• JFrog’s 2026 Software Supply Chain Security State of the Union report flagged a sharp rise in software supply chain risk as attackers expand from package registries into AI model registries, developer tools, and AI agent workflows.
• Malicious npm packages rose 451% year over year, with 177,000 new malicious packages detected across registries.
• JFrog tracked 969 malicious AI agent skills, alongside 495 malicious AI models on Hugging Face, in a shift toward compromising autonomous tools used to write and deploy software.
• The report counted more than 48,000 new CVEs disclosed in 2025, up 20%, while its analysis found 66% of CVEs reviewed had limited real-world applicability, raising the premium on context-based prioritization.
• A governance gap persisted despite broad claimed adoption: 97% of organizations reported certified model governance, while 53% still self-hosted models from public sources where malicious payloads have been found.

Disclaimer: This news brief was created by Public Technologies (PUBT) using generative artificial intelligence. While PUBT strives to provide accurate and timely information, this AI-generated content is for informational purposes only and should not be interpreted as financial, investment, or legal advice. JFrog Ltd. published the original content used to generate this news brief via Business Wire (Ref. ID: 202605201605BIZWIRE_USPR_____20260520_BW126325) on May 20, 2026, and is solely responsible for the information contained therein.