JFrog report flags AI-Era security gaps in Indian enterprises

A new global report by JFrog has revealed significant security and governance gaps in India’s software supply chain ecosystem, even as organisations rapidly expand AI-driven development and DevSecOps adoption.

The company’s 2026 Software Supply Chain Security State of the Union report indicates that Indian enterprises are among the world’s most active adopters of AI-enabled software engineering practices, but many lack foundational safeguards needed to secure increasingly automated development environments.

One of the report’s most critical findings is that 65% of Indian organisations lack malicious package detection capabilities, while 71% do not deploy container security tools, leaving enterprise software environments vulnerable to supply chain attacks targeting open-source ecosystems and AI-driven development pipelines.

The report comes amid a sharp increase in software supply chain attacks globally. According to the findings, malicious npm packages surged by 451% year-on-year, with over 171,000 malicious instances detected, highlighting the growing industrialisation of attacks targeting developer ecosystems and package repositories.

A major trend identified in the study is the operational impact of generative AI on software engineering. Indian DevSecOps teams now reportedly spend 51% of their time validating and securing AI-generated code, reflecting how AI has shifted the software lifecycle from code creation towards continuous verification and governance.

The report also reveals growing distrust among engineers towards AI-generated outputs. More than half of Indian developers surveyed said they treat AI-generated code only as a starting point and conduct full reviews before deployment, while some teams reportedly rewrite AI-generated fixes entirely due to security and reliability concerns.

Another key challenge highlighted is the emergence of AI governance blind spots. While many enterprises claim to have AI governance frameworks in place, the report found significant gaps in audit readiness and provenance visibility, suggesting that governance maturity often lags behind AI adoption.

The study also points to the rapid rise of model registries and AI artefacts as new software supply chain attack surfaces. Platforms such as Hugging Face have become major sources of software artefacts, with AI models increasingly integrated directly into enterprise applications. However, these models can potentially contain malicious payloads, creating a new category of software supply chain risk.

Additionally, the report highlights the persistence of Shadow AI environments, where unsanctioned AI tools are used within developer workflows without central oversight. Although India leads surveyed regions in automated Shadow AI detection, a significant portion of organisations still lack mechanisms to monitor or control unauthorised AI usage.

According to Sudhir Narla, enterprises are moving from isolated vulnerability management challenges towards broader systemic risks spanning AI models, open-source ecosystems, developer tooling, and automated software delivery pipelines.

Overall, the report underscores a broader transformation underway across enterprise software engineering, in which AI is dramatically accelerating development velocity while simultaneously creating a more complex and continuously expanding software supply chain attack surface that requires AI-native governance, real-time validation, and integrated DevSecOps security architectures.
