Global News & Analysis
74% of Organizations Remediate Vulnerabilities Within a Week

A recent report by the Cloud Security Alliance analyzed survey data from nearly 1000 cybersecurity leaders. The report found that nearly half of respondents who experienced a production incident say it involved a previously identified vulnerability. Additionally, 9% of organizations remediate critical or high-severity vulnerabilities in production within 24 hours, while 74% take between one and seven days.
The report also found that organizations in the four-to-seven-day capability were breached by a known vulnerability at a 97% rate, compared to 77% among those who patch within 24 hours.
According to the report, 92% of organizations prioritizing risk identification before deployment experienced a known-vulnerability incident in the past year, while 91% of those who reported they were “very confident” in their organization's AppSec strategy still had a production incident bypass pre-production controls.
The report found that 70% of organizations have AI-powered components in production, yet 82% cannot see AI runtime behavior in real time. Additionally, 73% of respondents would adopt virtual patching that could reliably block production exploits with minimal false positives.
Malicious Cybersecurity Packages Targeting Supply Chains Rose 451%
A report by JFrog analyzed the current state of supply chain security. The report found that malicious npm packages surged 451% year-over-year, with 177K new malicious packages detected across registries in the last year. Attackers are exploiting trust at scale — the “Qix” campaign used just 25 packages to compromise over 2.5 million downloads.
Researchers identified 969 carrying high-impact payloads alongside 495 malicious AI models on Hugging Face and 56 malicious extensions on OpenVSX. Attackers are no longer just targeting code; they are targeting the autonomous tools that write, review, and deploy it.
Over 48,000 new CVEs were disclosed in 2025, a 20% year-over-year increase partially driven by AI-generated code reintroducing decades-old weaknesses, like Injection (CWE-74), which grew 3,110%. Researchers found that 66% of CVEs analyzed had minimal real-world applicability: volume-based triage is noise, while context and applicability become the mission-critical signals.
The report found that 40% of organizations have adopted malicious package detection and secrets detection is active at just 28%. The categories growing fastest in threat volume remain the least covered by existing tooling.
According to the report, 45% of respondents say reviewing and hardening AI-generated code is now a major time drain — proving that AI hasn't eliminated work — it’s merely shifted the burden as threat actors weaponize upstream developer environments and agentic tools.
Looking for a reprint of this article?
From high-res PDFs to custom plaques, order your copy today!



.webp?height=200&t=1692281098&width=200)



