Shifting Security ‘Lefter’ Than Left Is The Key To Avoiding Risky Packages

As the AI revolution accelerates, developers are being inundated with a dazzling array of new software packages and game-changing tools such as GitHub CoPilot, Sourcegraph, Qodo, Cursor, Goose, and others that promise incredible advances in productivity and impact. The excitement over this is high and just keeps on growing.

Cyberattackers share equally in this excitement; the adoption of new development resources always outpaces the ability to secure their use and this gives bad actors a window of opportunity to exploit vulnerabilities with little to no adversity by way of rigorous security controls.

The developer security world has made good progress with securing the use of Open Source Software (OSS) dependencies and outside components; after all, the vast majority of vulnerabilities in application code bases are introduced via third-party building blocks. But as we progress through the AI era, software supply chain security risks are rapidly increasing, and also expanding beyond software dependencies to developer tools and extensions.

The largest npm supply chain attack in history hits 20 packages

A software supply chain attack exploiting popular npm software packages was discovered on September 8th, 2025. 20 packages - representing over 2 billion downloads - were compromised. In this case, the attacker injected malicious code designed to intercept and redirect cryptocurrency transactions. This attack's reach makes it the most widespread supply chain attack in npm's history. (Check out the JFrog Security Research Team's blog for a more detailed technical analysis of this incident). Fortunately, the impact was minimal, despite the 2.5 million downloads of these compromised packages.

These types of attacks will only become more frequent and more sophisticated, and many software-producing organizations will continue to find themselves caught between stifling developer velocity and productivity with draconian security measures and taking on too much software supply chain security risk by way of unvetted artifacts, packages, and tools.

Relying on developers to manually vet every package or tool is just not a viable strategy. What's needed is a means of blocking risky or malicious components "at the door", ensuring they don't ever enter the software development lifecycle.

This is the differentiated approach that JFrog takes with our software supply chain security platform - we shift security even more 'left' than left.

Preempting risk with JFrog Curation

JFrog Curation is the solution that makes it effortless for developers to work with validated and approved dependencies and packages. It essentially acts as a firewall between your developers and public repositories, ensuring that only vetted OSS dependencies and packages are allowed into your organization's ecosystem.

Curation tracks OSS packages and models sanctioned by your organization and offers a policy-driven approach to 3rd party software component use that creates a win-win situation for security and software developers.

FIGURE 1: Creating detailed policies blocking the use of immature packages in Curation

Security benefits substantially from Curation. Imagine the common scenario where a new package version is released and developers race to download it and put it to use. Immature packages can carry operational risks and also serious security risks, which are typically discovered within a window of 14 days from time of release. With Curation, security teams can create and enforce policies that block any new packages based on the package's age, giving the necessary time for proper vetting by the Security community at large.

One might think that enforcing such a policy would degrade the developer experience. After all, being blocked from using a package could completely stall a software developer's project. Curation solves for maintaining the developer experience as well; if the latest packages requested by developers don't meet the maturity policy requirement, Curation will simply instruct Artifactory to serve the latest compliant version, according to your defined policies.

Want to get a detailed look at how Curation defends your software supply chain from risky packages? Schedule a meeting with one of our experts!