JFrog Curation Malicious

JFrog Malicious Blocked Error and Recommendation

When JFrog Curation blocks a malicious package, you’ll encounter errors similar to the following:

  • Gradle Example:
    * What went wrong:
    Execution failed for task ':compileJava'.
    > Could not resolve all files for configuration ':compileClasspath'.
      > Could not download jfrog_dummy-1.0.0.jar (io.github.andr3colonel:jfrog_dummy:1.0.0)
          > Could not get resource 'https://jfrog.ford.com/artifactory/external-proxy-group/io/github/andr3colonel/jfrog_dummy/1.0.0/jfrog_dummy-1.0.0.jar'.
            > Could not GET 'https://jfrog.ford.com/artifactory/external-proxy-group/io/github/andr3colonel/jfrog_dummy/1.0.0/jfrog_dummy-1.0.0.jar'. Received status code 403 from server: Forbidden

How to Confirm a Package Blocked by JFrog Curation

  1. Email notification from JFrog (noreply@jfrog.io) about the Curation block. The email states the blocked package name, type, originating repository, condition, recommendation, etc.
  2. Using the curl command:
    • Example:
    curl -H "Authorization: Bearer <TOKEN>" "https://jfrog.ford.com/artifactory/external-proxy-group/io/github/andr3colonel/jfrog_dummy/1.0.0/jfrog_dummy-1.0.0.jar"
    {
      "errors" : [ {
        "status" : 403,
        "message" : "package io.github.andr3colonel:jfrog_dummy:1.0.0 download was blocked by jfrog packages curation service due to the following policies violated {malicious-maven-central-block,Malicious package,Malicious package,Remove the malicious package from your project and replace it with an alternate package.}"
      } ]
    }
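
A build or CI step can tell a Curation block apart from an ordinary 403 by parsing the response body shown in the curl example. The following is an added example, not code from JFrog or from this page's authors; the function name, the four field names given to the values inside the braces, and the second sample body are assumptions.

```python
import json
import re

# Message shape taken from the curl response shown on this page.
BLOCK_RE = re.compile(
    r"package (?P<package>\S+) download was blocked by jfrog packages "
    r"curation service due to the following policies violated (?P<policies>.+)$",
    re.DOTALL,
)
# Assumption: each {...} group is one violated policy with these four fields.
FIELDS = ("policy", "condition", "explanation", "recommendation")

def parse_curation_block(status_code, body):
    """Return details of a Curation block, or None for any other response."""
    if status_code != 403:
        return None
    try:
        errors = json.loads(body).get("errors")
    except (ValueError, TypeError, AttributeError):
        return None  # not JSON, or not a JSON object: some other kind of 403
    if not isinstance(errors, list):
        return None
    for err in errors:
        message = err.get("message", "") if isinstance(err, dict) else ""
        match = BLOCK_RE.search(str(message))
        if not match:
            continue
        violations = []
        for group in re.findall(r"\{([^{}]*)\}", match.group("policies")):
            # maxsplit keeps commas inside the free-text recommendation intact
            parts = [p.strip() for p in group.split(",", len(FIELDS) - 1)]
            violations.append(dict(zip(FIELDS, parts)))
        return {"package": match.group("package"), "violations": violations}
    return None

# Response body from this page, followed by a constructed ordinary 403.
BLOCKED = json.dumps({"errors": [{"status": 403, "message": (
    "package io.github.andr3colonel:jfrog_dummy:1.0.0 download was blocked by "
    "jfrog packages curation service due to the following policies violated "
    "{malicious-maven-central-block,Malicious package,Malicious package,"
    "Remove the malicious package from your project and replace it with an "
    "alternate package.}")}]})
DENIED = json.dumps({"errors": [{"status": 403, "message": "Forbidden"}]})

if __name__ == "__main__":
    for body in (BLOCKED, DENIED):
        print(parse_curation_block(403, body))
```

A result of None on a 403 means the failure is not a Curation block and should be handled as a permissions or repository problem instead.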

Email Example:

JFrog Malicious Blocked Information:

JFrog Curation detects and blocks third-party packages identified as malicious by the JFrog Security Research team. Their automated scanners continuously monitor third-party repositories for:

  • Infection methods (e.g., typosquatting, dependency confusion)
  • Suspicious behaviors (e.g., code execution, dynamic evaluation)
  • Obfuscation techniques
  • Other indicators of malicious intent

For more information, feel free to contact our research group at: research@jfrog.com

Brought to you by DevTools and Enablement Team.