JFrog, a software supply chain company, has released a new report highlighting the alarming rise in security threats due to the expansion of artificial intelligence technology within the software supply chain. The report, released at the KubeCon + CloudNativeCon Europe conferences, underscores several emerging software security threats, evolving DevOps risks, best practices, and increasingly serious security concerns in the AI-driven era. The report indicates a “quad-fecta” of security vulnerabilities threatening the integrity and safety of the software supply chain: Common Vulnerabilities and Exposures (CVEs), malicious packages, secrets’ exposures, and misconfigurations or other human errors.
The JFrog Security Research Team detected 25,229 exposed secrets or tokens in public registries, up 64% year over year, with 27% still active. The report also highlights the proliferation and associated risks of AI and machine learning (ML) models. In 2024, over 1 million new models and datasets were added to Hugging Face, the largest repository of public machine learning models, alongside a 6.5 times increase in malicious models.
Although organizations increasingly create certified lists of approved models, 37% still rely on manual efforts to curate these lists, raising concerns about the accuracy and consistency of model security. Binary scanning, the process of analyzing compiled software for vulnerabilities and malicious code, is lacking.
Rising AI-driven security vulnerabilities
Only 43% of IT professionals reported that their organizations apply security scans at both the code and binary levels, a decline from 56% in 2023. This suggests that the fundamental security practice of binary scanning may be overlooked or intentionally neglected despite growing threats. Open-source security issues persist, with over 70% of developers continuing to download packages directly from public registries—a risky practice that can expose entire organizations through a single compromised machine.
This is compounded by a rise in critical software vulnerabilities, with over 33,000 new CVEs disclosed in 2024, up 27% year-over-year. The report also raises concerns over CVE scoring accuracy, noting that only 12% of CVEs rated as “critical” were actually exploitable. Multiple security tools may contribute to increased complexity and risk, with about 73% of professionals reporting the use of seven or more security tools.
This suggests that a more streamlined and focused approach might offer better protection. The full report sheds light on the urgent need for organizations to reevaluate and strengthen their software supply chain security practices in the face of rising AI-related threats. As Yoav Landman, CTO and Co-Founder of JFrog, stated, “For organizations to thrive in today’s AI era, they should automate their toolchains and governance processes with AI-ready solutions, ensuring they remain both secure and agile while maximizing their innovative potential.”
Johannah Lopez is a versatile professional who seamlessly navigates two worlds. By day, she excels as a SaaS freelance writer, crafting informative and persuasive content for tech companies. By night, she showcases her vibrant personality and customer service skills as a part-time bartender. Johannah's ability to blend her writing expertise with her social finesse makes her a well-rounded and engaging storyteller in any setting.