JFrog Ltd. the Liquid Software company and creators of the JFrog Software Supply Chain Platform, the system of record for trusted software artifacts, binaries, and AI assets, today released its 2026 Software Supply Chain Security State of the Union, a global study examining how organizations are building, securing, and managing software in an increasingly AI-driven economy. The findings reveal that Indian organisations are among the most AI-active in the world, but critical gaps in malicious package detection, container security, and secrets scanning leave them exposed as attackers weaponise AI models, compromise developer tooling through stolen maintainer credentials, and infiltrate open-source ecosystems at unprecedented scale.
Last year was the most dangerous on record for software developers globally, wherein malicious npm packages surged 451% year-over-year to more than 171,000 unique instances. npm overtook Maven as the most-used enterprise ecosystem for the first time, and a wave of npm supply chain attacks, including the self-replicating “Shai-Hulud” worm. For India, where defensive tooling lags significantly, that exposure is especially acute.
“AI is accelerating how software is built, but it is also expanding the potential attack surface and increasing vulnerabilities,” said Sudhir Narla, General Manager for JFrog India, and VP of Customer Success. “We’re seeing a shift from isolated vulnerabilities to systemic risk across the entire software supply chain. Indian organisations will need to move beyond traditional security approaches and rethink how they establish trust in increasingly AI powered, automated environments.”
Key Findings from the Report:
● India Has the World’s Largest Software Security Blind Spots: 65% of Indian organisations lack malicious package detection and 71% don’t use container security. With a 451% surge in malicious packages for npm – the largest enterprise ecosystem – this lack of adequate tooling puts India’s enterprise infrastructure at risk.
● DevSecOps Teams Are Drowning in AI Validation: Indian teams now spend 51% of their time reviewing and hardening AI-generated code, a responsibility that didn’t exist two years ago. AI hasn’t reduced work; it has shifted the burden from writing code to validating it, while security tooling lags.
● Engineers Don’t Trust the Code AI Writes: 53% of Indian engineers treat AI generated code only as a starting point, reviewing everything before use, while a further 11% rewrite the fix entirely from scratch. The skepticism on the ground stands in sharp contrast to leadership confidence.
● A Dangerous Confidence Gap Between Leadership and the Front Line: 97% of organisations claim certified AI model governance, yet 59% of IT leaders report full provenance visibility, but 48% still need a week or more to produce audit-ready proof.
● Shadow AI Remains Largely Unchecked: India leads surveyed regions on automated Shadow AI detection at 60%, but that still means 40% of Indian organisations have no automated way to catch unsanctioned AI tools operating inside their developer environments.
● The Attack Surface Has Fundamentally Changed: 58% of all new software packages in the last year came from Hugging Face, totaling 1.4 million new artifacts and making model registries the largest single input to the software supply chain. At the same time, these unvetted AI models can carry live payloads, increasing organizations’ risk of a live attack.
To explore the full findings of this year’s report and learn how your organization can close the AI governance gap, download the JFrog 2026 Software Supply Chain Security State of the Union. You can also check out our blog or register to join JFrog Security and developer experts for an upcoming webinar detailing the challenges, threats, and necessary actions for securing your software supply chain in the AI era.