eCommerceNews India - Technology news for digital commerce decision-makers
India
Indian firms lag on software supply chain security
Malware DevOps Digital Transformation

Indian firms lag on software supply chain security

Mon, 25th May 2026 (Today)
Sofiah Nichole Salivio
SOFIAH NICHOLE SALIVIO News Editor

JFrog has published research highlighting major gaps in software supply chain security among Indian organisations. The study found that 65% lack malicious package detection.

It also found that 71% do not use container security, while many development and security teams are spending more time checking AI-generated code. Indian organisations are among the most active users of AI tools in software development, even as security controls lag behind.

Across the wider software landscape, malicious npm packages rose 451% year on year to more than 171,000 unique instances. npm also overtook Maven as the most-used enterprise ecosystem for the first time, amid supply chain attacks that included the self-replicating Shai-Hulud worm.

Those shifts matter in India because organisations appear to have weaker defensive coverage across several areas measured in the study. The findings point to exposure not only from open-source software packages, but also from AI models and developer tools that are becoming part of everyday engineering workflows.

AI workload

One of the clearest changes highlighted in the research is the effect of generative AI on engineering teams. According to the study, Indian DevSecOps teams now spend 51% of their time reviewing and hardening AI-generated code, reflecting a type of work that did not exist two years ago.

The figures suggest AI has shifted effort rather than reduced it. Instead of removing manual work, the tools are creating a new burden around validation, code review and security checks before software can be used in production.

Engineers also appear cautious about relying on machine-generated output. The study found that 53% of Indian engineers treat AI-generated code only as a starting point and review everything before use, while another 11% rewrite the suggested fix entirely from scratch.

Trust gap

That caution contrasts with how leaders assess governance and visibility. While 97% of organisations reported certified AI model governance, only 59% of IT leaders said they had full provenance visibility, and 48% still need a week or more to produce audit-ready proof.

The numbers suggest a gap between formal governance claims and the ability to document the origin and handling of software and AI assets quickly. In regulated sectors and large enterprises, that delay can create practical problems during internal reviews, procurement checks and incident response.

Another area of concern is unsanctioned use of AI tools inside developer environments. India leads the regions surveyed in automated shadow AI detection at 60%, but that still leaves 40% of organisations without an automated way to identify unauthorised AI tools.

Expanding surface

The research also points to a broader shift in the makeup of the software supply chain. According to JFrog, 58% of all new software packages in the last year came from Hugging Face, totalling 1.4 million new artefacts and making model registries the largest single input to the software supply chain.

That matters because software teams are no longer dealing only with libraries and containers from traditional open-source repositories. They are also pulling in AI models, datasets and related components that may not be vetted to the same standard, widening the number of possible entry points for attackers.

Sudhir Narla, General Manager for JFrog India and VP of Customer Success, commented on the findings: "AI is accelerating how software is built, but it is also expanding the potential attack surface and increasing vulnerabilities.

"We're seeing a shift from isolated vulnerabilities to systemic risk across the entire software supply chain. Indian organisations will need to move beyond traditional security approaches and rethink how they establish trust in increasingly AI powered, automated environments," he said.

JFrog's findings add to growing concern in the technology sector over software supply chain attacks, where malicious code, compromised maintainer accounts and tampered packages can spread through widely used development ecosystems. With Indian organisations adopting AI quickly while many still lack basic package and container protections, the report suggests pressure on security teams is likely to remain high.

One of the study's most striking findings is that 40% of Indian organisations still have no automated way to detect shadow AI tools operating inside their developer environments.

Image: Sudhir Narla, General Manager for JFrog India, and VP of Customer Success, JFrog
Related stories
JFrog unveils MCP registry to secure AI coding agents
Leading security in the AI era: Why CISOs must secure AI while using AI to secure the enterprise
JFrog names Genefa Murphy CMO to drive AI era growth
Google Cloud launches Gemini Enterprise Agent Platform
AppOmni adds Heisenberg mode after LiteLLM supply attack
Top stories
Oppo launches Find X9s & Ultra smartphones in India
Accelya wins IATA recognition across airline retailing
RedotPay adds USD account to multi-currency wallet
Lenskart launches Gemini AI smart glasses in India
Reolink marks 17 years with up to 54% off security gear