Orca Security Report Reveals Widespread AI Credential Leaks and Persistent Log4Shell Exposure

PORTLAND, Ore.--(BUSINESS WIRE)--Orca Security, the pioneer in agentless cloud security, today released its 2026 State of Application Security Report, finding that while organizations are accelerating cloud-native development and AI adoption, security maturity is not keeping pace. The overall takeaway is clear: modern software ecosystems are expanding faster than the foundational controls designed to protect them, creating systemic risk across the application lifecycle.

The findings reveal a consistent gap between development velocity and security maturity. More than 81% of organizations deploy vulnerable dependencies, nearly one-third expose valid secrets in code, 80% lack proper logging in infrastructure as code, and over 77% leave high or critical container vulnerabilities unpatched for more than 90 days. As supply chain attacks grow more sophisticated and AI credential leaks introduce new risk, organizations face an expanding attack surface that demands stronger foundational controls embedded directly into the software lifecycle.

“We are seeing a widening trust gap in modern software. The industry has optimized for speed at the expense of resilience, automating pipelines, dependencies, and AI integrations without hardening the foundations they rely on. The result is software supply chains that are massively interconnected, highly automated, and dangerously fragile,” said Gil Geron, CEO + Co-Founder of Orca Security. “Attackers only need one exposed token or one compromised dependency to scale across thousands of victims. When nearly half of organizations are still exposed to Log4Shell years after disclosure, it is clear that the problem is no longer awareness, but accountability. Security must be built into DevOps, not bolted on.”

The AI and ML Secrets Crisis

The rapid adoption of AI services has introduced a new and fast-growing attack surface. Orca’s analysis shows that 41.88% of production organizations have leaked AI or ML credentials. Hugging Face tokens were exposed in 28.49% of organizations, followed by OpenAI credentials in 18.39%, Databricks in 11.92%, and Anthropic in 10.10%.

Unlike traditional API keys, AI credentials often grant access to proprietary models, training data, inference endpoints, and usage-based billing systems. A single exposed token can lead to intellectual property theft, data poisoning, or runaway compute costs.

Supply Chain Attacks Enter the Self-Replicating Era

The report highlights the rapid evolution of software supply chain threats, from SolarWinds to the 2025 ShaiHulud campaigns.

ShaiHulud 2.0 introduced self-replicating supply chain malware that automatically compromised npm tokens and GitHub credentials to publish additional malicious packages. The campaign impacted more than 796 npm packages with over 20 million weekly downloads and exposed 14,000 secrets across 487 organizations.

The research also found:

• 29.15% of organizations are vulnerable to the React2Shell RCE vulnerability
• 46.20% remain exposed to Log4Shell years after disclosure
• 11.01% have active malicious packages embedded in production environments

“Attackers understand that compromising a single upstream dependency can cascade into thousands of downstream victims,” said Gera Dorfman, Chief Product Officer at Orca Security. “Supply chain attacks are no longer isolated incidents. They are scalable, automated, and increasingly self-propagating.”

CI/CD and Repository Gaps Expand the Attack Surface

CI/CD pipelines and source code management systems have become high-value targets for attackers. Compromising a pipeline provides direct access to source code, secrets, and deployment credentials.

Orca’s research reveals persistent weaknesses across modern development workflows:

• 21.68% maintain overly permissive CI/CD token permissions
• 24.82% of repositories predate GitHub’s 2023 default token hardening and may retain legacy access settings
• 26.35% require no code review before merging
• 30.60% do not require signed commits
• 57.87% have IAM users without MFA

As demonstrated by recent GitHub Actions supply chain compromises, unpinned workflows and excessive permissions can rapidly turn trusted automation into an attack vector.

“These are foundational controls,” said Tim Chase, Field CISO at Orca Security. “When identity, token permissions, and review requirements are weak, the entire software supply chain becomes vulnerable.”

Organizations have embraced cloud-native development, AI services, and automated pipelines, but foundational security practices have not consistently kept pace. Vulnerable dependencies, exposed secrets, weak pipeline controls, and long-lived critical vulnerabilities remain common across production environments. Supply chain attacks and AI credential leaks further demonstrate how quickly trust relationships embedded in dependencies and automation can be exploited as software ecosystems grow in complexity.

“Modern software delivery has created enormous opportunity, but it has also expanded the attack surface in ways many organizations are still working to manage,” said Chase. “Security must evolve at the same speed as development.”

The 2025–2026 State of Application Security Report analyzes aggregated, anonymized telemetry from 1,079 production organizations across the United States and Europe, collected between Q3 2025 and Q1 2026. Spanning software dependencies, CI/CD pipelines, repositories, secrets, infrastructure as code, containers, and cloud identity configurations, the data reflects real-world production security posture across industries and organization sizes.

The full 2025–2026 State of Application Security Report is available for download at: https://orca.security/lp/2026-state-of-application-security-report/

About Orca Security

Orca enables organizations to make cloud security a strategic advantage. With the most comprehensive coverage and visibility across multi-cloud environments, the agentless-first Orca Platform unites teams to eliminate complexities, vulnerabilities, and risks - including the attack surface introduced by AI. Orca’s Security for AI secures your models, training data, and AI pipelines, while Orca AI accelerates detection, investigation, and response across your entire cloud environment. Backed by Temasek, CapitalG, ICONIQ Capital, Redpoint Ventures and others, Orca is trusted by hundreds of organizations, including SAP, Gannett, Autodesk, Lemonade and Digital Turbine. Connect your first account in minutes: https://orca.security or book a personalized demo.