Software today is built on an ever-expanding mesh of open-source components, third-party libraries, container images, package registries, automated systems, and build services. While this ecosystem accelerates development, it introduces a terrifying reality: a single compromised dependency or an unexpected upstream change can ripple through your entire product stack in minutes.

It has become one of the most critical pillars of modern DevSecOps. When your dependencies are trustworthy, verifiable, and governed correctly, you reduce the risk of malware insertion, dependency confusion, tampering, or upstream failure. Without this foundation, even the strongest supply chain security controls at the application layer won’t matter.

This blog, the first in Cloudsmith’s new series on 

, breaks down what software supply chain integrity actually means, why maintaining it is so challenging, and how frameworks like 

S2C2F (Secure Supply Chain Consumption Framework)

 help organisations implement consistent, secure open-source consumption practices.

Ready to understand where your supply chain security stands? Take our 

Software Supply Chain Maturity Assessment

 refers to the ability to ensure that every component in your software, from source code to dependencies to build artifacts and containers, remains authentic, untampered, verified, and sourced from trusted origins.

Do we fully trust the software we’re using?

Are we confident it hasn’t been altered, compromised, or replaced?

It goes beyond traditional application security. While AppSec focuses on your code, integrity focuses on the 

Where did this software originate? Can we verify the source?

Was it built by who it claims to be built by?

Has anything been modified, injected, or tampered with?

How do we enforce policies around what can (and cannot) enter our supply chain?

Can we rely on the upstream source, or do we have a trustworthy internal copy?

As organizations scale, maintaining this integrity moves from "nice to have" to "mission-critical."

Why supply chain integrity is challenging today?

Modern engineering teams consume thousands of open-source packages and containers from public ecosystems like npm, PyPi, Maven, and Docker Hub. These communities evolve fast, and threat actors have learned to weaponize that speed.

The "trust but verify" model is dead. We are now in a "verify, then trust" era. Here is why the landscape has shifted:

1. Malicious package uploads / Typosquatting

Attackers publish packages with names similar to legitimate ones (e.g., reqeust instead of request) to trick developers or automated tools into installing them. Once installed, these packages often run "post-install" scripts that exfiltrate environment variables or keys.

If you use an internal package name (e.g., my-company-auth) that isn't registered publicly, attackers can register that name on a public registry with a higher version number. By default, many package managers will pull the "latest" version -tricking your build system into downloading the attacker's public malware instead of your private code.

If an open-source maintainer’s credentials are stolen, attackers can modify widely-used packages, injecting backdoors, data exfiltration, or crypto-mining code into thousands of downstream applications instantly.

4. Upstream removal or "Left-Pad" incidents

It’s not always malice; sometimes it’s chaos. A popular OSS package can be unpublished by its author (like the infamous left-pad incident), breaking builds across the globe. If you rely on public registries directly, your pipeline is at the mercy of their uptime.

Malware embedded inside base images, compressed binary artifacts, or build scripts can spread downstream silently and undetected.

This modern threat landscape requires a shift in thinking. It’s not just about using open source securely; it’s about maintaining centralized ingestion, policy enforcement, provenance checks, and continuous monitoring

The pillars of software supply chain integrity

To help teams build strong governance around software dependencies, several core integrity principles have emerged. These align closely with industry standards, such as SLSA (Supply Chain Levels for Software Artifacts) and S2C2F.

Software supply chain integrity relies on a set of proven pillars that help teams control how software is sourced, validated, stored, and consumed. These include:

Never pull directly from the public internet in production builds. Consume OSS and third-party software through a centralized "front door", an artifact repository controlled by your organization. This acts as a firewall for your code, preventing accidental consumption of malicious packages and shielding you from upstream outages.

You cannot secure what you cannot see. A Software Bill of Materials (SBOM) provides a clear inventory of all dependencies, versions, and transitive packages. It's critical for identifying risky components and responding quickly to new vulnerabilities.

Automate detection at the gate. Scanning must happen 

 a package enters your environment. This includes checking for:

Known CVEs (Common Vulnerabilities and Exposures)

 standards. Establish global rules for approved packages, permitted licenses, vulnerability thresholds, and immutability. Governance ensures that developers in Team A and Team B are subject to the same safety standards and regulations.

Verify the origin. Ensuring your binaries match their source code is essential. Provenance checks confirm who built the software, where it was built, what tools were used, and whether the artifact signature matches the builder's key.

To achieve maximal integrity, organizations rebuild OSS packages inside their own trusted environment, signing them and generating SBOMs for each build.

Introducing S2C2F: A framework for supply chain integrity

One of the most practical and widely adopted frameworks for implementing software supply chain integrity is the Secure Supply Chain Consumption Framework (S2C2F).

Originally created by Microsoft in 2019 to secure their massive internal development loops, it was donated to the Open Source Security Foundation (OpenSSF) in 2022. It now serves as the industry standard for how organizations should 

 open-source software (as opposed to SLSA, which focuses on how you 

S2C2F offers eight core principles and four maturity levels to help organizations enhance their approach to consuming open-source software.

 All external artifacts must come through a central, controlled location.

 You must maintain a complete list of all OSS components you use.

 Vulnerabilities must be patched within a defined SLA.

 Developers must be prevented from bypassing secure methods technically.

 You must log and audit all ingestion sources and changes that occur.

 Automated scanning for CVEs and malware is mandatory.

 For high security, rebuild OSS on a trusted infrastructure.

 If a patch isn't available, fork and fix it yourself temporarily.

To keep this focused, we’ll dive deeper into S2C2F, including maturity levels and practical implementation steps, in Part 2 of this series.

1. What is software supply chain integrity?

Software supply chain integrity is the practice of ensuring that every component in your software development lifecycle—dependencies, containers, build artifacts, and scripts—is authentic, verified, tamper-free, and sourced from trusted origins. It answers the question: "Is this code exactly what it claims to be?"

2. Why is software supply chain integrity important?

Modern software relies heavily on third-party and open-source components that can be compromised, removed, or tampered with. Integrity prevents attacks such as dependency confusion, malware injection, and supply chain compromise.

3. What is the difference between SLSA and S2C2F? 

Think of them as two sides of the same coin. SLSA (Supply-chain Levels for Software Artifacts) focuses on securing the 

 process (how you create software). S2C2F (Secure Supply Chain Consumption Framework) focuses on the 

 process (how you consume open-source software). You need both for a complete software supply chain security strategy.

4. How does Cloudsmith prevent dependency confusion attacks?

The most effective way is to use a private artifact repository (like Cloudsmith) that supports "upstream proxying" with namespace protection. This ensures that if an internal package name exists, the build system will never look for it on the public registry, preventing the injection of malicious public packages.

5. How does Cloudsmith support supply chain integrity?

Cloudsmith acts as a secure "supply chain firewall." It allows organizations to centralize OSS ingestion, automatically scan for malware and vulnerabilities, manage SBOMs, enforce license policies, and verify provenance—automating the requirements of frameworks like S2C2F.

What is Software Supply Chain Integrity?

By now it’s clear the use of GenAI tooling like Cursor and Claude has fundamentally changed how code is written. This shift, which we explored in depth in our previous post, moves the security perimeter beyond just the generated code. Today, every engineering team building an AI-native application must equally prioritise securing the AI models and LLMs they pull into their tech stack. This forces us to rethink supply chain security for the AI era.

This post will dive deep into a concrete solution: leveraging Cloudsmith's Enterprise Policy Manager (

) to enforce rigorous security and governance policies on LLMs and datasets sourced from the 

Effective governance hinges on detailed metadata. Cloudsmith addresses this by providing a customised data model specifically for Hugging Face models and datasets. This is the crucial enabler, allowing developers and SecOps teams to write granular policies in 

 that target attributes unique to this package type.

The following examples showcase how EPM policies can be constructed to tackle common, yet critical, supply chain risks associated with adopting LLMs.


Whitelisting trusted publishers to enforce provenance

For mature organisations, time-to-market often depends on leveraging high-quality, pre-vetted artifacts from established entities like 

. Instead of subjecting these known-good sources to redundant policy checks, you can use an EPM policy to create a allowlist.

Create a terminal policy with the highest precedence (

If the model's publisher is on the approved list, the policy immediately sets the package state to '

. All subsequent policies are bypassed, dramatically streamlining ingestion for high-confidence artifacts.

 policy primarily targets packages pulled via a Hugging Face upstream and ignores packages that are pushed directly into Cloudsmith. This ensures reliable traceability, as packages pushed directly to Cloudsmith lack the verified publisher metadata from the Hub.

Blocking Models with Unsafe Files via Security Scans

The concept of a security vulnerability extends beyond traditional CVEs when dealing with LLMs. Models can contain malicious code or file formats. Hugging Face Hub has mitigated this by providing 

Cloudsmith captures this crucial upstream security data and exposes it to EPM. This allows you to write a policy that enforces a zero-tolerance stance on models flagged as unsafe by any of the integrated scanners.

After the policy has been created, associate an 

If a package matches the policy, you can use the decision logs to view the detailed results of the security scan for the package. The 

 will contain the full output of each scanner from Hugging Face.

Hugging Face models and datasets come with 

) for LLMs. It provides essential metadata about the model’s intended use, limitations, and, critically, its training data provenance. To confirm, Model Cards are metadata created by the publisher of a model itself to provide better documentation and transparency about the characteristics of the model. Cloudsmith is able to parse this information and expose it to EPM so you can write policies with this data.

Model Cards currently come in two forms.
One for 

As an example, Hugging Face publishes a language model called 

 section encoded in YAML that states the model was trained on the dataset 

. Perhaps you wish to block models that use this training set.

Imagine an organisation needs to block any model trained using the 

 dataset due to licensing or compliance concerns. The below 

) type to look for that specific training set reference and quarantines the package if a match is found.

In short, this EPM policy example prohibits the use of 

 because its Model Card metadata references a prohibited training dataset.

Mitigating serialisation attacks by blocking risky file formats

This is arguably the most critical security policy for LLM adoption. Many of the file formats used by models and datasets suffer from serialisation attacks. For example, 

 is a popular file format used in Hugging Face models that has well-known exploits. Further, some formats, such as Keras can be securely deserialised but can come with embedded code extensions (eg: 

) that allow for arbitrary code execution. Alternative, safer model file-formats have been developed, such as 

 that do not suffer from these attacks. For background on these attack vectors 

 policy will match models coming from Hugging Face Hub that contain risky formats, such as pickle-based formats or other files such as 

 h5 models. After the policy has been created, associate an 

 necessitates a robust approach to software artifact governance. By combining EPM with the rich metadata of the Hugging Face ecosystem, engineering, security, and operations teams can implement fine-grained, automated, and declarative policies (via Rego) to secure the AI supply chain. This integration ensures that only trusted, compliant, and safe models reach production.

To start building your EPM policies in Cloudsmith, explore our easy-to-follow 

, which provides relevant copy-and-paste code snippets for policy-as-code design. Alternatively, we provide a bunch of other useful 

 for understanding the state of modern software artifact security.

Extend EPM policies to Hugging Face artifacts

The rise of software supply chain attacks isn’t slowing down. While many developers are familiar with typosquatting, a new, AI-driven threat has emerged: slopsquatting (also known as "phantom dependencies"). Last week, Cloudsmith hosted a webinar unpacking the mechanics of these attacks, their real-world impact, and the practical ways engineering teams can defend their development pipelines.

If you missed the live webinar, don’t worry; here’s a recap of the biggest insights, examples of attacks, and expert perspectives shared by our speakers, 

Nigel Douglas (Head of Developer Relations)

What is causing the increased threat from Typosquatting?

Typosquatting has been around for years, but attacks are now increasing rapidly thanks to:

developers relying more on autogenerated code

the ease of publishing look-alike packages in public repositories

As Claire Speedy (Senior Growth Marketing Manager) framed it during the opening:

“These threats are everywhere. If you're shipping software, you can’t afford to ignore them.”

This session explored not just how these attacks occur, but how open-source data sources, security tooling, and artifact management workflows can be used to stop them before they ever reach production.

Understanding typosquatting and slopsquatting attacks

Typosquatting is a cyberattack where malicious actors register package names that are slight misspellings or variations of legitimate ones. The goal is to trick users into installing a deceptive, malicious package.

Visual lookalikes (Character Swaps, misspellings, or reordering):

Attackers register names that look nearly identical to popular packages, relying on cognitive shortcuts. Users,and increasingly AI agents, glance at the text and "autocorrect" the error in their minds.

 Swapping characters, omitting letters, or using "homoglyphs" (characters that look alike).

matplotltib (pretending to be Python's matplotlib)

reqeust (classic persistence, still actively blocked daily)

Soundsquatting (Sound-alike or pronunciation-based variants)

This tactic targets developers who learn package names verbally (e.g., from podcasts, team calls, or YouTube tutorials) or use voice-to-text tools. The package name is spelled differently but sounds identical to the legitimate one.

 Using homophones (words that sound the same) to bypass mental spelling checks.

colors vs colours (exploiting regional spelling differences)

snyk vs snick (phonetic variations of branded tools)

Instead of misspelling a name, attackers append "trust signals" -words like "-official", "-security", or "-plugin" to a legitimate brand name. This tricks developers (and AI models) into believing the package is an official extension of a trusted library.

lodash-js or lodash-plugin (mimicking extensions to lodash)

discord-dev (mimicking official Discord developer tools)

noblox.js-proxy (mimicking the popular noblox.js wrapper)

2. Real-world example: A typosquatted PyPI package

Nigel demonstrated a live example using the OSV (Open Source Vulnerabilities) API, querying a malicious PyPI package called 

, a near-match for the legitimate requests library.

“A typosquat on a popular package… delivering a crypto-miner payload.”

Even if PyPI removes the malicious package hours later, it might still be cached in an internal artifact store or build environment, making retrospective scanning essential.

3. Why this problem exists: The “Wild West” of package ecosystems

Public upstreams like PyPI, npm, and crates.io are intentionally open and permissive - great for innovation, but also beneficial for attackers.New packages are uploaded daily. Manual vetting is almost impossible. That allows malicious typo-squatted packages to accumulate downloads before maintainers can detect and disable them.

Example: a typo-squatted npm package that sat unnoticed for 

 and still collected hundreds of downloads.This is exactly why organizations need to pull dependencies into a controlled platform like 

 instead of sourcing them directly from public registries; it provides an opportunity to scan, quarantine, and validate packages before they reach your developers or pipelines.

4. Introduction to Slopsquatting: The new AI threat

Slopsquatting is the modern evolution of this threat, driven by Generative AI. It occurs when Large Language Models (LLMs) hallucinate plausible-sounding package names that don't actually exist.

Attackers scan these LLM outputs to find "phantom dependencies" - packages that ChatGPT or Copilot 

 exist but don’t. The attackers then register these names on public registries like npm or PyPI.

"AI tools hallucinate nonexistent packages. Attackers register them. Developers copy-paste the code and accidentally install them. It’s a perfect exploitation chain."

 - Liana Ertz, Product Manager at Cloudsmith

Recent research (AI Incident Database) indicates that 

of hallucinated package names in Python and npm were converted into actual malicious uploads in 2023.

In 2024, hallucination rates for package names still range from 

5. Developer behaviour is increasing the risk

Many developers said the majority of their code is AI-generated, and much of it is pushed to production with fewer peer reviews than ever before.

Nigel described this pattern as - he rise of vibe-coding, generating code, trusting it, and shipping it without the right checks. Combined with slopsquatting, this creates a perfect storm for open-source malware infiltration.

6. How Cloudsmith helps detect & block malicious packages

Today, Cloudsmith integrates directly with the OSV data feed to automatically:

Enrich packages with vulnerability & malware context

Provide package insights, provenance, and trust signals

Nigel demonstrated Cloudsmith’s policy engine in action:

A malicious package was uploaded → OPA policy detected OSV’s MAL- identifier → the package was 

This happens before it reaches your developers or build systems.

Liana also shared what’s coming next:We're ingesting more provenance metadata, publish dates, download activity, maintainers, to help identify high-risk packages early. We're also exploring MCP and upstream trust features to prevent dependency confusion.”

 AI hallucinations are creating "phantom dependencies" that attackers are actively exploiting.

 It's no longer just about misspellings; it's about confusing the developer 

 You cannot manually vet every npm or PyPI package. You need policy engines that block bad artifacts at the door.

 By ensuring only trusted, verifiable artifacts reach your pipeline, you neutralize the risk of "vibe-coding" errors.

If you couldn’t join the live session, here are the highlights you missed:

Real demonstrations of malicious PyPI packages

Examples of AI hallucinating dangerous package names

Research on developer behavior and AI reliance

A walkthrough of Cloudsmith’s quarantine + policy engine

Q&A covering provenance, signatures, SLSA, and more

Slopsquatting and Typosquatting: How to Detect AI-Hallucinated Malicious Packages

In recent years, the software supply chain has become a prime target for attackers. From dependency vulnerabilities to third-party risks in DevOps, organizations face mounting challenges to keep their software secure and uncompromised. Traditional security models no longer hold up. Adversaries are exploiting every stage of the pipeline, from code through deployment.

This is why the role that DevOps teams play in security has become more significant than ever. Speed and agility are no longer the only concerns for DevOps; it is now resilience and trust with risk management. Organizations can keep ahead of threats by ensuring that security is incorporated in all stages of the development and delivery lifecycle, and minimize their exposure to software supply chain threats.

The guide gives a simple, high-level overview of how supply chain security in DevOps operates, challenges that organizations face, and what strategies organizations can adopt to reduce risks. This complete guide comes with a 101 explanation of how DevOps enhances security in your organization.

A software supply chain risk is any weakness, vulnerability, or exposure that gets into your system via the components, tools, and processes of building and delivering software. Since modern applications are dependent on countless third-party libraries, external services, and automated pipelines, organizations face the risks associated therewith.

The majority of applications rely on open-source libraries and frameworks. In case such dependencies have unpatched vulnerabilities, attackers would use them for access.

Vendors, contractors, and external integrations can accidentally place insecure code, improper configurations, or malicious programs into the environment.

Build and deployment pipelines are prime targets. Once attackers gain access, they can insert malicious code or modify software before it goes into production.

Packages, binaries, and containers available in repositories can be abused in case they are not secured and validated correctly. It can lead to the distribution of poisoned releases to the customers.

Attackers can intentionally introduce malicious code into dependencies or update streams to attack software integrity.

Risk may be deliberately or accidentally brought in by employees or contractors who have high access. They have the ability to bypass the controls or have sensitive information mismanaged.

Lack of visibility into licensing, provenance, and security standards elevates risk to legal and operational risks.

In the absence of vulnerabilities, real-time monitoring and suspicious activities can be identified only after they have been exploited.

Why DevOps plays a key role in supply chain security

The old model of software security, which implements verification at the end of software development, is no longer able to cope with the current threat environment. Modern software is developed and deployed in a continuous manner with the help of code contributed by multiple developers, open-source ecosystems, and cloud-native infrastructures. Such an interconnected environment needs a new model of security that keeps up with the same development pace. 

This is where DevOps comes in. By inserting security directly in the delivery pipeline and development, organizations can detect and remove threats prior to production. Security in DevOps supply chains guarantees trust and integrity throughout the lifecycle, including source code to deployment.

Here are the key reasons why DevOps is essential for securing the software supply chain:

The greatest myth about security is that it slows down development. As a matter of fact, DevOps enables an organization to integrate security into its current work processes, which helps teams develop quickly and remain secure. Automated vulnerability scanning, policy enforcement, and patching can ensure that faster releases do not produce new risks.

Manual security checks are subject to supervision. Using DevOps, organizations can make security controls, such as dependency scanning or artifact validation. This does not only minimizes errors but also offers continuous safeguarding against threats that arise in real-time.

DevOps focuses on transparency. Teams obtain end-to-end visibility of the entire pipeline, from the source of dependencies to the integrity of artifacts in repositories. This visibility helps detect suspicious changes early, supporting continuous security monitoring across the lifecycle.

Regulatory demands are becoming increasingly complex, and hence, compliance cannot be an afterthought. DevOps permits DevOps governance and compliance frameworks, in which licensing, data protection, and security standard checks are incorporated in the delivery pipeline. This minimizes the chances of penalties that follow non-compliance and promotes accountability.

Traditional models discover risks too late, often after deployment. DevOps makes sure that vulnerabilities (for example, dependency vulnerabilities and misconfigurations) are identified during development or build stages. This risk management approach of DevOps avoids expensive remedies and minimizes the exposure.

Now, security is no longer the responsibility of an individual team. DevOps is based on the principle of a shared responsibility model in which developers, security experts, and operations teams collaborate. This partnership will make sure that DevOps security best practices are implemented in all workflows.

 offers an opportunity to change the paradigm of reactive defence and move to proactive prevention by combining speed, automation, and governance. The outcome is a secure software delivery lifecycle that shields both organizations and customers against supply chain threats.

What role does artifact management play in software supply chain risk?

Artifact management is a core pillar of DevOps supply chain security because it ensures that every software component—packages, binaries, containers, dependencies, and metadata—is stored, tracked, and delivered securely. A secure 

Cloudsmith Blog

How Artifact Management Enables S2C2F Maturity

The 8 core principles of S2C2F

Cloudsmith 2025: By the Numbers

Secure containers by default with Cloudsmith and Docker Hardened Images

Eliminating ambiguity: The case for explicit Docker image paths

Understanding S2C2F: How it strengthens OSS security

How Artifact Management Enables S2C2F Maturity

The 8 core principles of S2C2F

Access Control & Permissions for Multi-Format Repositories

What is Software Supply Chain Integrity?

Extend EPM policies to Hugging Face artifacts

Slopsquatting and Typosquatting: How to Detect AI-Hallucinated Malicious Packages

The DevOps Guide to Mitigating Software Supply Chain Risks

Shai-Hulud: The Second Coming - What You Need to Know and Do Now

Kubernetes 1.35 – What you need to know