JFrog recently announced the findings of its 2026 Software Supply Chain Security State of the Union report. This year’s report reveals an unprecedented acceleration in enterprise software risk as threat actors expand strikes beyond traditional package registries into AI model registries and developer tooling, creating a blind spot in current software governance frameworks.
“Every enterprise is adding AI to their software supply chain, which is increasing the attack surface for bad actors. Our report shows attackers are no longer just breaching traditional defenses – they are actively weaponizing the trusted models, registries, and agentic tools driving today’s AI-powered development. The era of ‘scan and hope’ is over,” said Shlomi Ben Haim, CEO & Co-Founder, JFrog. “Organizations need a single source of truth that governs every binary, every model, and every AI agent skill from the moment it enters the pipeline to the moment it is deployed in production. This is what JFrog was built to deliver.”
As AI moves from experimentation to a structural force reshaping the software supply chain, organizations are seeing a widening gap between reported security confidence and the risks accumulating in their infrastructure. Drawing on data from 18.2 billion artifacts managed across the JFrog Platform (up 136% year-over-year), original vulnerability research by the JFrog Security Research team, and a global survey of 1,508 security and DevOps professionals, this report exposes what it calls the “illusion of mastery”, i.e. the growing disparity between perceived security and the reality of mounting supply chain risk.
Key Findings Include:
- Malicious Packages Hit an All-Time High: Malicious npm packages surged 451% year-over-year, with 177K new malicious packages detected across registries in the last year. Attackers are exploiting trust at scale – the “Qix” campaign used just 25 packages to compromise over 2.5 million downloads.
- AI Agent Skills Emerge as a New Attack Surface: For the first time, JFrog tracked malicious AI agent skills – identifying 969 carrying high-impact payloads alongside 495 malicious AI models on Hugging Face and 56 malicious extensions on OpenVSX. Attackers are no longer just targeting code; they are targeting the autonomous tools that write, review, and deploy it.
- Cutting through the Noise: Vulnerabilities Are Surging and Severity Scores Are Misleading: Over 48,000 new CVEs were disclosed in 2025, a 20% year-over-year increase partially driven by AI-generated code reintroducing decades-old weaknesses, like Injection (CWE-74), which grew 3,110%. Yet the JFrog Security Research team found that 66% of CVEs analyzed had minimal real-world applicability: volume-based triage is noise, while context and applicability become the mission-critical signals.
- The Fastest-Growing Threats Are the Least Defended: Only 40% of organizations have adopted malicious package detection, and secrets detection is active at just 28%. The categories growing fastest in threat volume remain the least covered by existing tooling.
- Security Teams Bear the Human Cost of AI: 45% of respondents say reviewing and hardening AI-generated code is now a major time drain – proving that AI hasn’t eliminated work – it’s merely shifted the burden as threat actors weaponize upstream developer environments and agentic tools.
- The AI Governance Gap: 97% of organizations claim they have certified model governance – yet 53% self-host models from sources where malicious payloads have been detected, and 18% have zero governance over their integrated development environments (IDE) or Model Context Protocol (MCP) servers sitting inside their developers’ workflows. Thus, the gap between reported executive confidence and actual control is widening as AI development accelerates.
“The industry is operating with a false sense of security. Vulnerabilities are growing in number, but the real threat lies in threat actors hijacking our CI/CD pipelines and developer tools before code even exists,” said Shachar Menashe, VP of JFrog Security Research. “Moving to automated, platform-native governance is no longer optional – it is the only way to secure the intelligent systems creating, approving, and distributing today’s software.”
“AI has not only changed how software is written; it has also increased the speed and scale at which zero-day vulnerabilities are exploited, and malicious software supply chain attacks are developed and distributed,” said Yoav Landman, CTO and Co-Founder of JFrog. “To stay ahead, organizations need automated governance that curates every software asset entering the organization, whether introduced by agents or developers, and continuously monitors every release that contains those assets. The race is no longer about who discovers a zero-day first, because that information is advertised within minutes. It is about who can fortify their software supply chain at scale to keep their organization secure.”