Software supply chains in 2026 are no longer just about open-source libraries and CI pipelines; they now include AI models, agents, containers, and protocol adapters. Recent analyses highlight a surge in risks from AI-driven development, opaque binary artifacts, and autonomous agents accessing internal systems—on top of more “traditional” OSS issues like dependency confusion and maintainer compromise [1][2][3][4].

Fastest-Rising Vulnerability Categories

1. AI and ML Artifact Vulnerabilities

• What’s new:

• AI models and ML artifacts are now first-class supply chain components, but traditional scanners can’t parse or reason about them [1].

• Key risks:

• Deserialization / Pickle injection: Loading certain model formats (e.g., Python pickles) can trigger arbitrary code execution on model load [1].

• Model poisoning and backdoors: Attackers introduce subtle malicious behavior into open-source LLM or model weights that activates under specific inputs [1].

• Unknown provenance: Models trained on opaque data with no verifiable training pipeline; no trustworthy ML “bill of materials” (ML-BOM) [1].

• Why growing fast:

• Explosion of AI model reuse from hubs and registries.

• AI devs frequently pull pre-trained models with minimal vetting.

• Implications:

• Need for MLSecOps (DevSecOps applied to ML): model provenance, signing, ML-BOMs, secure serialization, and scanning of model artifacts [1].

2. AI Agents and Non-Human Identities (“Agentic Governance”)

• Trend:

• Autonomous agents and copilots are writing, modifying, or deploying a substantial share of enterprise code by 2026 [1].

• Risks:

• Agents pulling packages, models, or tools based purely on speed or popularity.

• Lack of identity, logging, and policy for non-human actors (agents behaving like developers but with fewer checks) [1].

• Why it’s accelerating:

• Organizations adopt AI agents faster than they update security controls.

• Regulatory attention is shifting to “who (or what) changed this in production?”

• Mitigations:

• Treat agents as first-class identities: authenticate, authorize, and log every action.

• Enforce repository allow-lists, version constraints, and policy checks for all agent-initiated changes [1].

3. Vulnerabilities in Model Context Protocols and Tooling Bridges

• Context:

• Model Context Protocol (MCP) and similar mechanisms expose internal APIs, databases, and tools to AI agents through “servers” [1].

• New attack surface:

• Poorly governed MCP servers can act like high-privilege backdoors: a single misconfigured tool can grant wide access to sensitive data.

• Specific risks:

• No centralized catalog of MCP servers and their capabilities.

• No global logging or least-privilege enforcement on agent-tool interactions [1].

• Why rising:

• Rapid internal experimentation with AI toolchains; security often bolted on late.

• Defensive direction:

• Discovery and inventory of all MCP servers.

• Per-tool least-privilege grants and comprehensive logging to build a “system of evidence” [1].

4. Advanced Open-Source Dependency Attacks

• Ongoing but intensifying patterns:

• Dependency confusion: Attackers publish malicious packages with names that override or mimic internal ones [1][4].

• Maintainer account compromise: Social engineering attacks to take over popular packages, inject trojans, and let them sit dormant before activation [1].

• Recent evolutions:

• Long-dormant implants and highly targeted campaigns using trusted, signed artifacts [1].

• Increased obfuscation and polymorphism in malicious dependencies, aided by AI tools [4].

• Why still accelerating:

• Most orgs still implicitly trust “popular” packages.

• Transitive dependency trees are getting deeper and more complex.

• Mitigations gaining traction:

• Curation-first: Block or quarantine risky components at ingestion (e.g., “young” packages, unmaintained, or from untrusted publishers) [1].

• Enforce signing and provenance for inbound packages.

5. The “Binary Gap” and Build-Pipeline Tampering

• Problem:

• Security posture focuses on source; many attacks now happen between source and production (in CI pipelines, compilers, packaging, container builds) [1].

• Risks:

• Malicious changes in build steps or injected into binary artifacts (e.g., JARs, wheels, container images).

• Unsigned or unverifiable binaries; no traceable chain of custody [1].

• Why rising:

• Higher adoption of remote build services and complex build graphs; more points to compromise.

• Mitigation direction:

• Single, governed binary repository.

• Cryptographic provenance (SLSA-level attestations) and “sign everything” for critical artifacts [1].

6. Static SBOM “Decay” and Stale Governance

• Issue:

• Many organizations treat SBOMs as one-time documents, but components keep changing and gaining new CVEs [1][2].

• Vulnerability:

• Temporal decay: SBOMs quickly become obsolete; real exploitable exposure diverges from documented state.

• Why it’s a growing problem:

• Regulation is pushing SBOM adoption, but not all orgs are making them dynamic or integrated with live threat intel [1][3].

• Emerging best practice:

• “Living SBOMs” integrated into build and runtime, enriched with real-time vulnerability and exploit likelihood data (e.g., EPSS, reachability) [1].

Counterarguments and Context

• Classical CVEs in OSS libraries are still numerous, but:

• Many are low-impact, non-exploitable in context.

• Industry is shifting toward exploitability + reachability over raw CVSS scores [1].

• Some argue AI agents will also improve security. That’s likely true, but only if governance, logging, and policy keep pace; otherwise agents amplify mistakes and bypass human checks.

Practical Implications

Security leaders in 2026 need to:

• Extend their supply chain scope to AI models, agents, MCP servers, and binaries, not just OSS libs.

• Move from “compliance as documents” to “compliance as a system of evidence”, with immutable logs and attestations for builds and agent actions [1].

• Implement:

• Curation and gating at ingestion.

• Signed artifacts and SLSA-like provenance.

• MLSecOps for AI models.

• Agentic governance and MCP governance as first-class programs.