Orca Security has released its State of Application Security report, which found widespread weaknesses across production software environments in the United States and Europe.
The report analysed aggregated, anonymised telemetry from 1,079 production organisations across software dependencies, CI/CD pipelines, repositories, secrets, infrastructure as code, containers and cloud identity settings. More than 81% of organisations deploy vulnerable dependencies, nearly one-third expose valid secrets in code, 80% lack proper logging in infrastructure as code, and more than 77% leave high- or critical-severity container vulnerabilities unpatched for more than 90 days.
AI Secrets
One of the clearest findings was the exposure of credentials tied to artificial intelligence and machine learning services. The report found that 41.88% of production organisations had leaked AI or ML credentials.
Hugging Face tokens were exposed in 28.49% of organisations, OpenAI credentials in 18.39%, Databricks in 11.92%, and Anthropic in 10.10%. These credentials can provide access to models, training data, inference endpoints and billing systems.
Gil Geron, Chief Executive Officer and Co-Founder of Orca Security, said the findings point to a wider problem in software development practices.
"We are seeing a widening trust gap in modern software. The industry has optimised for speed at the expense of resilience, automating pipelines, dependencies, and AI integrations without hardening the foundations they rely on. The result is software supply chains that are massively interconnected, highly automated, and dangerously fragile," Geron said.
He said the findings also reflect long-running weaknesses that remain unresolved in many organisations.
"Attackers only need one exposed token or one compromised dependency to scale across thousands of victims. When nearly half of organisations are still exposed to Log4Shell years after disclosure, it is clear that the problem is no longer awareness, but accountability. Security must be built into DevOps, not bolted on," he said.
Supply Chain Risk
The report places recent supply chain threats in the context of a shift from isolated compromises to attacks that spread through trusted development tools and package ecosystems. It cites the ShaiHulud 2.0 campaign as an example of self-replicating malware that compromised npm tokens and GitHub credentials to publish more malicious packages.
According to Orca, the campaign affected more than 796 npm packages with more than 20 million weekly downloads and exposed 14,000 secrets across 487 organisations. The report also found that 11.01% of organisations had active malicious packages embedded in production environments.
Older headline vulnerabilities also remain prevalent. The research found that 29.15% of organisations are vulnerable to the React2Shell remote code execution flaw, while 46.20% remain exposed to Log4Shell.
"Attackers understand that compromising a single upstream dependency can cascade into thousands of downstream victims," said Gera Dorfman, Chief Product Officer at Orca Security.
"Supply chain attacks are no longer isolated incidents. They are scalable, automated, and increasingly self-propagating," Dorfman said.
Pipeline Controls
The study also points to persistent weaknesses in software delivery pipelines and code repositories, which have become attractive targets because they can provide access to source code, deployment credentials and other sensitive assets.
Among the organisations analysed, 21.68% maintained overly permissive CI/CD token permissions. The report found that 24.82% of repositories predate GitHub's 2023 default token hardening and may still retain older access settings.
It also found that 26.35% of repositories require no code review before merging, 30.60% do not require signed commits, and 57.87% have IAM users without multi-factor authentication. Recent GitHub Actions compromises showed how unpinned workflows and excessive permissions can turn routine automation into an entry point for attackers.
"These are foundational controls," said Tim Chase, Field CISO at Orca Security.
"When identity, token permissions, and review requirements are weak, the entire software supply chain becomes vulnerable," he said.
The report describes an overall picture in which cloud-native development, AI services and automation have expanded faster than basic security practices. It argues that exposed secrets, weak review controls, vulnerable dependencies and delayed patching remain common in live production environments.
"Modern software delivery has created enormous opportunity, but it has also expanded the attack surface in ways many organizations are still working to manage," Chase said.
"Security must evolve at the same speed as development," he said.