28 application security stats that matter
ID: 68d24418-c538-5f3b-a2c6-135223f38142
STIX ID: report--68d24418-c538-5f3b-a2c6-135223f38142
Feed Name: ReversingLabs Blog
**Executive summary:** This report compiles 28 AppSec statistics showing escalating software supply-chain attacks, weaponization of open-source ecosystems, pervasive unpatched and outdated dependencies, widespread leakage of developer secrets, and emerging risks from AI-generated code and unvetted ML models. Notable findings include a registry-native worm (Shai-hulud) affecting ~1,000 npm packages and exposing ~25,000 repositories, a doubling of malicious npm packages to ~10,819, high percentages of codebases with vulnerabilities, long remediation times, and widespread use of unvetted third-party and AI components.
