
Cybercriminals increasingly target the AI tools and platforms used by application development teams. Analysis of 18.2 billion artifacts found 969 AI agent skills with high-impact payloads and 495 malicious AI models on the Hugging Face platform. The OpenVSX registry contained 56 malicious extensions. Forty-one percent of respondents work for organizations actively using AI libraries, averaging 9.3 libraries per organization. A separate survey of 1,508 security and DevOps professionals found that 45% consider reviewing and hardening AI-generated code a major time drain, and 45% review AI code manually. Only 23% treat AI fixes as near-definitive, while 63% treat AI suggestions as starting points requiring careful review. Discovery of long-known vulnerability classes such as CWE-79, CWE-89, and CWE-74 has surged since the rise of AI coding. Fundamental changes to DevSecOps workflows are needed: security enforcement at the developer workstation and at the CI/CD level is reported by 59% and 58% of respondents respectively.
"Based on an analysis of 18.2 billion artifacts managed via the JFrog Platform, security researchers discovered 969 AI agent skills carrying high-impact payloads in addition to 495 malicious AI models on the Hugging Face platform for hosting open source AI models. Additionally, 56 malicious extensions were also discovered on the OpenVSX registry."
"Nearly half of respondents (45%) said reviewing and hardening AI-generated code is now a major time drain, with an equal percentage of respondents reviewing AI code manually. Conversely, just under a quarter (23%) said they treat AI suggestions for fixing code as near-definitive with minimal review, compared to 63% that understand AI suggestions as starting points requiring careful review."
"In fact, the JFrog report notes that despite vulnerabilities that have been well known for decades, there has been a surge in discovery of CWE-79 (XSS), CWE-89 (SQL Injection), and CWE-74 (Injection) vulnerabilities since the dawn of AI coding."
"The survey, for example, finds that 59% of respondents are trying to enforce security at the developer workstation level, while 58% enforce security at the continuous integration/continuous delivery (CI/CD) level. Another 38% are relying on platform-native security tools."
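The quotes above name CWE-89 (SQL injection) among the classes surging in AI-generated code and describe enforcement at the developer workstation and in CI/CD. The following is an added example, not code from the JFrog report or the DevOps.com article: a small AST-based gate, of the kind a pre-commit hook or CI step could run, that flags Python `execute()` calls whose query text is assembled at run time (concatenation, `%`, `.format()`, f-strings), and a check that the parameterized form ignores a hostile input. The code snippets it scans and the `users` table are constructed for the example; the function names are hypothetical.

```python
"""Flag dynamically built SQL in Python source and show the parameterized form.

Added example for this page; the scanned snippets and sample rows are constructed.
"""
import ast
import sqlite3

# Constructed sample: the concatenation pattern that slips through when
# AI-generated code is accepted with minimal review (CWE-89).
VULNERABLE_SNIPPET = '''
def find_user(conn, username):
    cur = conn.cursor()
    cur.execute("SELECT id FROM users WHERE name = '" + username + "'")
    return cur.fetchall()
'''

# Constructed sample: the hardened form, query text constant, value bound.
HARDENED_SNIPPET = '''
def find_user(conn, username):
    cur = conn.cursor()
    cur.execute("SELECT id FROM users WHERE name = ?", (username,))
    return cur.fetchall()
'''

# Constructed sample: other ways the same defect is commonly spelled.
VARIANT_SNIPPET = '''
cur.execute(f"SELECT id FROM users WHERE name = '{username}'")
cur.execute("DELETE FROM users WHERE id = {}".format(user_id))
cur.execute("UPDATE users SET name = '%s'" % name)
'''

SQL_KEYWORDS = ("select ", "insert ", "update ", "delete ")


def _is_sql_literal(node):
    """True for a string constant that opens with a SQL statement keyword."""
    return (isinstance(node, ast.Constant) and isinstance(node.value, str)
            and node.value.lstrip().lower().startswith(SQL_KEYWORDS))


def _leftmost(node):
    """Walk down the left side of a chain of binary operators."""
    while isinstance(node, ast.BinOp):
        node = node.left
    return node


def _is_dynamic_sql(arg):
    """True when the query argument is a SQL literal combined with run-time values."""
    if isinstance(arg, ast.BinOp) and isinstance(arg.op, (ast.Add, ast.Mod)):
        return _is_sql_literal(_leftmost(arg))          # "SELECT ..." + x, "..." % x
    if isinstance(arg, ast.JoinedStr):                   # f"SELECT ... {x}"
        return bool(arg.values) and _is_sql_literal(arg.values[0])
    if (isinstance(arg, ast.Call) and isinstance(arg.func, ast.Attribute)
            and arg.func.attr == "format"):              # "SELECT ... {}".format(x)
        return _is_sql_literal(arg.func.value)
    return False


def find_dynamic_sql(source):
    """Return the line numbers of execute()/executemany() calls with dynamic query text."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr in ("execute", "executemany")
                and node.args and _is_dynamic_sql(node.args[0])):
            findings.append(node.lineno)
    return sorted(findings)


def run_hardened(username):
    """Run the parameterized query against a constructed in-memory table.

    A value such as "' OR '1'='1" is bound as data, so it matches no row.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    cur = conn.execute("SELECT id FROM users WHERE name = ?", (username,))
    return cur.fetchall()


if __name__ == "__main__":
    print("vulnerable:", find_dynamic_sql(VULNERABLE_SNIPPET))   # [4]
    print("hardened:  ", find_dynamic_sql(HARDENED_SNIPPET))     # []
    print("variants:  ", find_dynamic_sql(VARIANT_SNIPPET))      # [2, 3, 4]
    print("bound input returns:", run_hardened("' OR '1'='1"))   # []
```

The check is deliberately narrow (it keys on `execute`/`executemany` and on a leading SQL keyword) so that it produces few false positives when wired into a workstation hook or a CI job; findings are meant to route a snippet to the careful human review that 63% of respondents say AI suggestions require, not to replace it.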
#ai-security #devsecops #malicious-ai-models #vulnerability-management #secure-software-supply-chain
Read at DevOps.com