New JFrog Report Warns: AI Governance Fails as Software Supply Chain Attacks Hit Record Highs

2026-05-21 04:05 Last Updated At:04:11

SUNNYVALE, Calif.--(BUSINESS WIRE)--May 20, 2026--

JFrog Ltd. (Nasdaq: FROG), the Liquid Software company and creators of the JFrog Software Supply Chain Platform, the system of record for trusted software artifacts, binaries, and AI assets, today announced the findings of its 2026 Software Supply Chain Security State of the Union report. This year’s report reveals an unprecedented acceleration in enterprise software risk as threat actors expand strikes beyond traditional package registries into AI model registries and developer tooling, creating a blind spot in current software governance frameworks.

This press release features multimedia. View the full release here: https://www.businesswire.com/news/home/20260520126325/en/

"Every enterprise is adding AI to their software supply chain, which is increasing the attack surface for bad actors. Our report shows attackers are no longer just breaching traditional defenses – they are actively weaponizing the trusted models, registries, and agentic tools driving today's AI-powered development. The era of 'scan and hope' is over,” said Shlomi Ben Haim, CEO & Co-Founder, JFrog. “Organizations need a single source of truth that governs every binary, every model, and every AI agent skill from the moment it enters the pipeline to the moment it is deployed in production. This is what JFrog was built to deliver.”

As AI moves from experimentation to a structural force reshaping the software supply chain, organizations are seeing a widening gap between reported security confidence and the risks accumulating in their infrastructure. Drawing on data from 18.2 billion artifacts managed across the JFrog Platform (up 136% year‑over‑year), original vulnerability research by the JFrog Security Research team, and a global survey of 1,508 security and DevOps professionals, this report exposes what it calls the “illusion of mastery”, i.e. the growing disparity between perceived security and the reality of mounting supply chain risk.

Key Findings Include:

“The industry is operating with a false sense of security. Vulnerabilities are growing in number, but the real threat lies in threat actors hijacking our CI/CD pipelines and developer tools before code even exists,” said Shachar Menashe, VP of JFrog Security Research. “Moving to automated, platform-native governance is no longer optional – it is the only way to secure the intelligent systems creating, approving, and distributing today’s software.”

“AI has not only changed how software is written; it has also increased the speed and scale at which zero-day vulnerabilities are exploited, and malicious software supply chain attacks are developed and distributed,” said Yoav Landman, CTO and Co-Founder of JFrog. “To stay ahead, organizations need automated governance that curates every software asset entering the organization, whether introduced by agents or developers, and continuously monitors every release that contains those assets. The race is no longer about who discovers a zero-day first, because that information is advertised within minutes. It is about who can fortify their software supply chain at scale to keep their organization secure.”

To explore the full findings of this year’s report and learn how your organization can close the AI governance gap, download the JFrog 2026 Software Supply Chain Security State of the Union. You can also check out our blog or register to join JFrog Security and developer experts for an upcoming webinar – “The Illusion of Mastery: Bridging the AI Governance Gap in 2026” – detailing the challenges, threats, and necessary actions for securing your software supply chain in the AI era.

Like this Story? Share this on X (a.k.a. Twitter): Malicious #npm packages surged 451%; AI agent skills are now an attack surface; and 97% of orgs claim AI governance while 53% still pull models from public registries where malicious payloads have been found. The AI governance gap is real. Read the @JFrog 2026 Software Supply Chain Security report: https://bit.ly/3PRNzJB.
#DevSecOps #SoftwareSupplyChain #Cybersecurity #AI #governance #DevGovOps

About JFrog

JFrog Ltd. (Nasdaq: FROG), the creators of the unified DevOps, DevSecOps, DevGovOps, and MLOps platform, is on a mission to create a world of trusted software delivery without friction from development to production. Driven by a “Liquid Software” vision, the JFrog Platform is a software supply chain system of record that is designed to power organizations as they build, manage, govern, and distribute secure software with speed and scale. Holistic security features help identify, protect, and remediate against threats and vulnerabilities. The universal, hybrid, multi-cloud JFrog Platform is available as both SaaS services across major cloud service providers and self-hosted. Millions of users and approximately 6,600 organizations worldwide, including a majority of the Fortune 100, depend on JFrog solutions to securely embrace digital transformation in the AI era. Learn more at https://jfrog.com or follow us on X @JFrog.

 

The AI governance gap is real - and it's coming at a high cost to enterprise organizations. The JFrog 2026 Software Supply Chain Security report shows a 451% surge in malicious npm packages; AI agent skills are a new attack surface; and 97% of orgs claim AI governance while 53% still pull models from public registries where malicious payloads have been found. Read the report to learn how to move from reactive patching to a governance-first framework that actually keeps pace with AI speed.

BUNIA, Congo (AP) — Anxious healthcare workers in eastern Congo said Wednesday they are underprotected and undertrained in a rapidly spreading Ebola outbreak of a rare type of the virus in one of the world’s most remote and vulnerable places.

The region has long been threatened by armed groups that control a major city where Ebola cases have now been confirmed, complicating health workers’ catch-up efforts to trace the outbreak.

The World Health Organization, which noted a low risk globally, has said “patient zero” has not been found.

“It’s truly sad and painful because we’ve already been through a security crisis, and now Ebola is here too,” said Justin Ndasi, a resident of Bunia, where the first known death was announced last week after what experts say was a worrying delay in detecting the virus.

Tons of health supplies have been airlifted to Bunia but residents said masks are harder to find and some disinfectants that previously sold for 2,500 Congolese francs (about $1) now cost four times more.

At a treatment center in Rwampara, healthcare workers in protective gear silently handled the bodies of suspected Ebola victims. Families, which traditionally wash deceased loved ones, cried and watched helplessly as workers disinfected them and placed them into coffins for secure burial sites.

The disease struck suddenly, they said, describing a rapid deterioration after symptoms were mistaken for illnesses such as malaria.

“He told me his heart was hurting,” said Botwine Swanze, who lost her son. “Then he started crying because of the pain. ... Then he started bleeding and vomiting a lot.”

The Ebola virus is highly contagious and spreads in the human population through contact with bodily fluids such as vomit, blood or semen. Symptoms include fever, vomiting, diarrhea, muscle pain and at times internal and external bleeding.

WHO has declared the outbreak a public health emergency of international concern, worried over its “scale and speed." The WHO chief in Congo says it could last at least two months.

The rare type of Ebola, known as the Bundibugyo virus, spread undetected for weeks following the first known death while authorities tested for another, more common Ebola virus and came up negative.

Investigations continued into where and when the outbreak started, but “given the scale, we are thinking that it has started probably a couple of months ago," said Anaïs Legand, with WHO's emergencies program.

So far, 51 cases have been confirmed in Congo’s northern provinces of Ituri and North Kivu, and two cases in Uganda, WHO Director-General Tedros Adhanom Ghebreyesus said Wednesday. There are 139 suspected deaths and almost 600 suspected cases.

But "the scale of the epidemic is much larger,” he said.

The London-based MRC Centre for Global Infectious Disease Analysis estimated that cases have been substantially undercounted and that the actual number could already exceed 1,000. “The true magnitude remains uncertain,” it said.

This is Congo’s 17th Ebola outbreak, and the WHO has said the country's health ministry has experienced staff and capacity to respond. Most outbreaks, however, were of the more common Ebola type.

Dr. Vasee Moorthy, a special adviser at WHO, said a vaccine to address Bundibugyo would not be available for at least six to nine months.

Eastern Congo already faced “immense pressure from conflict, displacement and a collapsing health system,” said Dr. Lievin Bangali, senior health coordinator for the International Rescue Committee in Congo, adding that years of underfunding have weakened the response.

The outbreak highlights the effects of the Trump administration’s deep cuts in foreign aid. U.S. Secretary of State Marco Rubio has said the administration set a priority on funding 50 emergency clinics in affected areas. The U.S. pledged to contribute $23 million.

In Bunia, schools and churches remain open while some residents wear masks. Elsewhere in Ituri province, suspected Ebola patients share a ward with others injured or ill at Bambu General Hospital.

A Doctors Without Borders team identified suspected cases over the weekend at Bunia's Salama hospital but found no available isolation ward in the area, said Trish Newport, an emergency program manager.

“Every health facility they called said, ‘We’re full of suspect cases. We don’t have any space.’ This gives you a vision of how crazy it is right now," she said on social media.

In Mongbwalu, where the body of the first known death was taken, the nearby border with Uganda remains open and gold mining continues, said Chérubin Kuku Ndilawa, a civil society leader.

“There’s no panic. People continue with their normal lives, but they’re also starting to spread the word,” said Ndilawa, and noted a lack of public handwashing stations.

There were around 30 Ebola patients at Mongbwalu General Hospital, where a student from the local medical technology institute died on Wednesday, Dr. Didier Pay said.

“The patients are scattered here and there,” said Dr. Richard Lokudu, the hospital’s medical director. “We hope for the proper triage and isolation facilities to be installed today, and if that doesn’t happen, we will be completely overwhelmed.”

They are understaffed and not trained to handle suspected cases, Lokudu said, and added that if confirmed cases surge, “we have no protection.”

In the Ebola-affected city of Goma, where Rwanda-backed M23 rebels are in control, the “situation is complicated,” said Dr. Anne Ancia, WHO's representative in Congo.

A U.S. national who tested positive in Congo arrived in Berlin on Wednesday and was in a special isolation ward where a “comprehensive examination” was underway, German Health Ministry spokesperson Martin Elsässer said.

Elsässer declined to comment on the condition of the patient, who has not been identified by German or U.S. authorities. The ministry later said, without elaborating, that it would take in the patient's wife and three children at the request of U.S. authorities.

A top health official in the Czech Republic said they are receiving an American doctor who was treating Ebola patients in Uganda and who is without symptoms. It was not clear whether any were infected.

Dr. Satish Pillai, incident manager for Centers for Disease Control and Prevention’s Ebola response, told reporters Wednesday that the Americans were being transported in coordination with the U.S. State Department and other agencies. One patient, who is in stable condition, is now being treated in Germany, Pillai said.

Asked whether the White House played a role in the decision to move the Americans to Europe, Pillai said the decision was based on conditions on the ground and the need to mobilize rapidly.

Associated Press writers Jamey Keaten in Geneva; Jean Yves Kamale in Kinshasa, Congo; Wilson McMakin in Dakar, Senegal; Devi Shastri in Milwaukee, WI; Karel Janicek in Prague and Geir Moulson in Berlin contributed to this report.

For more on Africa and development: https://apnews.com/hub/africa-pulse

The Associated Press receives financial support for global health and development coverage in Africa from the Gates Foundation. The AP is solely responsible for all content. Find AP’s standards for working with philanthropies, a list of supporters and funded coverage areas at AP.org.

Family members of people who died of Ebola stand next to coffins at a health center in Rwampara, Congo, Wednesday, May 20, 2026. (AP Photo/Moses Sawasawa)

Red Cross workers carry the body of a person who died of Ebola into a coffin at a health center in Rwampara, Congo, Wednesday, May 20, 2026. (AP Photo/Moses Sawasawa)

Relatives look on as people who died of Ebola are taken from a health center in Rwampara, Congo, Wednesday, May 20, 2026. (AP Photo/Moses Sawasawa)

A woman cries as Red Cross workers carry the coffin of a person who died of Ebola from a health center in Rwampara, Congo, Wednesday, May 20, 2026. (AP Photo/Moses Sawasawa)

World Health Organization (WHO) emergency supplies headed for Congo to combat the Ebola outbreak in Ituri province, seen at Jomo Kenyatta International Airport in Nairobi, Kenya, Wednesday, May 20, 2026. (AP Photo/Andrew Kasuku)

A health worker uses a thermometer to screen a man by the roadside in Bunia, Congo, Tuesday, May 19, 2026. (AP Photo/Moses Sawasawa)

World Health Organization Director-General Tedros Adhanom Ghebreyesus speaks to the media following an emergency committee during a press conference at its headquarters in Geneva, Switzerland, Wednesday, May 20, 2026. (Salvatore Di Nolfi/Keystone via AP)

Aid workers set up an Ebola treatment center in Rwampara, Congo, Tuesday, May 19, 2026. (AP Photo/Dirole Lotsima Dieudonne) Corrects from Bunia to Rwampara

A man sprays a tent at an Ebola treatment center in Bunia, Congo, Tuesday, May 19, 2026. (AP Photo/Dirole Lotsima Dieudonne)

People offload a shipment of more than 15 tons of supplies donated by UNICEF as part of the response to the Ebola virus outbreak at Bunia National Airport in Bunia, Congo, Tuesday, May 19, 2026. (AP Photo/Moses Sawasawa)
