JFrog Report Reveals Surge in Software Supply Chain Attacks Amid AI Governance Gaps
Event summary
- JFrog's 2026 Software Supply Chain Security State of the Union report highlights a 451% year-over-year surge in malicious npm packages, with 177,000 new malicious packages detected.
- The report identifies AI agent skills and models as emerging attack surfaces, with 969 malicious AI agent skills and 495 malicious AI models detected on Hugging Face.
- Only 40% of organizations have adopted malicious package detection and only 28% have active secrets detection, which leaves the fastest-growing threats the least defended.
- 97% of organizations claim certified model governance, but 53% self-host models from sources with detected malicious payloads, and 18% have zero governance over IDEs or MCP servers.
The big picture
JFrog's report underscores the escalating risks in software supply chains as AI integration accelerates. The surge in malicious packages and the emergence of AI agent skills as attack surfaces highlight the need for comprehensive governance frameworks. As organizations struggle to keep pace with evolving threats, the report suggests that automated, platform-native solutions will be critical to securing the software supply chain in the AI era.
What we're watching
- Governance Dynamics: How the widening gap between perceived security and actual risk will impact enterprise AI adoption and regulatory scrutiny.
- Execution Risk: Whether organizations can effectively implement automated, platform-native governance to secure AI-powered development pipelines.
- Threat Evolution: The pace at which attackers will exploit new AI-driven development tools and autonomous agentic systems.