Skip to main content
CybersecurityVulnerability Management

Vulnerabilities Remain Unaddressed Despite Swift Remediation Efforts

Cluttered workstation with scattered papers, empty cans, and multiple screens displaying code amidst a sense of urgency.

“Malicious npm packages surged 451% year‑over‑year.”

That stark figure comes from a pair of recent industry studies summarized in a Security Magazine brief. Taken together, the Cloud Security Alliance and JFrog reports sketch a marketplace in which old vulnerabilities resurface, supply‑chain abuse scales rapidly, and the rise of AI both accelerates risk and obscures it from defenders.

Patch timing and production incidents — the Cloud Security Alliance snapshot

The Cloud Security Alliance surveyed nearly 1,000 cybersecurity leaders and found a striking gap between identification and containment. Nearly half of respondents who experienced a production incident said it involved a previously identified vulnerability. Only 9% of organizations remediate critical or high‑severity vulnerabilities in production within 24 hours; 74% take between one and seven days.

The difference in response time mapped to different breach rates: organizations that fell into the four‑to‑seven‑day remediation window were breached by a known vulnerability at a 97% rate, compared with a 77% rate among those who patched within 24 hours. The report also recorded counterintuitive results on pre‑deployment controls: 92% of organizations that said they prioritize risk identification before deployment nonetheless experienced a known‑vulnerability incident in the past year, and 91% of respondents who described themselves as “very confident” in their AppSec strategy still had a production incident that bypassed pre‑production controls.

AI in production: visibility gaps, code‑review burdens, and virtual patching interest

AI is now embedded broadly but not transparently. According to the Cloud Security Alliance, 70% of organizations have AI‑powered components in production, yet 82% cannot see AI runtime behavior in real time. That blind spot accompanies operational strain: 45% of respondents told JFrog that reviewing and hardening AI‑generated code is now a major time drain.

Faced with that reality, defenders are open to defensive workarounds: 73% of respondents said they would adopt virtual patching that could reliably block production exploits with minimal false positives. But the reports also highlight a tooling mismatch — security teams are being asked to police machine‑assisted development without commensurate visibility into what those tools actually do at runtime.

Supply‑chain tactics: Qix campaign, malicious models on Hugging Face, and OpenVSX extensions

JFrog’s analysis documents a rapid escalation in supply‑chain abuse. Malicious npm packages rose 451% year‑over‑year, with 177,000 new malicious packages detected across registries in the last year. The “Qix” campaign is a vivid example: attackers used just 25 packages to accumulate more than 2.5 million downloads.

Researchers also identified 969 items carrying high‑impact payloads alongside 495 malicious AI models on Hugging Face and 56 malicious extensions on OpenVSX. The report warns that attackers are no longer targeting only code; they are targeting the autonomous tools that write, review, and deploy code.

Volume, triage, and applicability: 48,000 CVEs and the signal‑to‑noise problem

JFrog reported over 48,000 new CVEs disclosed in 2025 — a 20% year‑over‑year increase — and attributed part of that surge to AI‑generated code reintroducing decades‑old weaknesses. Injection (CWE‑74) was highlighted as an example, growing 3,110% in the data the researchers examined. Yet researchers judged that 66% of the CVEs analyzed had minimal real‑world applicability, turning sheer volume into noise and making context and applicability “mission‑critical signals” for defenders.

The same supply‑chain analysis shows partial uptake of defenses: 40% of organizations have adopted malicious package detection, and secrets detection is active at just 28%. Those categories growing fastest in threat volume remain the least covered by existing tooling.

What this means for security teams, procurement officers, and open‑source maintainers

  • Security teams and developers — Expect higher workloads. The reports indicate added burden from reviewing AI‑generated code (45%) and the need to prioritize context over volume when triaging thousands of CVEs.
  • Procurement and risk officers — Supply‑chain risk looks systemic. The surge in malicious packages (177K new detections) and campaigns like Qix show that dependency vetting and package screening are becoming core risk controls rather than optional hygiene.
  • Open‑source maintainers and registry operators — The attackers’ pivot to models and tooling (495 malicious models on Hugging Face; 56 malicious OpenVSX extensions) means maintainers must contend not only with malicious packages but with malicious artifacts that operate at the level of automation and CI/CD.

The two reports together deliver a clear if uncomfortable verdict: identification alone is not enough, volume is drowning context, and the tools that sped development are now fraying the boundary between safe and unsafe code. Whether organizations close that visibility gap, speed remediation back toward the 24‑hour band, or invest more heavily in virtual patching and package‑detection technologies will determine how often known vulnerabilities become tomorrow’s headlines.

https://www.securitymagazine.com/articles/102428-74-of-organizations-remediate-vulnerabilities-within-a-week