JFrog published its 58-page Software Supply Chain Security State of the Union 2026 report today, revealing that 2025 saw the highest number of software supply chain attacks on record and a growing threat from AI-related vulnerabilities [1, 2].
The attack surface has shifted upstream, with adversaries weaponizing integrated development environment (IDE) extensions, Model Context Protocol (MCP) servers, open-source binaries, and developer tools to target software on first-time use. Paul Davis, JFrog's chief information security officer, said, "The software attack surface has fundamentally shifted upstream; attackers are actively weaponizing IDE extensions, MCP servers, open-source binaries, and developer tools to launch instantaneous attacks on first-time usage, using the developer's workstation" [1].
Malicious npm packages surged 451% year over year in 2025, with 177,000 new malicious packages detected across repositories. One campaign called "Qix" used only 25 malicious packages but compromised over 2.5 million downloads [2]. AI also introduced new attack vectors, with JFrog spotting 969 malicious AI agent skills, 495 malicious AI models on Hugging Face, and 56 malicious extensions on Open VSX [2].
More than 48,000 new CVEs (common vulnerabilities and exposures) were disclosed in 2025, a 20% increase over the prior year. Injection flaws (CWE-74) increased by 3,110%, driven in part by AI-generated code reintroducing old weaknesses [2]. Despite the high volume, 66% of CVEs had limited real-world impact, highlighting the need for enterprises to assess vulnerability context rather than just counts [2].
While 97% of organizations claim to have certified AI governance over components used in new AI-enabled solutions, nearly 20% have no active enforcement over intelligent tools in developer workflows, making governance ineffective in practice. Paul Davis warned, "Governance that exists only on paper isn’t a security control — it’s a dangerous assumption" [1].
JFrog also found that 53% of companies self-host AI models from publicly known malicious repositories, and 18% lack governance over IDE or MCP servers. Only 40% of companies have malicious package detection and 28% have secret data detection enabled [2].
JFrog CEO Shlomi Ben Haim noted in Chinese that every company integrating AI into its software supply chain enlarges the attack surface. He said attackers now exploit trusted AI models, repositories, and agent tools relied on by modern AI-driven development [2]. Vice president of security research Shachar Menashe called the situation a false sense of security, stating that attackers hijack CI/CD pipelines and developer tools before code is even written [2]. CTO Yoav Landman said AI has accelerated zero-day exploit development and malicious supply chain attacks, and called for automated, platform-native governance to monitor every software asset continuously [2].
The 2026 report documenting 2025’s record attacks and vulnerabilities was released today, June 20 [1, 2].