

A report published by JFrog finds that cybercriminals are now increasingly targeting the artificial intelligence (AI) tools and platforms used by application development teams.
Based on an analysis of 18.2 billion artifacts managed via the JFrog Platform, security researchers discovered 969 AI agent skills carrying high-impact payloads, along with 495 malicious AI models on Hugging Face, the platform for hosting open source AI models, and 56 malicious extensions on the OpenVSX registry.
A separate global survey of 1,508 security and DevOps professionals conducted by JFrog finds that 41% of respondents work for organizations actively using AI libraries, with those organizations employing 9.3 AI libraries each on average. The same survey finds more organizations struggling to secure code generated by AI coding tools. Nearly half of respondents (45%) said reviewing and hardening AI-generated code is now a major time drain, and the same percentage review AI code manually. Just under a quarter (23%) said they treat AI suggestions for fixing code as near-definitive and apply minimal review, compared to 63% that treat AI suggestions as starting points requiring careful review.
In fact, the JFrog report notes that, although these vulnerability classes have been well known for decades, there has been a surge in discovery of CWE-79 (XSS), CWE-89 (SQL Injection) and CWE-74 (Injection) vulnerabilities since the dawn of AI coding.
Paul Davis, Field CISO for JFrog, said the report makes clear that the age of AI requires fundamental changes to existing DevSecOps workflows, which remain uneven at best. The survey, for example, finds that 59% of respondents try to enforce security at the developer workstation, 58% enforce it in the continuous integration/continuous delivery (CI/CD) pipeline, and 38% rely on platform-native security tools (the categories overlap, since the figures sum to well over 100%).
Regardless of approach, nearly half (48%) still rely on manual processes, and the same percentage (48%) need a week to produce proof of compliance.
Despite that dependency on manual processes, too many organizations are overconfident in their ability to secure DevOps workflows, noted Davis. Nearly all respondents (97%) claim their organization has certified model governance, yet more than half (53%) self-host models from sources where malicious payloads have been detected. Likewise, 18% have zero governance over their integrated development environments (IDEs) or Model Context Protocol (MCP) servers, compared to 57% that at least actively curate the MCP servers they allow.
Unfortunately, the pace of attacks on software supply chains in general continues to increase. The JFrog report notes, for example, a 451% year-over-year increase in malicious npm packages, with 177,000 new malicious packages detected across registries.
Those attacks will grow more frequent as adversaries use AI to discover and exploit vulnerabilities faster, noted Davis. Not all vulnerabilities are created equal, however: two-thirds (66%) of the Common Vulnerabilities and Exposures (CVEs) analyzed by JFrog researchers had minimal real-world applicability, and only 12% were highly exploitable. That gap is the case for prioritizing remediation by exploitability and reachability in the deployed code rather than by raw CVE count.
While there will undoubtedly be some major incidents in the coming year, most organizations will likely survive the onslaught, noted Davis.
The challenge, of course, is that the time, effort and cost of keeping those incidents to a minimum are now starting to rise.