JFrog report finds AI growth driving new software supply chain threats




A new report out today from software supply chain company JFrog Ltd. warns that the expansion of artificial intelligence technology across the software supply chain has produced an alarming rise in security threats.

The finding comes from JFrog's 2025 Software Supply Chain State of the Union, released to coincide with the KubeCon + CloudNativeCon Europe conference. The report covers emerging software security threats, evolving DevOps risks, best practices and increasingly serious security concerns in the AI era.

Among the key findings, the report describes a "quad-fecta" of security vulnerabilities threatening the software supply chain. The top factors affecting its integrity and safety are Common Vulnerabilities and Exposures (CVEs), malicious packages, exposed secrets, and misconfigurations and other human errors.

As one example, the JFrog Security Research Team detected 25,229 exposed secrets or tokens in public registries, up 64% year-over-year, of which 27% were still active. The increasingly sophisticated and intertwined fabric of software security threats makes it difficult for organizations to maintain consistent software supply chain security.
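The kind of scan behind that finding is straightforward to reproduce on a small scale. The following is an added example, not JFrog's tooling or anything from the report: it walks the files of an unpacked package looking for two well-known token formats (AWS access key IDs starting with `AKIA`, classic GitHub personal access tokens starting with `ghp_`; both formats are assumptions here) and, for credential-looking assignments in unknown formats, uses a Shannon entropy cut-off (3.5 bits per character, also an assumed value) to separate random-looking values from placeholders. The sample package contents are constructed; the AWS key ID is the placeholder value AWS uses in its own documentation, and the other values are made up.

```python
"""Minimal secrets scanner for the files inside a package distribution.

Added example; not JFrog's scanner. Token formats and the entropy
threshold are assumptions chosen for illustration.
"""
import math
import re
from collections import Counter
from dataclasses import dataclass

# Well-known public token prefixes (assumed for this example): AWS access
# key IDs start with "AKIA", classic GitHub personal access tokens with "ghp_".
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}

# Generic "name = value" assignment whose name suggests a credential and
# whose value is at least 16 token-like characters.
ASSIGNMENT = re.compile(
    r"""(?i)\b(api[_-]?key|secret|token|password)\b\s*[:=]\s*['"]?([A-Za-z0-9_\-/+=]{16,})"""
)

ENTROPY_THRESHOLD = 3.5  # bits per character; assumed cut-off for "looks random"


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str
    value: str


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character, estimated from the character frequencies of s."""
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def scan_text(path: str, text: str) -> list[Finding]:
    """Return every credential-looking value in text, with its 1-based line number."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        # Exact formats first: these are reported regardless of entropy.
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append(Finding(path, lineno, kind, m.group(0)))
        # Then unknown formats: only report values that look random, so that
        # placeholders such as "changeme_changeme" are not flagged.
        for m in ASSIGNMENT.finditer(line):
            value = m.group(2)
            if any(p.search(value) for p in PATTERNS.values()):
                continue  # already reported by an exact pattern above
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append(Finding(path, lineno, "high_entropy_assignment", value))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> file contents, e.g. the members of an unpacked package."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def redact(value: str) -> str:
    """Keep enough of a secret to identify it in a report without republishing it."""
    return value[:4] + "..." + value[-2:]


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per kind, the shape a registry-wide report would aggregate."""
    return dict(Counter(f.kind for f in findings))


# Constructed sample package contents (not real credentials). The AWS key ID is
# the placeholder value used in AWS documentation; the others are made up.
SAMPLE_FILES = {
    "pkg/.env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\nAWS_REGION=us-east-1\n",
    "pkg/setup.py": 'token = "ghp_0123456789abcdefghijABCDEFGHIJ012345"\n',
    "pkg/config.yaml": 'api_key: "f3a9c1d2e5b84706a1c9d0e2f4b6a8c3"\npassword: "changeme_changeme"\n',
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line} {f.kind} {redact(f.value)}")
```

Run against the sample, the scanner reports the AWS key ID, the GitHub token and the hex `api_key`, and skips the low-entropy `password` placeholder. Whether a reported token is still active (the 27% figure above) is a separate step that requires calling the issuing provider, which this example deliberately does not do.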

The proliferation of AI and machine learning models, and attacks on them, were found to be growing. In 2024, more than 1 million new models and datasets were added to Hugging Face, the largest repository of public machine learning models, accompanied by a 6.5x increase in malicious models.

Although publicly uploaded fashions are more and more presenting dangers, organizations manually governing machine studying fashions had been additionally discovered to be rising dangers. Some 94% of organizations create licensed lists of permitted fashions to manipulate how builders use machine studying artifacts, however 37% of firms nonetheless depend on handbook efforts to curate and preserve that record, creating trepidation across the accuracy and consistency of mannequin safety.

Binary scanning, the analysis of compiled software, or binaries, for security vulnerabilities and malicious code that may not be detectable in the source code, was found to be lacking. Only 43% of information technology professionals said their organization applies security scans at both the code and binary levels, leaving many organizations vulnerable to threats that can only be detected at the binary level. That is down from 56% in 2023, indicating that despite rising risks, security fundamentals such as binary scanning are either being overlooked or intentionally not applied.

Other findings in the report included persistent problems with open-source security. More than 70% of developers continue to download packages directly from public registries, a risky practice that can expose an entire organization through a single compromised machine. In addition, critical software vulnerabilities are on the rise, with more than 33,000 new CVEs disclosed in 2024, up 27% year-over-year.

The report also raises concerns over CVE mis-scoring, finding that only 12% of CVEs rated "critical" were actually exploitable, which casts doubt on current scoring methods. Finally, the growing use of multiple security tools, with 73% of professionals reporting seven or more, may be adding complexity and risk, suggesting that a streamlined, more focused approach could offer better protection.

Image: SiliconANGLE/Reve
