CVE noise drowns out supply chain threats

ID: 5252105e-91b2-5d29-8c6f-9f71d900fb4d

STIX ID: report--5252105e-91b2-5d29-8c6f-9f71d900fb4d

Feed Name: ReversingLabs Blog

Threat Score
72/100

Date Published: 2026-06-02

Date Updated: 2026-06-03

Author: John P. Mello Jr.

...
...

Black Kite reports that although tens of thousands of CVEs were published in 2025, only a small fraction (58) posed real supply-chain risk, and that AI is accelerating both vulnerability discovery and attacker exploitation, often before public disclosure. The article warns that CVE-centric defenses miss supply-chain attacks. As evidence it cites ReversingLabs' disclosure of 31 malicious @redhat-cloud-services npm packages that delivered an obfuscated credential-stealing payload (targeting AWS, Azure, GCP, Vault, GitHub, and npm credentials) and executed during npm install, with no CVE assigned. It argues for behavioral and binary analysis and continuous package monitoring to detect threats that vulnerability scanners cannot.