Weak access controls, AI confusion, and the interconnection of business continue to expand the threat.
More than half (56%) of the 400,000 vulnerabilities IBM X-Force tracked in 2025 required no authentication before exploitation. This is revealed in the X-Force 2025 Threat Intelligence Index. The report also highlights the continuing success of infostealer credential theft, pointing to the discovery of 300,000 ChatGPT credentials on the dark web (almost certainly stolen by infostealers).
Clearly, more effective access control is required at the base. But the entire threat ecosystem is being complicated by the complexity of artificial intelligence, which is being used as a force multiplier by attackers. While it can be, and is being, used to provide visibility for defenders, it also complicates other threat areas and increases the overall threat surface.
AI helps attackers find weak access points; it provides compelling deepfakes that assist in the theft of credentials as well as performing immediate scams. And defensive use of agentic AI can also be harnessed by attackers. If credential theft gains API keys into in-house agentic AI, the blast radius of a compromise expands beyond the traditional data theft to potential control of the whole system.
X-Force also notes a fourfold increase in supply chain or third party breaches over the last five years. This is continuing. “I think the Shai-Hulud NPM compromise from last year was a big one that really opened organizations’ eyes to this particular threat,” Michelle Alvarez, manager at X-Force Threat Intelligence, told SecurityWeek.
“We’ve been talking about supply chain attacks and their significance for several years now,” she continued. “And I was quite surprised how many major supply chain compromises we saw last year.”
The report writes, “Adversaries increasingly exploited developer trust and identity integrations to steal credentials, pivot into cloud environments and maintain persistence across interconnected systems. Sprawling third party dependencies create hard to secure attack surfaces – where one weak link can expose many targets. Once largely confined to nation state actors, these supply chain attack techniques are now being adopted by financially motivated and other criminal threat groups, reflecting a clear trickle down of advanced tactics.”
This introduces another related element to the mix – the continuing blurring between financially-motivated criminals and elite state-sponsored attackers. Criminals are using more advanced techniques, but they largely remain smash-and-grab merchants: get in, steal for monetary gain, and get out quickly. State actors are espionage-motivated: enter quietly, lay low, persist as long as possible, and exfiltrate information quietly.
“This is a parallel theme to everything else,” commented Alvarez. “The importance here is that ‘blurring’ means you don’t see it – you don’t know what you’re defending against. You may detect some commonly used commodity malware, assume a criminal attack, nullify the malware and think everything is fine. But if it’s a nation state, they may remain hidden for a very long time.”
The importance of the report, she says, is that it counters a natural tendency to look at specific threats in isolation. “It’s when we start to look across the different and parallel trends, that we really start to see the big picture.”
Understanding the threat is important, but not helpful without a solution. Alvarez effectively mirrors Sun Tzu’s approach: ‘If you know the enemy and know yourself, you need not fear the result of a hundred battles.’
“When we speak to clients,” she said, “we think about what industry they are in, where are they operating geographically, what is their attack surface. Each organization has a role in identifying their own critical infrastructure and being able to protect that.” Knowing yourself means understanding what you have that the enemy wants, your brand exposure, any credentials being sold on the dark web, your attack surface, what your attack profile looks like, and which threat actors are likely to target you.
Knowing the enemy that is likely to target you means understanding who they are, the footprint they leave, their TTPs, etcetera, and being able to recognize and expel them.
The X-Force threat report helps in this by demonstrating that threats should not be considered in isolation – they are not merely isolated parallel threats but often sequentially linked threats leading to a compromise. Not requiring access authentication bypasses most of the other threats. But even if the door is closed it can be opened by stolen credentials. Stealing credentials and using them is exacerbated by AI, which also increases the threat surface, expands the blast radius, and often allows wider supply chain attacks.
Finding your credentials on the dark web is a signal of a pending attack, facilitated by AI and possibly your own agentic systems, and potentially widening into a large-scale supply chain or third party dependency attack.

