RL SSCS Report 2026: 5 key takeaways
ID: 0d506bae-c81c-5648-bc89-8e302ab72402
STIX ID: report--0d506bae-c81c-5648-bc89-8e302ab72402
Feed Name: ReversingLabs Blog
ReversingLabs' Software Supply Chain Security Report 2026 reviews 2025's escalation in software supply-chain threats: a >100% increase in malicious npm packages (10,819 detections), including the Shai-hulud self-replicating worm that compromised ~1,000 packages; targeted compromises of popular modules and maintainers; abuse of developer tooling and CI/CD (notably VS Code Marketplace); AI-linked malware distribution via Pickle ML models (nullifAI) on Hugging Face and PyPI; widespread exposure of development secrets; and novel crypto-focused delivery techniques. The report concludes that organizations must move from implicit trust to continuous validation.
