Open Source Bugs Spike 107%, AI Blamed

A 2026 analysis found a 107% surge in open source vulnerabilities since 2024. A Security Weekly podcast attributed the spike in part to "AI coding assistants that generate larger, more complex codebases with more bugs," amplifying supply chain security risks.

The 2026 Black Duck OSSRA report, which analyzed 947 commercial codebases, revealed the average application now contains 581 open-source vulnerabilities, a figure that more than doubled in a single year. This surge correlates with a 74% increase in the number of files and a 30% rise in open-source components per codebase, driven by the widespread adoption of AI development tools.

Independent research validates the risks associated with AI-generated code. A 2025 study by CodeRabbit found that pull requests involving AI contained 1.7 times more issues on average than those written solely by humans. Specifically, security vulnerabilities appeared up to two times more often, while logic and correctness issues rose by 75%.

AI coding assistants are not just introducing more bugs, but different kinds. While they have been shown to reduce simple syntax errors by 76%, they simultaneously cause a 322% increase in privilege escalation paths and a 153% spike in architectural design flaws. These "timebombs" are often subtle and missed by traditional scanners and human review of massive, AI-generated pull requests.

This amplification of vulnerabilities directly impacts the software supply chain, where 65% of organizations reported experiencing an attack in the past year. The problem is compounded by the reliance on outdated dependencies, with 93% of codebases containing open-source components that have seen no development activity in over two years, effectively becoming "zombie components."

The vulnerabilities AI assistants introduce are often common and dangerous. Studies of LLM-generated code show a high frequency of classic flaws like missing input validation (CWE-20), SQL injection (CWE-89), and OS command injection (CWE-78). These models, trained on vast public repositories, inherit and replicate insecure coding patterns found in their training data.

In Europe, this surge in software risk intersects with evolving regulation. While the EU's AI Act establishes a risk-based compliance model, the associated AI Liability Directive proposal was withdrawn in late 2025. This leaves liability for AI-induced damages to be governed by existing national laws and the new Product Liability Directive, creating a complex legal landscape for software providers.
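As an added illustration (not code from the report or the podcast), the following Python shows the three CWE patterns named above in the shape they typically appear in generated code, each next to its hardened form, plus a small check for the "zombie component" problem. The in-memory database, the hostname pattern, and the component ages are constructed for the demo; the vulnerable command builder only returns the string it would have run and never executes anything.

```python
import re
import sqlite3
from datetime import date, timedelta


def make_db():
    """Constructed in-memory table standing in for an application database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


# CWE-89: query text assembled from untrusted input. Any quote in `name`
# changes the query structure, so the WHERE clause no longer means what
# the author intended.
def lookup_role_vulnerable(conn, name):
    cur = conn.execute(f"SELECT role FROM users WHERE name = '{name}'")
    return [row[0] for row in cur.fetchall()]


# Hardened: the driver binds `name` as data, so the query shape is fixed
# and the input can only ever match (or not match) a literal name.
def lookup_role_safe(conn, name):
    cur = conn.execute("SELECT role FROM users WHERE name = ?", (name,))
    return [row[0] for row in cur.fetchall()]


# CWE-20 + CWE-78: a shell command string built from caller input. Shell
# metacharacters in `host` become part of the command line.
def ping_command_vulnerable(host):
    return f"ping -c 1 {host}"  # would be passed to a shell; not run here


# Hardened: validate the input against an allow-list pattern (assumed
# hostname syntax for the demo), then return an argv list so no shell is
# involved. Run with subprocess.run(argv, shell=False) if needed.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9.-]{1,253}")


def ping_command_safe(host):
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError("rejected: hostname contains disallowed characters")
    return ["ping", "-c", "1", host]


# "Zombie components": flag dependencies whose last recorded activity is
# older than the threshold the report uses (two years).
def stale_components(last_activity, today, max_age_days=730):
    """Return names whose last activity date is older than max_age_days."""
    cutoff = today - timedelta(days=max_age_days)
    return sorted(name for name, last in last_activity.items() if last < cutoff)


# Constructed sample of component -> last commit date.
SAMPLE_ACTIVITY = {
    "oldparser": date(2021, 3, 1),
    "freshlib": date(2025, 11, 20),
}


if __name__ == "__main__":
    db = make_db()
    crafted = "' OR '1'='1"
    print("vulnerable:", lookup_role_vulnerable(db, crafted))  # leaks every role
    print("safe:      ", lookup_role_safe(db, crafted))        # matches nothing
    print("argv:      ", ping_command_safe("example.com"))
    print("stale:     ", stale_components(SAMPLE_ACTIVITY, date(2026, 1, 15)))
```

The first pair is the kind of defect a reviewer should look for in large generated pull requests: both functions read naturally, and only the parameter binding distinguishes them. The stale-component check needs real last-activity dates from the package registry or repository metadata in practice; the dictionary here just stands in for that input.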
