2025: The Year AI Redefined Software Supply Chain Security, Ushering in Unprecedented Risks

Edi Susilo Dewantoro, May 22, 2026

The year 2025 marked a seismic shift in the digital landscape, not only by witnessing an unprecedented proliferation of code packages but by fundamentally redefining the very architecture of the software supply chain. This evolution, largely driven by the rapid integration of artificial intelligence, has inadvertently transformed the software supply chain into a high-value target for malicious actors. For Chief Information Security Officers (CISOs) and security professionals worldwide, this structural transformation presents a critical reckoning: the traditional security perimeter, once defined by self-written code and meticulously vetted open-source dependencies, has now expanded to encompass the vast and often ungoverned realm of AI models and agentic development tools themselves.

This alarming trend is underscored by the latest JFrog Software Supply Chain Security State of the Union 2026 report, a comprehensive 58-page analysis released this week. The report paints a stark picture of an expanding threat landscape, asserting that "AI is no longer an emerging consideration in the software supply chain. It is the supply chain." This declaration signifies a paradigm shift, moving AI from a potential future concern to the immediate present reality of software development security.

The data within the report confirms an immediate crisis, revealing that risk is rapidly escalating across dependencies, binaries, and newly introduced AI artifacts. Crucially, existing security controls are struggling to keep pace with this accelerated evolution. The report’s primary objective is to compel security decision-makers to transition from a reactive patching strategy to a more proactive, systemic approach to managing software risk.

The Upstream Shift: A New Frontier for Attackers

JFrog CISO Paul Davis elaborated on this critical development, stating, "The software attack surface has fundamentally shifted upstream; attackers are actively weaponizing IDE extensions, MCP servers, open-source binaries, and developer tools to launch instantaneous attacks on first-time usage, using the developer’s workstation." This upstream pivot means that vulnerabilities are no longer confined to the end product but can be injected at the earliest stages of development, directly impacting the tools developers rely on daily.

This fundamental shift has created a significant disconnect between the perceived security posture of organizations and the actual operational reality. Davis further explained, "This shift has created a fundamental disconnect between executive perception of how well they think they are protected and actual operational reality. And it’s not just traditional software development." The report highlights a concerning paradox: while 97% of organizations claim to have certified AI governance for the components used in building new AI-enabled solutions, nearly a fifth have no active enforcement over the intelligent tools operating within their developers’ workflows. "Governance that exists only on paper isn’t a security control – it’s a dangerous assumption," Davis warned, emphasizing the critical need for tangible implementation over mere policy.

Explosive Growth and Shifting Ecosystems

The sheer velocity of code ingestion in 2025 was a primary driver of this expanded risk. The report reveals that an astounding 11.7 million new packages flooded software supply chains, representing a staggering 67% increase from the previous year. This surge is not merely a quantitative one; it signifies a structural realignment of the entire software ecosystem.

Key shifts in package ecosystem popularity highlight this evolution. The JFrog report notes that npm officially overtook Apache Maven as the most-used package ecosystem by traffic, with 400,000 new packages compared to Maven’s 98,000. In parallel, PyPI surpassed YUM, a trend that JFrog interprets as an indicator of the industry’s pivot towards modern data science and machine learning, with AI/ML workload concerns increasingly displacing legacy infrastructure considerations.

This shift in package preference coincided with what the report terms "the most dangerous year on record for npm users." Malicious activity within the npm ecosystem surged by an astonishing 451%, demonstrating a clear new niche for malicious actors. Attackers orchestrated three major hijack campaigns, resulting in over 2 million compromised downloads and the distribution of 171,592 unique instances of malicious npm packages. This escalation underscores a critical vulnerability: the reliance on large, publicly accessible registries, particularly those powering front-end and dynamic workloads, presents a significant and actively exploited risk for software developers and organizations.

AI’s Nascent Governance: A Looming Long-Term Risk

A significant long-term risk identified by JFrog stems from the rapid AI adoption curve outstripping the development of adequate governance capabilities. As enterprises accelerate their integration of AI development tools, models, and protocols, the corresponding governance frameworks for these novel attack surfaces remain "nascent or aspirational."

The report’s data vividly illustrates this profound chasm. In 2025, 41% of enterprises were actively using AI and ML libraries, a notable increase from 34% in 2024. Furthermore, the average organization is now managing 47% more of these AI-related packages than the previous year, as teams transition from relying on single AI services to building solutions that leverage multiple services simultaneously.

This inherent risk is compounded by the alarming readiness of engineering teams to pull AI models directly from public sources. A concerning 53% of organizations admit to sourcing AI models straight from public registries. Separately, 53% of organizations self-host AI models, often drawing them from platforms like Hugging Face and similar registries. The dangers of such practices are starkly illustrated by the detection of 495 malicious AI models on these public registries. Yet, in a testament to the governance disconnect, a striking 97% of enterprises claim to have certified model governance in place, a figure that the report’s data on malicious models sharply contradicts.

Operational Burdens and the Need for Systemic Change

The growing operational burden of modern security practices further illuminates the challenges faced by organizations. Nearly half of enterprises (48%) reported requiring a week or more to generate audit-proof compliance documentation. This lack of agility in demonstrating compliance is symptomatic of legacy, siloed security practices that are ill-equipped to keep pace with the rapid tempo of AI-driven development.

The overarching message from the JFrog report is clear: the software attack surface has metastasized. Software manufacturers are currently contending with a perfect storm: an unprecedented volume of packages, a relentless onslaught of malicious dependencies, and an AI gold rush where speed has regrettably sidelined security governance. Moving forward, a data-justified shift is imperative, moving beyond simply managing Common Vulnerabilities and Exposures (CVE) noise to strategically controlling the entire software risk surface, especially as AI artifacts increasingly dominate the supply chain narrative.

Chronology of Transformation

While the report focuses on 2025 data, the trends it highlights have been developing over several years, culminating in the dramatic shifts observed.

  • Early 2020s: The increasing reliance on open-source software and package managers like npm, Maven, and PyPI becomes standard practice across the industry. Early concerns emerge regarding the security of these dependencies.
  • 2023-2024: The rapid rise of generative AI tools and models begins to influence development workflows. Organizations start experimenting with integrating AI into their software development lifecycle (SDLC). Initial reports and analyses begin to flag the potential security implications of AI models and agentic tools.
  • 2025 (The Pivot Year): The JFrog report’s data indicates this was the year of significant acceleration. The volume of new code packages explodes, and AI becomes deeply embedded in development practices. Malicious activity within key package ecosystems, particularly npm, sees unprecedented surges. The concept of the "AI-powered software supply chain" transitions from theoretical to operational reality.
  • 2026 (The Reckoning): The JFrog Software Supply Chain Security State of the Union 2026 report is released, analyzing the dramatic events and trends of 2025. It highlights the critical gap between perceived and actual security, the upstream shift of attack surfaces, and the nascent state of AI governance, serving as a call to action for the industry.

Supporting Data and Analysis

The JFrog report’s findings are based on a robust combination of data sources. JFrog’s platform provides insights across billions of software artifacts, serving as the system of record for thousands of global enterprises, including over 80% of the Fortune 100. This internal data is augmented by independent vulnerability research conducted by the JFrog Security Research team and commissioned third-party survey responses from 1,508 security, development, and operations professionals across eight countries.

The specific data points from the report offer a granular view of the crisis:

  • Package Proliferation: 11.7 million new packages in 2025, a 67% increase year-over-year.
  • Ecosystem Shifts: npm overtakes Maven in traffic; PyPI surpasses YUM, indicating a move towards AI/ML workloads.
  • npm Malicious Activity: A 451% increase in malicious activity on npm.
  • Attack Scale: Three major hijack campaigns leading to over 2 million compromised downloads and 171,592 unique malicious npm packages.
  • AI/ML Library Adoption: 41% of enterprises actively using AI/ML libraries (up from 34% in 2024).
  • AI Package Management: Average organization managing 47% more AI-related packages than the previous year.
  • Public AI Model Sourcing: 53% of organizations pull AI models directly from public registries.
  • Self-Hosted AI Models: 53% of organizations self-host AI models, often from platforms like Hugging Face.
  • Malicious AI Models Detected: 495 malicious models detected on public registries.
  • AI Governance Claims vs. Reality: 97% of enterprises claim certified model governance, sharply contradicted by data on malicious models.
  • Compliance Burden: 48% of enterprises require a week or more for audit-proof compliance generation.

Broader Impact and Future Implications

The implications of these findings extend far beyond individual organizations. The increasing sophistication and upstream nature of attacks pose a systemic risk to the global digital infrastructure. As AI becomes more deeply integrated into every facet of software development, the potential for widespread disruption and compromise escalates dramatically.

The report serves as a crucial wake-up call, emphasizing that the traditional security paradigms are no longer sufficient. Organizations must invest in comprehensive software supply chain security solutions that can provide end-to-end visibility and control over all software artifacts, including AI models and agentic tools. The future of software security lies in proactive threat intelligence, robust governance frameworks, and continuous monitoring across the entire development lifecycle, from initial code commit to deployment and runtime. Failure to adapt to this new reality will leave organizations increasingly vulnerable in an evolving threat landscape.
