JFrog Report Reveals Over 25,000 Exposed Secrets in Public Registries
JFrog Ltd. (Nasdaq: FROG), creators of the JFrog Software Supply Chain Platform, has released its Software Supply Chain State of the Union 2025 report, highlighting growing security threats, DevOps risks, and the urgency for AI-ready solutions.
CTO Yoav Landman commented: “Organizations are rapidly adopting public ML models, but over a third still manage model access manually—introducing risks. To stay secure and agile in the AI era, automation and governance are essential.”

Based on insights from 1,400 professionals across six countries, JFrog customer usage data, and proprietary research, the report underscores major challenges in today’s complex threat landscape.
Key Findings:
- “Quad-fecta” of Software Supply Chain Threats: CVEs, malicious packages, exposed secrets, and misconfigurations. JFrog identified 25,229 exposed secrets in public registries—a 64% year-over-year increase.
- AI/ML as a Growing Attack Surface: Over 1 million new ML models were added to Hugging Face in 2024, along with a 6.5x rise in malicious ones.
- Manual Governance Increasing Risk: 37% of companies still manually maintain their lists of approved ML models.
- Limited Security Scanning: Only 43% scan at both code and binary levels—down from 56% in 2023—leaving blind spots.
- CVEs Rising—and Often Mis-scored: 33,000+ new CVEs were disclosed in 2024 (27% increase), but only 12% of “critical” scores were truly justified, contributing to “vulnerability fatigue” among developers.
Shachar Menashe, VP of Security Research, warned: “Inflated CVE scores create unnecessary panic and disrupt workflows, leading to burnout and wasted effort.”
The report also flags issues like lack of code provenance, unsafe open-source downloads, and “security tool sprawl.”

For the full report and to register for the April 24 webinar, visit: https://jfrog.com/software-supply-chain-state-of-union/