Tuesday, 02 January 2024 12:17 GMT

AI Boom Tests Software Defences Arabian Post


(MENAFN- The Arabian Post) India's rapid AI adoption is exposing weak points in software supply chain security, with enterprises expanding automated development faster than their ability to detect compromised packages, unsafe containers and unverified AI components.

A 2026 software supply chain security assessment shows that about 65 per cent of organisations in India cannot detect malicious packages, while 71 per cent do not use container security tools. The findings underline a widening gap between the speed of AI-led software development and the controls needed to secure code, dependencies, models and deployment pipelines before they reach production systems.

Security teams are facing a more complex threat environment as AI coding assistants, model registries, agent frameworks and machine-learning libraries become embedded in day-to-day software engineering. AI is no longer confined to application features or analytics layers. It is becoming part of the software supply chain itself, influencing how code is written, tested, packaged and deployed.

Enterprises in India have been quick to adopt AI tools to improve developer productivity, reduce repetitive work and accelerate product releases. Yet the same shift has increased reliance on open-source packages, pre-trained models, plug-ins and automated build systems. Each of these components can introduce hidden risks if provenance, integrity and behaviour are not continuously verified.

Global software repositories are now attracting sustained attacks because they provide a direct route into enterprise development environments. Malicious npm packages rose by 451 per cent during 2025, while more than 48,000 new CVE (Common Vulnerabilities and Exposures) records were disclosed worldwide, about 20 per cent more than in the previous year.

The pressure on security teams is being amplified by the volume of AI-generated code. Developers in India are spending about 51 per cent of their time reviewing, validating and hardening code produced by AI tools. About 53 per cent treat such output only as a starting point and review every line before use, while 11 per cent rewrite AI-generated fixes from scratch.


This shift has altered the economics of software engineering. AI may reduce the time needed to draft code, but it shifts effort towards verification, testing and security review. Weaknesses such as cross-site scripting, SQL injection and missing authorisation checks can still be reproduced in AI-generated code, particularly when developers accept generated output without adequate scrutiny.

Governance is emerging as another area of concern. Nearly 97 per cent of organisations surveyed said they had certified AI model governance programmes, but only 59 per cent claimed full provenance visibility across production environments. About 48 per cent still needed a week or longer to produce audit-ready compliance evidence.

That gap points to a difference between policy and enforceable control. Many enterprises have AI governance frameworks on paper, but fewer can prove where every model, library, container image and software artefact came from, how it changed, who approved it and whether it complies with internal policy.

CERT-In has also warned that software supply chain compromises are increasingly targeting developer tools and trusted repositories. Its April 2026 activity note referred to attacks affecting npm, PyPI, GitHub Actions and container registries, including incidents involving Checkmarx, Trivy, LiteLLM, Axios, Telnyx and npm packages linked to the CanisterWorm campaign. The payloads observed in these attacks included credential harvesting, data exfiltration, remote execution and persistence within developer systems.

Model registries have added another layer to the risk. Around 1.4 million new AI artefacts were published on Hugging Face during 2025, representing 58 per cent of all new software packages tracked in one assessment. Researchers identified 495 malicious AI models in public repositories with active payloads capable of credential theft, command execution and reverse-shell activity, along with 969 malicious AI-agent skills designed to exploit developer environments and automation workflows.


For enterprises in India, the challenge is sharpened by the country's role as a major software engineering and global capability centre hub. Bengaluru, Hyderabad, Pune, Chennai and Gurugram host large engineering teams serving banking, retail, telecoms, manufacturing and cloud services. These centres are increasingly responsible not only for maintenance work but also for product development, AI integration and security-sensitive digital platforms.

Regulatory and customer expectations are also tightening. Buyers are asking for software bills of materials, vulnerability disclosure processes, provenance records and proof that build pipelines are protected. CERT-In's technical guidance on software, quantum, cryptographic, AI and hardware bills of materials (SBOM, QBOM, CBOM, AIBOM and HBOM) has emphasised regular updates, Vulnerability Exploitability eXchange (VEX) documents and staff training around software supply chain visibility.

Security leaders are therefore moving towards stronger controls across development pipelines. These include automated malicious package detection, container image scanning, secrets detection, signed artefacts, dependency pinning, model provenance checks, policy enforcement in CI/CD systems and continuous monitoring of developer environments.
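Two of the controls listed above, dependency pinning and artefact integrity checks, can be enforced with a small gate in the build pipeline. The following is an added example written for this article, not code from CERT-In, the survey or any vendor named here. It models pip's hash-checking mode (entries of the form `name==version --hash=sha256:<hex>`) and applies the same rule to a model file listed in the same pin file; the pin file, the "fetched" artefact bytes and the tampered model bytes are constructed inline for the demonstration.

```python
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Example code added by the editor; it is not the article's or any project's own code.
# Pins are parsed from requirements-style text. An entry is acceptable only when it is
# an exact "==" pin, carries at least one sha256 hash, and the artefact actually
# fetched for it matches one of those hashes. Everything else blocks the build.

PIN_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*(?P<version>\S+)(?P<rest>.*)$"
)
HASH_RE = re.compile(r"--hash=sha256:([0-9a-fA-F]{64})")


@dataclass
class Pin:
    name: str
    version: Optional[str]            # None when the line is not an exact "==" pin
    hashes: Set[str] = field(default_factory=set)


def normalise(name: str) -> str:
    """Package names compare case-insensitively; '_' and '-' are equivalent."""
    return name.lower().replace("_", "-")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_pins(text: str) -> List[Pin]:
    pins: List[Pin] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        m = PIN_RE.match(line)
        if not m:
            # A range or floating spec such as "numpy>=1.26": recorded as unpinned.
            name = re.split(r"[<>=!~\s]", line, maxsplit=1)[0]
            pins.append(Pin(name=normalise(name), version=None))
            continue
        hashes = {h.lower() for h in HASH_RE.findall(m.group("rest"))}
        pins.append(Pin(normalise(m.group("name")), m.group("version"), hashes))
    return pins


def verify_artifacts(pins: List[Pin], fetched: Dict[str, bytes]) -> Dict[str, str]:
    """Map each pinned name to one of: ok, unpinned, missing_hash,
    missing_artifact, hash_mismatch."""
    fetched = {normalise(k): v for k, v in fetched.items()}
    results: Dict[str, str] = {}
    for pin in pins:
        if pin.version is None:
            results[pin.name] = "unpinned"
        elif not pin.hashes:
            results[pin.name] = "missing_hash"
        elif pin.name not in fetched:
            results[pin.name] = "missing_artifact"
        elif sha256_hex(fetched[pin.name]) in pin.hashes:
            results[pin.name] = "ok"
        else:
            results[pin.name] = "hash_mismatch"
    return results


def gate(results: Dict[str, str]) -> bool:
    """True only if every entry verified; the pipeline should fail otherwise."""
    return bool(results) and all(status == "ok" for status in results.values())


# Constructed sample data (not real packages or real hashes).
GOOD_WHEEL = b"requests-2.31.0 wheel contents (constructed sample)"
TRUSTED_MODEL = b"model.safetensors original bytes (constructed sample)"
TAMPERED_MODEL = b"model.safetensors with injected payload (constructed sample)"

SAMPLE_PINS = f"""
# constructed pin file: hashes were recorded when the artefacts were first vetted
requests==2.31.0 --hash=sha256:{sha256_hex(GOOD_WHEEL)}
model-weights==1.0.0 --hash=sha256:{sha256_hex(TRUSTED_MODEL)}
pyyaml==6.0.1
numpy>=1.26
"""

# What the build actually pulled: the model was swapped after the hash was recorded.
FETCHED = {
    "requests": GOOD_WHEEL,
    "model-weights": TAMPERED_MODEL,
    "pyyaml": b"pyyaml-6.0.1 wheel (constructed sample)",
    "numpy": b"numpy wheel (constructed sample)",
}

if __name__ == "__main__":
    outcome = verify_artifacts(parse_pins(SAMPLE_PINS), FETCHED)
    for name, status in outcome.items():
        print(f"{name:14} {status}")
    print("build allowed:", gate(outcome))
```

Run stand-alone, the sample reports `requests` as ok, the swapped model as `hash_mismatch`, `pyyaml` as `missing_hash` and `numpy` as `unpinned`, and the gate refuses the build. A real pipeline would record the hashes at review time, fail closed on any status other than `ok`, and treat a mismatch as an incident rather than a retry.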

The investment case is becoming harder to ignore. Software supply chain attacks can bypass perimeter defences because they enter through trusted development channels. Once inside, malicious packages can steal credentials, alter builds, move into cloud environments or compromise downstream customers. AI raises the stakes because it can accelerate both legitimate development and attacker experimentation.
