JFrog — 2026 Supply Chain Report: npm Attacks Up 451%, 495 Malicious AI Models

AI relevance: JFrog's State of the Union report quantifies the AI attack surface within software supply chains — 495 malicious AI models were published to package registries, and AI-driven development is cited as a primary accelerator of the 451% surge in npm attacks.

  • Malicious activity on npm registries surged 451% year-over-year, driven by AI-assisted tooling that lowers the barrier for publishing compromised packages at scale.
  • 495 malicious AI models were identified across model registries and package indexes — poisoned weights, backdoored fine-tunes, and credential-harvesting inference wrappers.
  • The report's survey found that 97% of enterprises overestimate their AI governance coverage, believing they have protections in place for model provenance, dependency verification, and artifact signing when those controls are absent or incomplete.
  • AI-driven development accelerates supply chain threats by enabling attackers to rapidly produce convincing, functional packages that pass casual review and exploit developer trust in popular ecosystems.
  • Insecure AI tooling — including unverified model downloads, missing SBOMs for ML artifacts, and unauthenticated registry access — creates persistent entry points for compromise.

Why it matters

The npm surge and the 495 malicious AI models are not separate phenomena — they represent the same attack pattern applied to two growing ecosystems. AI agents that automatically install skills, plugins, and models from public registries inherit these supply chain risks without human review. The 97% governance overconfidence figure suggests most organizations are unaware of the gap.

What to do

  • Enforce registry allowlists and require artifact signing for any AI model or package consumed by automated agent workflows.
  • Integrate model provenance verification into CI/CD — check publisher identity, download origin, and hash integrity before deployment.
  • Treat AI governance self-assessments with skepticism; audit actual controls against claimed policies.
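The provenance gate from the second bullet, written out as an added example (not JFrog's code and not from the report): a small Python pre-deployment check that refuses an artifact unless its download origin, publisher and SHA-256 all match a committed policy. The registry hosts, publisher name, artifact names and model bytes are constructed placeholders.

```python
import hashlib
from urllib.parse import urlparse

# Constructed fixture: the model bytes as they were when a reviewer approved them.
# In a real pipeline the pin is read from a committed lockfile, not computed here.
APPROVED_MODEL = b"approved model weights v1.2 (constructed sample)"

# Constructed policy: hypothetical registry hosts, publisher and pinned digests.
POLICY = {
    "allowed_hosts": {"registry.example-models.test", "registry.npmjs.org"},
    "allowed_publishers": {"trusted-org"},
    "pinned_sha256": {"sentiment-model@1.2": hashlib.sha256(APPROVED_MODEL).hexdigest()},
}

def verify_artifact(name, source_url, publisher, content, policy=POLICY):
    """Run the three provenance checks on one artifact; return a list of failures.
    All checks run so the CI log names every violated control, not only the first."""
    failures = []
    url = urlparse(source_url)
    # Download origin: scheme and host must match the registry allowlist.
    if url.scheme != "https" or url.hostname not in policy["allowed_hosts"]:
        failures.append(f"{name}: origin {source_url} is not an allowlisted registry")
    # Publisher identity: only allowlisted publishers may supply artifacts.
    if publisher not in policy["allowed_publishers"]:
        failures.append(f"{name}: publisher '{publisher}' is not allowlisted")
    # Hash integrity: downloaded bytes must match the pinned digest; unpinned is refused.
    pinned = policy["pinned_sha256"].get(name)
    actual = hashlib.sha256(content).hexdigest()
    if pinned is None:
        failures.append(f"{name}: no pinned sha256 in policy")
    elif actual != pinned:
        failures.append(f"{name}: sha256 {actual[:12]}... does not match pin {pinned[:12]}...")
    return failures

def gate(manifest, policy=POLICY):
    """Check every entry of a resolved manifest; a CI job fails the build if non-empty."""
    return [f for e in manifest
            for f in verify_artifact(e["name"], e["url"], e["publisher"], e["content"], policy)]

if __name__ == "__main__":
    # Constructed manifest: approved artifact, tampered copy from a look-alike host, unpinned package.
    manifest = [
        {"name": "sentiment-model@1.2", "publisher": "trusted-org", "content": APPROVED_MODEL,
         "url": "https://registry.example-models.test/trusted-org/sentiment-model"},
        {"name": "sentiment-model@1.2", "publisher": "trusted-org", "content": APPROVED_MODEL + b"#",
         "url": "https://registry-example-models.test/trusted-org/sentiment-model"},
        {"name": "left-pad-ai@9.9.9", "publisher": "unknown-user", "content": b"module.exports={}",
         "url": "https://registry.npmjs.org/left-pad-ai"},
    ]
    print("\n".join(gate(manifest)) or "all artifacts verified")
```

In a production gate the publisher field would come from a verified signature on the artifact rather than from registry metadata, and the pins from a lockfile reviewed alongside the agent's configuration.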

Sources