According to www.dqindia.com, nearly two-thirds of Indian enterprises lack malicious package detection capabilities amid rapid AI adoption, exposing critical software supply chain security gaps.
Widening Security Tooling Deficit
The JFrog 2026 Software Supply Chain Security State of the Union report identifies India as exhibiting some of the most significant software supply chain blind spots among surveyed markets. Approximately 65% of Indian organisations cannot detect malicious packages, while 71% do not use container security tools. These deficiencies persist despite a global surge in threats: malicious npm packages increased by 451% during 2025, and npm, the world’s largest JavaScript package ecosystem, now serves as a primary vector for supply chain compromise. In parallel, more than 48,000 new Common Vulnerabilities and Exposures (CVEs) were disclosed globally in 2025, a 20% increase over 2024.
AI Shifts Effort from Coding to Validation
Contrary to productivity assumptions, AI is reshaping DevSecOps labour allocation rather than reducing it. Indian DevSecOps teams now spend 51% of their time reviewing, validating, and hardening AI-generated code. According to the report, 53% of Indian engineers treat AI-generated code merely as a starting point and review every line before use; another 11% rewrite AI-generated fixes entirely from scratch. This reflects a systemic shift: the security burden has moved from software creation to software verification, driven by concerns over AI-introduced vulnerabilities such as cross-site scripting, SQL injection, and missing authorisation controls.
The Illusion of AI Governance
The report documents a sharp divergence between perceived and actual governance maturity. While 97% of organisations report having certified AI model governance programmes, only 59% claim full provenance visibility across production environments. More critically, 48% still require a week or longer to produce audit-ready compliance evidence. In shadow AI management, India leads surveyed regions with 60% automated detection capability — yet 40% of organisations lack any automated mechanism to identify unsanctioned AI tools operating within developer environments.
Model Registries Redefine the Attack Surface
Hugging Face published approximately 1.4 million new AI artefacts in 2025 — accounting for 58% of all new software packages tracked in the study. As model registries become dominant sources of enterprise software components, threat actors have followed. Researchers identified 495 malicious AI models in public repositories containing active payloads capable of credential harvesting, command execution, and reverse-shell activity. They also discovered 969 malicious AI-agent skills designed to exploit developer environments and automation workflows.
Source: www.dqindia.com
Compiled from international media by the SCI.AI editorial team.










