JFrog Report Warns: Australian Companies Have Critical Software Governance Blind Spots Amidst Increasing Threat Landscape
Australian organisations lead globally on automated governance enforcement (47%) and self-hosted AI (68%), yet secrets detection and audit readiness gaps reveal the limits of an automation-first approach
Posted: Tuesday, Jun 02

SYDNEY, 2 June 2026 – JFrog Ltd (Nasdaq: FROG), the Liquid Software company and creators of the JFrog Software Supply Chain Platform, the system of record for trusted software artifacts, binaries, and AI assets, today released the Australian findings of its 2026 Software Supply Chain Security State of the Union report. While Australia’s automated defences lead the world in traditional package security, organisations are attempting to secure tomorrow’s AI-driven supply chain with yesterday’s tools. By relying on legacy controls that weren’t built for AI models, agentic tools, or machine-generated code, they are leaving massive vulnerabilities exactly where development is moving fastest.

“Australian enterprises have done something most markets are still working toward – they’ve built automated gates across the developer toolchain and brought AI models inside their own infrastructure for sovereign control,” said Sunny Rao, SVP of APAC, JFrog. “But as AI models become supply chain dependencies and agentic tools gain direct access to codebases and credentials, organisations need a single source of truth that governs every artifact – every binary, every model, every IDE extension – from the moment it enters the pipeline to the moment it reaches production. That’s the trust layer Australian organisations need to be secure. Without it, the most automated perimeter in the world still has gaps that attackers can walk through.”

A record-breaking global threat landscape

The JFrog 2026 report shows an unprecedented surge in software supply chain attacks: Globally, 171,592 malicious npm packages were detected in 2025 (up 451% year-over-year), 495 malicious AI models were identified on Hugging Face carrying live payloads, and over 48,000 new CVEs were disclosed (up 20%). For the first time, JFrog also tracked 56 malicious extensions on OpenVSX, the registry used by AI-native IDEs, plus 969 malicious AI agent skills – a new attack vector targeting the autonomous tools that write, review, and deploy code. The 2024–25 Australian Signals Directorate Annual Cyber Threat Report confirms the local stakes: the average cost of cybercrime for Australian businesses surged 50% to $80,850 per incident, with supply chain attack vectors explicitly highlighted as a growing risk.

Built to Block: Where Australia leads

The Australian findings are drawn from 165 local respondents, part of JFrog’s global survey of 1,508 IT professionals across eight countries. On multiple dimensions, Australia’s automation-first approach delivers measurable advantages:

  • Self-hosted AI sovereignty: 68% of Australian organisations self-host AI models, the highest rate globally, reflecting a strong preference for keeping models inside infrastructure they control.
  • Developer tooling enforcement: 47% use automated controls to block unapproved IDE extensions and MCP servers – the highest rate of any country surveyed and eight percentage points above the global average.
  • Highest software provenance visibility: 67% report full visibility into the provenance of software running in production – the highest in APAC and 10 percentage points above the global average.
  • Fastest open-source package approvals in APAC: 53% get new open-source packages approved within five days, driven by pre-approved curated lists and automated enforcement that removes packages from the manual approval queue entirely.

Where automation falls short, governance blind spots remain

Despite this leadership position, JFrog’s report reveals gaps in Australia’s software supply chain perimeter that align directly with the attack vectors growing fastest globally:

  • AI-generated code burden: 51% of Australian security teams cite reviewing and hardening AI-generated code as a major time burden – the highest in APAC. Yet 34% of Australian developers treat AI-suggested security fixes as near-definitive, accepting them with only a quick review, a tension that underscores the risk of automation outpacing the governance needed to validate it.
  • Audit readiness: Despite leading APAC on provenance visibility, 44% of Australian organisations still need a week or more to produce compliance audit proof per application, indicating that visibility and audit-readiness are not the same thing.
  • Secrets detection: Only 38% have adopted secrets detection – the highest rate in APAC, but that still means nearly two-thirds of Australian organisations are not actively scanning for exposed credentials, API keys, or tokens in their codebases. Globally, JFrog found 17,637 exposed tokens across public repositories in 2025, with 33% of AWS credentials and 87% of Hugging Face tokens still active at the time of discovery.

“Australia is in a uniquely strong position because the hardest part – building the culture and infrastructure for automated enforcement – is already done. What’s needed now is a system of record that extends that discipline to every layer of the supply chain: curating AI models and open-source packages before they reach the pipeline, scanning every artifact for exposed secrets automatically, and using contextual analysis to cut through CVE noise so teams fix what actually matters,” Rao added. “When governance is platform-native rather than bolted on, compliance evidence becomes something the system generates in minutes, not something a team assembles under pressure over weeks. That’s how you turn Australia’s automation advantage into end-to-end protection.”

Report Methodology

The Australian findings are based on 165 respondents who work in organisations with fifty or more employees in the software development team, drawn from JFrog’s Q1 2026 survey. The 2026 JFrog Software Supply Chain Security State of the Union combines JFrog Platform usage data, JFrog Security Research vulnerability analyses, and the findings of a commissioned survey of 1,508 full-time security, DevOps, and IT professionals (Jan–Feb 2026) across the US, UK, France, Germany, India, Australia, Spain, and Singapore.

About JFrog

JFrog Ltd. (Nasdaq: FROG), the creators of the unified DevOps, DevSecOps, DevGovOps, and MLOps platform, is on a mission to create a world of trusted software delivery without friction from development to production. Driven by a “Liquid Software” vision, the JFrog Platform is a software supply chain system of record that is designed to power organizations as they build, manage, govern, and distribute secure software with speed and scale. Holistic security features help identify, protect, and remediate against threats and vulnerabilities. The universal, hybrid, multi-cloud JFrog Platform is available as both SaaS services across major cloud service providers and self-hosted. Millions of users and approximately 6,600 organizations worldwide, including a majority of the Fortune 100, depend on JFrog solutions to securely embrace digital transformation in the AI era. Learn more at www.jfrog.com or follow us on X @JFrog.