IBM has published its 2026 X-Force Threat Intelligence Index, highlighting a significant rise in cyberattacks driven by artificial intelligence (AI) and the exploitation of basic security gaps. The report shows that attacks starting with the exploitation of public-facing applications have increased by 44%. This trend is largely attributed to missing authentication controls and the use of AI tools that allow attackers to find vulnerabilities more quickly.
The study found a notable increase in ransomware and extortion groups, which surged by 49% year over year. Publicly disclosed victim counts also rose by about 12%. Large-scale supply chain and third-party compromises have nearly quadrupled since 2020, as attackers increasingly target environments where software is developed or deployed, including SaaS integrations. Vulnerability exploitation was identified as the leading cause of attacks, accounting for 40% of incidents observed by IBM X-Force in 2025.
“Attackers aren’t reinventing playbooks, they’re speeding them up with AI,” said Mark Hughes, Global Managing Partner for Cybersecurity Services at IBM. “The core issue is the same: businesses are overwhelmed by software vulnerabilities. The difference now is speed. With so many vulnerabilities requiring no credentials, attackers can bypass humans and move straight from scanning to impact. Security leaders need to shift to a more proactive approach, using agentic-powered threat detection and response to identify gaps and catch threats before they escalate.”
The report points out that infostealer malware led to the exposure of over 300,000 ChatGPT credentials in 2025. This suggests that AI platforms now face credential risks similar to those of other enterprise SaaS solutions. Compromised chatbot credentials introduce unique risks such as manipulation of outputs, data exfiltration, or injection of malicious prompts. IBM emphasizes the importance of assessing AI adoption across enterprises and enforcing strong authentication measures.
In addition, there was a marked increase in active ransomware groups during 2025 compared to the previous year. Smaller operators running low-volume campaigns are complicating attribution. Barriers to entry are being lowered by leaked tools and established attack methods reused among threat actors. As multimodal AI models advance, adversaries are expected to automate more complex tasks like reconnaissance and advanced ransomware operations.
Supply chain pressures continue to grow as well. Since 2020, large supply chain or third-party compromises have increased nearly fourfold due mainly to attacks on trust relationships and CI/CD automation within development workflows and SaaS integrations. The use of AI-powered coding tools is accelerating software creation but sometimes introduces unvetted code into these pipelines.
The report also notes that tactics once used primarily by nation-state actors are now being adopted by financially motivated groups as techniques spread through underground forums and AI makes reconnaissance easier.
Other findings from IBM’s research include:
– Attackers are leveraging AI for faster research, data analysis, and real-time adaptation of attack strategies.
– North Korean IT worker schemes use AI to scale operations, such as image manipulation for synthetic identities.
– Persistent weaknesses remain in credential hygiene and software configuration, according to X-Force Red penetration tests.
– Manufacturing remains the most targeted sector for the fifth consecutive year, accounting for 27.7% of incidents observed.
– North America became the most-attacked region for the first time in six years, representing 29% of total cases observed—an increase from 24% in 2024.
The full details can be found in IBM’s official report.




