
JFrog 2026 Software Supply Chain Security State of the Union: How AI Adoption Is Reshaping Enterprise Risk and Governance

The JFrog 2026 Software Supply Chain Security State of the Union exposes how explosive AI-driven growth is transforming the software supply chain. With record artifact volumes, surging malicious AI components, and lagging governance, the report highlights urgent Pre-Failure Signals for enterprises scaling generative AI and agentic systems.

Updated on May 28, 2026

The 2026 JFrog Software Supply Chain Security State of the Union delivers a sobering assessment of how artificial intelligence has fundamentally altered the software supply chain. What was once a relatively stable ecosystem of packages and dependencies has become a high-velocity environment dominated by AI-generated code, massive model repositories, and autonomous agent tools.

Data from the JFrog Platform shows 18.2 billion artifacts managed by year-end 2025 — a 136% increase from the prior year. Hugging Face alone published 1.4 million new models, positioning it as the second-largest source of new packages. npm overtook Maven as the dominant ecosystem by traffic, while PyPI passed YUM, reflecting the shift toward scripting languages favored by AI-assisted development and agentic workflows.

Risks have accelerated in parallel. Over 48,000 new CVEs were disclosed, malicious npm packages surged 451%, and researchers identified 495 malicious models on Hugging Face plus 969 malicious AI agent skills. Developer tooling has emerged as a major new attack surface, with AI coding extensions growing 262% year-over-year.

The report highlights a dangerous “illusion of mastery” — organizations report growing AI adoption and confidence in controls, yet governance practices for models, agents, prompts, and retrieval systems remain immature. This creates significant exposure as AI systems gain deeper access to codebases, credentials, and business processes.

Key Findings

  • The JFrog Platform reached 18.2 billion artifacts by the end of 2025, a staggering 136% increase from 2024. This explosive growth, largely fueled by AI-assisted development and agentic workflows, signals that the software supply chain is no longer growing linearly but multiplying rapidly, placing immense pressure on existing scanning, governance, and provenance systems that were not designed for this scale.

  • Hugging Face published 1.4 million new models in 2025, making it the second-largest source of new packages after Docker Hub. This positions AI models and datasets as a major new artifact class entering enterprise environments, introducing distinct challenges around provenance, licensing, integrity verification, and malicious payload risks that traditional package management tools were never built to handle.

  • npm overtook Maven as the most-used package ecosystem by traffic volume in 2025, while PyPI passed YUM. This marks a structural shift toward scripting languages favored by AI coding assistants and agentic development. Governance frameworks built around traditional Java-centric ecosystems are now misaligned with where the majority of new development activity is happening.

  • Malicious npm packages increased by 451%, reaching 171,592 unique instances, driven by major hijack campaigns. In parallel, researchers identified 495 malicious models on Hugging Face and 969 malicious AI agent skills in repositories like ClawHub and Skills.sh. These numbers demonstrate that attackers are aggressively targeting the new AI layers of the supply chain with sophisticated payloads.

  • Over 48,000 new CVEs were disclosed in 2025, a 20% increase from 2024. A significant portion of this surge is attributed to AI-generated code that frequently introduces classic vulnerabilities such as XSS (CWE-79) and SQL Injection (CWE-89), which saw dramatic increases and now dominate the vulnerability landscape.

  • Only 12% of analyzed CVEs were highly exploitable in real enterprise environments, while 66% had low applicability (0–20%). This highlights the growing challenge of alert fatigue, where security teams are overwhelmed by noise rather than focusing on genuinely reachable, high-impact risks.

  • 41% of organizations are actively using AI and ML libraries, up from 34% in 2024, with those using them averaging 9.3 libraries per organization. Multi-model and agentic architectures are becoming the norm, yet governance maturity for these components remains low, creating a dangerous gap between adoption speed and control.

  • Developer tooling has emerged as a critical new governance gap. AI coding agent extensions on OpenVSX grew 262% year-over-year, and 18% of organizations have no active governance policies for IDE extensions and MCP servers. This gives attackers potential direct access to codebases and credentials through compromised developer environments.

  • 59% of organizations claim full production provenance visibility, yet 48% still need a week or more to generate compliance audit proof. This persistent disconnect between reported visibility and actual operational accountability represents a serious weakness as regulators and boards demand demonstrable supply chain controls.

  • 23% of developers would treat an AI-suggested security fix as near-definitive with only a quick review. Combined with the median organization injecting more than one new package per day, this creates dangerous trust assumptions in AI-generated outputs that often bypass traditional secure coding and human review processes.

What the Report Covers

The JFrog 2026 Software Supply Chain Security State of the Union is a comprehensive, data-driven analysis spanning multiple dimensions of how AI is fundamentally reshaping software security and governance. It draws from billions of artifacts on the JFrog Platform, independent vulnerability research by the JFrog Security Research team, and survey responses from 1,508 professionals.

  1. The report begins with “What’s in Your Software Supply Chain?”, providing deep visibility into ecosystem shifts. It details the consolidation of programming languages (with organizations moving toward fewer but more concentrated stacks), explosive growth in new packages (11.7 million added in 2025), npm overtaking Maven by traffic, PyPI surpassing YUM, and the dramatic rise of Hugging Face as the second-largest package source with 1.4 million new models. It also examines popular libraries across Docker, Maven, PyPI, and npm, and the accelerating pace at which new packages are injected into organizations (median of 42 new packages per month).

  2. Next, “The Accelerating Risk in Your Software Supply Chain” quantifies the threat landscape. It covers the record 48,000+ new CVEs in 2025 (many linked to AI-generated code), a 451% surge in malicious npm packages, 495 malicious models on Hugging Face, 969 malicious AI agent skills, and the emergence of developer tooling as a major attack surface (56 malicious OpenVSX extensions). The report analyzes vulnerability types, exploitability rates, and high-profile CVE impacts, highlighting how volume-based triage is failing while classic web vulnerabilities like XSS and SQL Injection are surging.

  3. “How Organizations Apply Security Efforts Today” examines current practices and gaps. It evaluates sourcing restrictions, scanning effectiveness, visibility across pipelines, the new governance blind spot in developer tooling and MCP servers, and the real cost of these efforts. The section underscores the mismatch between threat growth and control coverage.

  4. The dedicated “The AI Model and Agent Factors” section is particularly relevant for governance teams. It explores how organizations consume AI/ML models, govern model artifacts, manage AI inputs/outputs, assess trust in AI-suggested security fixes, and detect shadow AI. It highlights the tension between rapid adoption and immature governance for agentic systems.

Overall, the report combines hard platform data, vulnerability research, and survey insights to move beyond surface-level statistics. It translates raw numbers into actionable priorities for risk prioritization, strategic investment, and board-level justification, with a consistent focus on the growing “illusion of mastery” in AI supply chain governance.

Our Take

AI Governance Take

The JFrog 2026 Software Supply Chain Security State of the Union delivers a clear warning: AI has moved from an experimental layer to a core structural force in the software supply chain, and governance is struggling to keep pace. With 18.2 billion artifacts, 1.4 million new Hugging Face models, npm overtaking Maven, and hundreds of malicious AI components identified, the report exposes a dangerous gap between the velocity of AI adoption and the maturity of controls surrounding it.

This creates multiple Pre-Failure Signals. Organizations are injecting dozens of new packages monthly while governance for models, agents, retrieval systems, and developer tooling remains immature. The “illusion of mastery” — high reported confidence paired with weak provenance, limited auditability, and inconsistent policy enforcement — is particularly concerning as agentic systems gain deeper access to codebases, credentials, and business processes.

The findings underscore that traditional supply chain security approaches are no longer sufficient. Enterprises need dedicated governance for AI-specific artifacts: versioned prompts, maintained retrieval pipelines, systematic evaluation frameworks, and clear ownership models for agentic components. Developer tooling and MCP servers must be brought under formal oversight rather than treated as shadow infrastructure.

For governance, security, and platform teams, this report should prompt immediate action. Organizations that treat prompt management, model governance, and agent oversight as core disciplines — with the same rigor applied to traditional code — will be far better positioned. Those that continue viewing AI components as “just another dependency” risk accumulating significant technical, security, and compliance debt.

The message is clear: AI is reshaping the supply chain. Governance programs must evolve at the same speed.
