By submitting this form, you agree to our 

As Generative AI (GenAI) reshapes the software development landscape, the risks and complexities around managing what gets built, where it comes from, and how it’s secured are growing just as fast. The 

Cloudsmith 2025 Artifact Management Report

 dives into this shift, offering critical insights into how teams are adapting their infrastructure and software supply chain security practices in response to the AI-generated code.

42% of developers using AI report that at least half of their codebase is now generated by AI tools

. Where in 2024 this might have been considered a theoretical shift, in 2025 we need to accept that this is not a practical reality reshaping how software is written. AI isn't just a helper on the sidelines; it’s actively contributing to the core of modern applications and transforming the day-to-day workflow of developers. While the rapid rise of GenAI is often seen as a leap forward in productivity and innovation, it also introduces new security risks and software supply chain vulnerabilities that can’t be ignored.

Attackers Are Targeting the Software Supply Chain

Adversaries are increasingly shifting their focus from traditional infrastructure attacks to targeting the software supply chain itself. Rather than breaching networks directly, they’re infiltrating the ecosystem through techniques like 

 (the creation of malicious packages with names deliberately designed to mimic legitimate ones).

These deceptive packages are easy to overlook, especially in fast-paced development environments. Developers, often under tight deadlines and relying heavily on AI-assisted tooling to manage dependencies, may unknowingly pull in these malicious components without thorough vetting. The result is a stealthy but highly effective method for attackers to introduce vulnerabilities directly into production code.

AI and automation: a double-edged innovation

Survey respondents anticipate that GenAI-driven automation will bring both benefits and complications, which should accelerate development workflows while also straining infrastructure with unpredictable behaviors and dependency complexities. Tools like 

 promise greater speed and efficiency in coding, but they also raise new red flags for security teams. As automation becomes more deeply embedded in the development process, the potential for AI-generated code to introduce unknown risks or unstable dependencies grows, which challenges the long-held assumptions about trust and reliability in the software pipeline.

These concerns are further amplified by the widespread adoption of Large Language Model (LLM)-based technologies. While LLMs can significantly boost developer productivity, they also pose new threats (such as recommending non-existent or harmful packages). When asked whether AI would worsen open-source 

 risks like typosquatting or dependency confusion, nearly 

a third warning of a significant rise in exposure

These evolving development patterns are expanding an already vulnerable software supply chain. Without rigorous artifact validation and integrity checks, developers face growing risks - not just from external attackers, but also from the very tools designed to help software development teams move faster.

To address these emerging threats, modern artifact management solutions must embed intelligent access controls and offer end-to-end visibility into artifact provenance. With dynamic access control policies, organizations can ensure only authorized users and processes can interact with sensitive assets, reducing the likelihood of unauthorized changes or malware insertion. Coupled with robust policy-as-code frameworks, enterprises can establish and enforce security protocols that adapt as threats evolve, especially in environments where AI-generated code is becoming commonplace.

Where in the SDLC are AI-generated risks coming from?

While the speed and efficiency benefits of using AI in software development are clear, the oversight is not.

Only 67% of developers surveyed review AI-generated code before every deployment

, leaving large portions of production code potentially unvetted. This is quickly becoming a growing vulnerability in the software supply chain. This behaviour, driven by a desire to move faster, is dramatically expanding the attack surface. AI isn’t just introducing new code, it’s also introducing new risks, often at scale. Traditional concerns like artifact integrity, dependency management, and 

 (Software Bill of Materials) are being compounded by AI’s ability to rapidly consume and reuse unknown or untrusted code.

41% of respondents identified code generation as the riskiest point of AI influence

, yet practices around review and trust remain inconsistent:

66% said they only trust AI-generated code after manual review.

Just 20% fully trust AI output without extra scrutiny.

59% apply additional reviews to AI-generated packages, but only 16% treat them like any other package, without further checks.

The Need for Secure Artifact Management in the AI Era

This uneven approach is happening against a backdrop of expanding AI usage: alarmingly, 

86% of organizations have seen more AI-influenced dependencies in the last year, with 40% seeing a significant increase

29% of teams feel very confident in their ability to detect malicious code in open-source libraries

, which is the very ecosystem where AI tooling tends to source its suggestions. The threats, according to those surveyed, range from sensitive data leakage to the inclusion of compromised dependencies. These risks are amplified when developers blindly trust AI-generated code or package suggestions without security oversight.

These findings point to a critical inflection point. AI is becoming a core contributor to the software stack, but we haven’t fully adapted our trust models, tooling, or policies to match this new reality. Relying on developers to manually spot every risk (especially under time pressure) is not sustainable.

What’s needed is a secure checkpoint for AI-assisted development:

Automatically-enforced policies to catch unreviewed or untrusted AI-generated artifacts.

Artifact provenance tracking to distinguish between human-authored and AI-authored code.

Integration of trust signals directly into the development pipeline, so that reviews become automatic rather than an optional decision.

Download the 2025 Cloudsmith Artifact Management report

Explore the latest trends, insights, and best practices for securing your software supply chain and managing AI-generated code responsibly.

2025 Cloudsmith Artifact Management Report

From AI to Scalability: 2025 Trends in Artifact Management

Nigel Douglas

Head of Developer Relations

2025 Artifact Management Report

AI is now writing code at scale - but who’s checking it?

Researchers at Trend Micro have uncovered a critical unauthenticated remote code execution (RCE) vulnerability [

. Langflow is a Python-based visual framework for building AI applications and boasts over 70,000 stars on GitHub and over 21,000 global weekly downloads from the public PyPI upstream.

Versions released before 1.3.0 contain a serious flaw in the code validation logic, which allows arbitrary code execution. Unauthenticated attackers can exploit this vulnerability by sending specially crafted POST requests to the 

Malicious payloads were found embedded within argument defaults and decorators of Python function definitions. Because Langflow lacks proper input validation and sandboxing in its code evaluation process, these payloads are compiled and executed directly within the server’s context, which results in full remote code execution.

On May 5, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-3248 to its 

 (KEV) catalog, indicating confirmed exploitation in the wild.

How to Quarantine Affected Langflow Packages using Cloudsmith EPM

 (EPM) is an OPA-based engine which enables quarantining of high-risk packages before developers create a dependency on them, and before they reach production environments. The Gist below includes a generic 

. This policy will detect vulnerable versions of Langflow, which have a 

Langflow includes numerous dependencies (such as 

) which can significantly increase download times due to dependency resolution. For the purpose of this demo, we only need the raw package for scanning, so I used the -

 flag to avoid downloading unnecessary dependencies.

The package was pushed to Cloudsmith with a custom tag referencing 

. Note that it was synchronized and automatically quarantined based on the EPM policy we put in place.

In the Cloudsmith UI, you can see that the 

 (containing the known vulnerability) was successfully quarantined right after it synced. Alongside the automatically generated SBOM, the package also has an additional 

 tag applied by the EPM policy, indicating that it was quarantined due to a security policy violation.

By clicking into the identified vulnerability in the Cloudsmith UI, we can confirm that it correctly maps to CVE-2025-3248: a code injection flaw exploitable via the 

If you’re already using centralized artifact management, then you’ll already know that versions of Langchain prior to 1.3.0 are vulnerable and therefore should not be used. According to Trend Micro, the attackers in this scenario likely initiated the attack by first gathering a list of IP

 addresses and ports of publicly exposed Langflow servers, potentially using tools like 

 to detect publicly exposed Langflow servers by targeting typical indicators in configuration files, environment files, and code snippets. Langflow is typically launch

ed via FastAPI and Gradio, often bound to a public IP like 0.0.0.0 with a known port like 7860 or 8501.

This should return public Github configurations for Langflow or related servers listening on public interfaces and also Gradio apps being served publicly (which is fairly common in Langflow setups).

 to gain remote shell access to vulnerable systems. Once inside, they run various bash commands to gather system information and send the results to a command-and-control (C2) server.

Next, the attacker installs and runs the Flodrix Botnet on the compromised system. After connecting to the C2 server, the botnet can receive commands over TCP to launch distributed denial-of-service (DDoS) attacks. If the malware doesn’t receive the correct input, it deletes itself.

 endpoint, which is meant to validate Python code. This endpoint lacks proper authentication and executes user-submitted code using Python's 

, compile(), and exec() functions. Attackers can craft malicious code that gets executed on the server when submitted, allowing them to remotely execute code without needing to log in.

CVE-2025-3248 highlights the power of auditing and securing everything that comes from public upstreams. When you use 

, Cloudsmith fetches and caches open source packages (e.g. most dependencies), while you can also upload and use the packages you own to your artifact management repository. This is how customers use Cloudsmith as a first-class cache and a central source of truth for packages, to insulate their development teams from issues that would arise by downloading directly from public indexes like PyPI.

CVE-2025-3248: Serious vulnerability found in popular Python AI package

Insecure system configuration is a textbook example of how neglected settings can create an entry point for attackers targeting your CI/CD pipelines. It’s rarely the cutting-edge zero-day that causes a breach. More often, it’s the unpatched service, the overly permissive role, or the default password that was never changed.

While this risk overlaps with CI/CD credential hygiene (covered in 

 of our OWASP CI/CD series), the focus here is much broader. This blog post addresses the overall hardening of systems across your pipeline. Yes, weak or default credentials may be part of the problem, but they’re just one symptom of a larger issue in misconfigured systems that were never designed with security in mind.

Why Insecure System Configuration is a Top CI/CD Security Risk

At Cloudsmith, we think about this risk constantly. Configuration is the foundation of your security posture. And when you’re managing artifacts (arguably the most sensitive assets in your software supply chain) you need absolute confidence in the integrity and security of every system that touches them.

The problem with “Insecure by Default” in CI/CD Pipelines

Continuous Integration and Continuous Delivery (CI/CD) stacks are a composite of systems, some SaaS, others self-hosted, and often from different vendors and with distinct security models. Each layer (application, network, and infrastructure) contributes its own configuration surface area. Misconfigure any piece, and the entire chain inherits the weakness.

Examples of these common CI/CD misconfigurations:

Outdated Jenkins or GitLab runners with known vulnerabilities. For 

, in GitLab, managing a large fleet of runners at the group level can make it difficult to track which ones are out of date. Runners that aren’t upgraded regularly may miss critical security patches, leaving your pipeline infrastructure exposed.

Artifact repositories exposing ports or APIs publicly. For 

, you could query for Terraform or IaC exposing artifact repo via an open port. By running a modified version of the 

 query below, adversaries could find Terraform (

) or similar configs where artifact systems are binding to all interfaces or exposed ports:

 in any environment, not even in staging, and especially not when those credentials are publicly accessible. Staging environments should be secured to the same standards as production.

Pipeline agents being afforded full OS access with persistent credentials in memory. Reference the 

 for best practices around minimizing the time window where a secret is in memory and limiting access to its memory space.

Poor logging setups, leaving no audit trail when something does go wrong. We’ll talk about this in greater detail in 

, use an admin interface or automated job to exfiltrate secrets using encryption or 

 encoding. In this way, we should be logging every action within our CI/CD system.

Cloudsmith’s perspective on “Secure by Design”

As a fully managed, cloud-native artifact management platform, Cloudsmith is built around secure configuration by default. Here’s how our approach mitigates the types of risks outlined in 

Immutable infrastructure with managed updates:


Self-hosted repositories and build systems often lag on patching due to upgrade complexity. Cloudsmith removes that burden. As a SaaS platform, patches and security fixes are applied continuously behind the scenes. No action is required by customers, and no outdated binaries are exposed.



CI/CD misconfigurations often stem from over-broad permissions. In Cloudsmith:

 scopes and lifetimes with surgical precision.

 for users and teams to help ensure least privilege at the org, repo, and user level.

Artifact access is always protected by HTTP/S with authentication to prevent users from anonymously accessing public artifact repositories. Go a step further by enforcing 


Misconfigured systems often rely on insecure defaults. Cloudsmith’s default posture includes:

 and require authentication for access. Users can choose between entitlement token authentication or HTTP Basic Authentication for accessing these private repositories.

Cloudsmith doesn't have default username and password credentials for API access. Instead, 

 command or by accessing their user settings. For SAML SSO users, the 

, eliminating the need to retrieve API keys from the web application.

 and automated IP reputation filtering. Unless specified otherwise, all requests to the API are rate limited to prevent abuse, accidental or otherwise.

These defaults matter, especially when systems are being provisioned and connected to CI tools automatically.



Finally, you can’t secure what you can’t see. Cloudsmith's 

 track every action (upload, download, token use, deletion) with full audit trails and webhook integrations. This makes it significantly easier to trace incidents, validate configurations, and enforce compliance.

Whether you’re using Cloudsmith or managing your own stack, here are 

Secure Your CI/CD Pipelines With Cloudsmith

At Cloudsmith, we strongly believe artifact management is about 

. And secure configuration is where that trust begins.

If you’re looking to harden your pipeline end-to-end, don’t feel like the job is done after scanning your code. Scan your infrastructure. Review your configs. And if you’re managing your artifacts, consider doing it somewhere that’s 

If you found this content helpful and want to dive deeper into securing your CI/CD pipelines, beyond credential hygiene best practices, be sure to check out our free Cloudsmith eBook on the OWASP Top 10 for CI/CD security risks - 

OWASP CI/CD

OWASP CI/CD Part 7: Insecure System Configuration

 series, looks at some of the common risks associated with Insufficient Credential Hygiene. By better understanding the flaws that affect credential hygiene, we can better understand how even the most sophisticated pipelines were compromised.

CI/CD systems rely heavily on credentials (application secrets, tokens, deploy keys, and more) to operate. These 

 move between services, repositories, environments, and human actors, creating a complex web of access points.

they become prime targets for attackers. Once compromised, these secrets offer 

nities to adversaries with the intention of directly accessing your code, infrastructure, and data.

Secrets live in many places: code repositories, CI/CD configuration files, container images, build logs, and even in the runtime environment. They're used by humans, machines, and processes across different trust boundaries - each with their own associated requirements and risks.

Unlike a centralized authentication system, secrets management is often distributed, ad hoc, and invisible until breached.

Here are some of the most pervasive and dangerous practices seen in real-world CI/CD environments.:

 are a time bomb. Even if deleted from the latest branch, they remain visible in the commit history to anyone with access.


Overly-permissive credentials in pipelines


CI/CD pipelines often use credentials to access source code, artifact repositories, cloud resources, and production systems. Without 

 (which limits what actions credentials can perform and what resources they can access) and 

 (which grant access only under specific conditions like IP Address, time of day, or workload identity) these credentials can become open doors for unauthorized access.

Ask yourself:
- Does each pipeline only access the secrets it needs?
- Are secrets scoped to specific environments or job steps?
- Can unreviewed code access production secrets?

Where possible, organizations should enforce the 

Secrets embedded in container image layers

 (such as API tokens or SSH keys) can inadvertently remain in 

. Anyone with access to the image can retrieve them, even if they’re not meant to persist beyond the build.


 during a build, becomes a liability. Logs may be stored indefinitely, aggregated into third-party observability platforms, or exposed through dashboards.



Static credentials that never expire are dangerous - especially in environments with high personnel turnover or external contractors. Without regular rotation, credentials accumulate risk with every day they remain active. 

 is a production best-practice that ensures credentials are short-lived.

Real-world breaches caused by poor credential hygiene

 where secure environment variables (type of secrets) were exposed during builds triggered by pull requests to public repositories. Even though secrets were encrypted in storage, they were made accessible during build execution, potentially leaving them susceptible to compromise by anonymous users issuing pull requests against public repositories.

While the Travis CI team quickly patched the issue, it highlighted how even secure systems can leak secrets when trust boundaries are not well-defined. In this scenario, Travis CI has strongly recommended that both Public and Private Repository customers rotate their secrets on a regular basis

If possible, users affected in these scenarios should set expiration dates on those tokens or rotate their secrets regularly; this reduces the risk of old secrets being exploited.

Uber wasn't so fortunate. They experienced two major breaches tied to credential mismanagement. These breaches, detailed in the 

When credentials leak, attackers don’t break in - they log in.

In both breaches, no sophisticated exploitation was needed, just access to secrets that had been mishandled and left vulnerable.


In May 2014, attackers discovered an AWS access key that was accidentally committed to a public GitHub repository. The key granted full administrative access to Uber’s Amazon S3 datastore. As a result, the intruder accessed sensitive personal data of over 100,000 drivers, including:

Unencrypted names and driver’s license numbers

Uber didn’t detect the breach until September 2014 (four months later) and continued uncovering additional impacted users well into 2016.

The 2016 Breach: A private repo with public impact


In a second incident between October and November 2016, attackers gained access to Uber’s private GitHub repositories. This time, the intrusion was facilitated by a combination of weak security controls:

Credential reuse by engineers across personal and professional accounts

Lack of multi-factor authentication (MFA)

No policies to prevent leaked or reused passwords

Attackers used compromised credentials (previously exposed in unrelated breaches) to access Uber’s GitHub repositories, where they found yet another AWS access key. This key unlocked Uber’s S3 storage once again - leading to the theft of:

Most of this data was stored in unencrypted backup files collected prior to 2015.

Recommendations for sufficient credential hygiene in CI/CD

To mitigate these risks, organizations must adopt a proactive and layered approach to secrets management:

Continuous inventory where credentials are stored and used (across code, pipelines, and infrastructure).

Classify & Tag secrets by sensitivity and exposure risk.

2) Classify secrets by sensitivity and exposure risk

Scope each secret to the narrowest possible use case (per pipeline, environment, or job).

Avoid shared credentials across teams or systems.

Use short-lived, automatically rotated credentials (such as IAM roles, OIDC tokens, Kubernetes Secrets).

For static secrets, enforce periodic rotation and audit stale secrets.

Bind secret usage to specific IPs, services, or identities.

Block secrets from being used outside of intended pipelines or systems.

Use tools like Git hooks, IDE plugins, and secret scanners to catch leaks before they hit the repository.

Periodically scan historical commits for exposed secrets.

Configure pipeline tools to redact or prevent printing sensitive data.

Inspect container images, binaries, and Helm charts for embedded secrets before deployment.

Use dependency mapping to identify and visualize all software dependencies within your applications, such as a Docker image within a Helm chart that may contain sensitive credentials.

If you found this content helpful and want to dive deeper into securing your CI/CD pipelines, beyond credential hygiene best practices, be sure to check out our free Cloudsmith eBook on the OWASP Top 10 for CI/CD systems - 

OWASP CI/CD Part 6: Insufficient Credential Hygiene

This blog contains the takeaways from our webinar "State of the Union: Modern security approaches for the Software Supply Chain." Watch the full discussion 

. Key topics include how to secure your CI/CD pipeline and software artifacts using SBOMs, Docker Hardened Images, and artifact lifecycle best practices.

Software supply chain attacks are on the rise, prompting a critical shift in how we secure modern software. Recent incidents like SolarWinds, XZ Utils, and Log4Shell underscore the urgent need for stronger security measures beyond just protecting production systems. Attackers are now targeting earlier stages of the supply chain, particularly build pipelines, impacting software integrity before it even reaches deployment.

State of the Union: Modern security approaches for the Software Supply Chain

 we brought together industry experts to tackle these challenges head-on. Michael Donovan, VP of Product at Docker, Ralph McTeggart, Principal Engineer at Cloudsmith, and Jack Gibson, Senior Software Engineer at Cloudsmith, shared their insights on how leading teams can defend themselves. During the session, they explored the evolving threat landscape, outlined a secure artifact lifecycle, and discussed strategies such as SBOMs to inject visibility, provenance, and trust into workflows without creating developer friction. While the focus was on container images, the principles discussed were equally applicable to other formats.

Rethinking Software Supply Chain Security

Software supply chain attacks have grown dramatically in both frequency and impact, prompting a fundamental shift in how software is secured. Incidents like SolarWinds, the XZ Utils backdoor attempt, and Log4Shell illustrate a sobering truth: attackers are now aiming upstream. Rather than targeting production systems directly, modern threats exploit vulnerabilities during the software build and integration phases, where visibility and control are often weakest.

As this attack surface expands, it’s no longer enough to harden runtime environments or secure production endpoints. The entire artifact lifecycle - from development to deployment - must be secured. This shift has led organizations to reassess their tooling, processes, and practices around software composition, packaging, and distribution.

The Shift in Emphasis on Software Supply Chain Security

The strategic focus of software security has moved upstream. Major breaches have shown how attackers exploit weaknesses in CI/CD pipelines, source code repositories, and registry infrastructure, areas traditionally outside the purview of security teams.

Events like the SolarWinds compromise in 2020, which leveraged a poisoned build system, or the 2024 XZ Utils incident, where malicious code was inserted by a fake maintainer, underscore how early-stage compromises can lead to widespread downstream impacts. Similarly, Log4Shell revealed the global exposure caused by a single vulnerable dependency, forcing organizations to redirect substantial resources just to locate and patch affected systems.

In response, governments and regulatory bodies have escalated their focus on software supply chain security (SSCS). Executive directives, such as the U.S. Cybersecurity Executive Order, FedRAMP requirements, the EU’s NIS2 directive, and the forthcoming Cyber Resilience Act, demand secure development practices, transparent artifact composition, and provable software provenance.

As attacks increasingly originate at the source, securing the artifact lifecycle is now a foundational requirement - not a future goal.

Modern software development is built around composability and speed. Applications today rely heavily on third-party libraries and frameworks, with open-source components making up as much as 75% or more of a typical codebase. The prevalence of transitive dependencies - indirect libraries brought in through direct ones - adds complexity and opacity to risk assessment.

At the same time, the efficiency of CI/CD pipelines can leave little room for traditional gatekeeping. Code is integrated, tested, and deployed rapidly, often using packages pulled directly from public registries with minimal verification. Unsigned artifacts, missing provenance data, and outdated registry configurations persist across many organizations.

This environment creates ideal conditions for silent, hard-to-detect supply chain threats. In response, software teams must move toward practices that ensure transparency, verification, and control at every phase of the build and release cycle.

Using SBOMs and Establishing Provenance

A foundational step in securing the software supply chain is understanding exactly what is being built and shipped. This is where three elements play a critical role:

SBOMs (Software Bills of Materials): These list all components within a software artifact - names, versions, authors, licenses, and dependency relationships. Tools such as Syft and Trivy support SBOM generation in SPDX and CycloneDX formats. Docker supports SBOMs natively through the docker sbom command. Cloudsmith accepts external SBOM uploads or can auto-generate CycloneDX SBOMs for container images, exposing them via API for automation and policy enforcement.

Digital Signatures: A signature confirms that an artifact originated from a known and trusted source. Tools like Cosign allow developers to sign and verify containers. Signed images enable downstream consumers to confirm authenticity before deployment.

Provenance: Provenance data describes the origin of a build, including input sources, build parameters, and environments. Docker Buildx supports automated provenance generation using the --provenance flag, capturing crucial metadata such as build arguments and platforms.

Together, these elements create an auditable trail of software origin and composition. In regulatory contexts, SBOMs are now a standard requirement. But beyond compliance, they provide security teams with the ability to trace vulnerabilities to specific packages, drastically reducing remediation time and effort. Cloudsmith’s Enterprise Policy Management (EPM) leverages SBOM metadata for automated policy actions, such as quarantining risky images or enforcing license compliance based on live dependency data

Tightening Security with Docker Hardened Images

As organizations grapple with securing sprawling software pipelines, Docker Hardened Images (DHIs) offer a straightforward way to integrate trusted, verifiable container artifacts into modern workflows, without slowing down development.

Available on Docker Hub, DHIs are a curated set of container images designed to minimize vulnerabilities out of the box. They are built with a smaller attack surface, and include a full suite of embedded security metadata by default. This makes them ideal for teams looking to adopt zero-trust practices without adding complexity or friction.

VEX (Vulnerability Exploitability eXchange) metadata

Cloudsmith Blog

AI is now writing code at scale - but who’s checking it?

CVE-2025-3248: Serious vulnerability found in popular Python AI package

OWASP CI/CD Part 7: Insecure System Configuration

OWASP CI/CD Part 6: Insufficient Credential Hygiene

Docker Hardened Images & Cloudsmith: Modern Security for the Software Supply Chain

Secure Docker Image Pulls from Cloudsmith to Kubernetes using OIDC

OWASP CI/CD Part 5: Insufficient PBAC

Multiple Malicious Packages Discovered on PyPI, npm, and RubyGems

Open Container Initiative (OCI) Support in Cloudsmith

Responding to questions from our recent Helm security webinar

OWASP CI/CD Part 4: Poisoned Pipeline Execution (PPE)

Securing Containers at Scale: Docker Hardened Images + Cloudsmith