Software Supply Chain attacks are a daily occurrence, and AI is shrinking the gap between attackers and your organization. The ‘Mythos’ leak, alongside recent npm and PyPI mega-attacks, makes one thing clear: now is one of the most exciting times to be in tech - but it’s also a time when we have to really think about how governance, compliance, and enforcement can make AI trustworthy.

JFrog is a leading provider of DevOps and software distribution solutions, offering tools for artifact management, continuous integration, and binary repositories. Developers can learn about software delivery pipelines, artifact management best practices, and CI/CD automation to accelerate their software delivery process and ensure reliable and secure software releases using JFrog's platform.

JFrog

Two major software supply chain attacks hit LiteLLM (PyPI) and Axios (npm) within a week of each other, collectively affecting hundreds of millions of weekly downloads. The attacks exploited CI pipeline credentials and compromised maintainer accounts with sophisticated, pre-staged backdoors. Meanwhile, the median time from vulnerability disclosure to active exploitation has collapsed to near-zero, with ~70% of flaws weaponized before public disclosure. A leaked Anthropic internal document reveals a forthcoming model called 'Claude Mythos' with advanced cybersecurity capabilities, raising concerns about adversarial symmetry: the same AI that helps defenders find vulnerabilities can be used by attackers. JFrog argues that policy enforcement at the point of ingestion — governing packages, dependencies, agent skills, and MCP servers before they enter the pipeline — is the durable answer to this accelerating threat landscape.

AI Models Won’t Pick Sides in the Security War. Governance and Policy Will.