eliminating bugs and testing the real-world viability of our current solution. However, unlike the surprising results we got in our…
Read More