By submitting this form, you agree to our 

Explores AI-driven development, rising supply chain attacks, and new regulatory requirements.

2026 Artifact Management Report

On April 30, 2026, the Mini Shai-Hulud campaign moved beyond npm and into Packagist. Attackers replaced the contents of 

, Intercom's official PHP client, with over 20.7 million lifetime installs, with a credential-stealing payload that executed at install time, before any application code ever called the library. PHP teams, Laravel applications, and continuous integration (CI) pipelines that updated to that version may need to treat affected environments as compromised.

The attack exploited two properties of Packagist that most PHP developers have little reason to question.

Packagist versions are not immutable. The registry mirrors tags from upstream Git repositories, and those tags allow force-updates to point to a different commit. The attacker force-pushed a malicious commit behind the existing 

 tag, replacing a known-good release without changing its version number. Any developer or CI system that ran 

 after 20:53 UTC on April 30 received the compromised artifact, even with an explicit version pin.

 as a Composer plugin, subscribing it to the 

 hooks. Composer ran attacker-controlled code as a natural part of installation so it didn’t require an import. The plugin executed a shell script that downloaded Bun 1.3.13 from GitHub Releases and ran an 11.7 MB obfuscated JavaScript payload called 

 as a background daemon. A legitimate PHP SDK has no business doing any of that.

 harvests credentials broadly: GitHub CLI tokens, npm tokens, SSH private keys, cloud credentials across AWS, Azure, and Google Cloud Platform (GCP), Docker registry credentials, Kubernetes configuration, HashiCorp Vault tokens, and 

 files. It also queries cloud secret-management services directly, e.g., AWS Secrets Manager, Azure Key Vault, GCP Secret Manager, and Kubernetes Secrets.

The payload encrypts stolen data with AES-256-GCM before exfiltrating it to a hardcoded endpoint at 

. If that channel fails, it falls back to GitHub-based exfiltration using any GitHub credentials it has already harvested.

It also carries supply chain propagation logic. Stolen npm tokens let it republish modified packages with injected install-time scripts. It writes payload files into GitHub repositories using commit messages like 

, designed to disappear into normal developer workflows.

The Mini Shai-Hulud Packagist attack follows the same pattern as the 

: a trusted package, a payload injected silently at install time, and a detection window too narrow for teams pulling directly from public registries to rely on.

Cloudsmith sits between your teams and public registries, applying security controls before packages reach build environments or developer machines. Age-based (

) policies would have identified the compromised 

 artifact immediately on publication, blocking it from entering any build until it cleared a configured minimum age threshold. According to internal data, in 2025, 99% of malicious npm packages received official verification within 72 hours. A cooldown policy buys exactly that kind of margin.

Cloudsmith continuously ingests threat intelligence from OSV.dev and the OpenSSF Malicious Packages project. Continuous package enrichment matches cached packages to malicious identifiers. A positive match triggers security policies, which automatically take the prescribed action that users define, e.g., block, quarantine, tag, etc., without requiring manual triage. Routing all Composer requests through Cloudsmith as an upstream proxy also gives your team a full audit trail of which package versions entered your artifact store and when. These are the first questions you need to answer when scoping an incident like this.

If you want to understand how these controls apply to your current Packagist and Composer setup, 

Nigel Douglas

Head of Developer Relations

Jason Myers

Technical Content Marketer

Mini Shai-Hulud reaches Packagist: the intercom/intercom-php compromise explained

In the current landscape of software development, the primary threat to the supply chain isn’t necessarily a lack of information – it’s a lack of action. Our 

 reveals a growing "enforcement gap": the dangerous interval between identifying a vulnerability and successfully applying a security policy.

While organizations are getting better at generating security data, they are struggling to operationalize it. Visibility without automated enforcement is a front-row seat to disaster.

The manual audit trap: Visibility without velocity

 they are vulnerable, but they struggle to tell you 

 is affected. While our report shows that identification speeds are improving, legacy infrastructure and manual processes hamper teams’ ability to act on that information.

One of the first questions after discovering a malicious artifact may be: “Who downloaded this and where did it go?”

The answer for many teams is far from instantaneous. Our survey found that 

 find it difficult to identify exactly which users or systems have accessed a specific compromised artifact, often requiring manual deep-dives into logs and system data for answers.

This manual toil is more than an inconvenience; it is a security risk. In a world of automated, AI-driven attacks, relying on human-speed investigations is a losing strategy.

Fragmented scanning: The “CVE-only” blind spot

Another major challenge contributing to the enforcement gap is toolchain fragmentation. Many organizations treat different types of threats as separate problems, using separate tools that don't talk to each other.

Our data indicates that while CVE scanning is becoming standard, many organizations are still missing logic-based threats and malicious package injections. In fact, 

 have a fully automated process for verifying the chain of custody or cryptographic origin of their artifacts.

When your security stack is a patchwork of third-party scanners and manual spreadsheets, deny-by-default governance is impossible to maintain.

The 24-hour countdown: Why the CRA changes everything

The enforcement gap is no longer just a security concern, it’s becoming a legal liability. The 

 introduces strict reporting mandates for any company selling digital products in the EU. Reporting requirements for the CRA begin in September 2026.

The notification windows for CRA compliance are narrow, requiring an “early warning” within just 24 hours of discovering an active vulnerability. If your team relies on manual effort to quarantine and remediate threats, meeting these legal timelines becomes a statistical improbability. To remain compliant, organizations must move away from static, compliance-only SBOMs and toward real-time, automated gatekeeping.

Cloudsmith was built to eliminate the friction between identifying a threat and stopping it. By providing a unified, cloud-native control plane for all your artifacts, we help you transition from reactive remediation to proactive governance.

 Don't wait for a scan to finish to decide on a package. Cloudsmith lets you write policies that can automatically quarantine any new dependency at the point of ingestion, ensuring nothing reaches your developers until it clears your specific security hurdles.

 We consolidate CVE scanning, malicious package detection, and license compliance into a single source of truth. No more parsing server logs; you get granular audit trails that show exactly who, when, and where every artifact was accessed.

 Cloudsmith automates the verification of digital signatures and maintains a cryptographically secure chain of custody for every binary. This ensures that what you build is what you deploy.

The velocity of modern software development demands infrastructure that can scale security as fast as it scales code. By automating the enforcement of your security policies, you don't just close the gap; you build a more resilient foundation for everything your team creates.

Get all the data on software supply chain security.

This post highlights a few of the challenges facing modern DevOps and Security teams. Download the 

, which contains data and analysis on the state of software supply chain security.

Closing the enforcement gap: Why visibility isn’t enough for supply chain security

 have identified a new software supply chain attack on the 

”. A series of malicious packages are masquerading as a new AI coding agent called 

, the malicious package was reported minutes after being identified as containing a malicious payload on the 

 community did a great job in removing these suspicious packages from the registry so quickly, the 

 advisories weren’t able to classify these packages in time. But that’s okay, since they have successfully been removed and pose no threat right now.

OSM scanned the binaries, and the payload appears to be infostealers focused on cloud and AI credential harvesting across 

 storage. These payloads are adjusted for Windows and MacOS environments. A list of 

As always, if you’re a Cloudsmith user, you can apply age-based (

) policies to block newly published packages. In the case of the stardrop campaign, the malicious npm packages were all removed less than a day after the campaign began.

 is one of the most effective ways to stop this class of attack, giving security researchers (like our friends at OSM) time to identify the suspicious payload. In 2025, 

99% of malicious npm packages were identified and officially verified within 72 hours

, so implementing a simple cooldown policy significantly reduces this kind of attack vector.

Stardrop: New cross-industry npm campaign

Figuring out a scalable way to secure AI continues to be a significant challenge for businesses everywhere. According to our 

 use AI to accelerate their software development cycles. We are building faster than ever, yet the infrastructure supporting this speed was largely designed for a pre-AI world.

As AI agents dictate the pace of production, they are also expanding software attack surfaces. Security practices that worked at human speed are buckling. At Cloudsmith, we see this as a two-sided challenge: securing the code AI writes (the output) and securing the models AI uses (the input).

Here is how the landscape is shifting and how a cloud-native approach to artifact management can provide the control necessary to future-proof your development.

AI agents prioritize functional results over security provenance. When an AI suggests a block of code, it can pull in new dependencies. When you factor in transitive dependencies, the situation gets even more complex. Our survey data shows that 

 feel very confident in the security of AI-generated code.

The problem: Manual validation is scaling poorly

 manually validating the dependencies introduced by AI. This “operational tax” chips away at the speed gains promised by AI adoption. Furthermore, AI is prone to hallucinating packages, suggesting names that don't exist, which attackers then register in public repositories to facilitate “

The solution: Automated quarantine and policy guardrails

Cloudsmith addresses this by acting as a sophisticated gatekeeper between your AI agents and the public internet.

 Instead of developers or AI agents pulling directly from public registries, everything flows through Cloudsmith.

 You can define rules (using OPA/Rego) that govern what you allow into your environment and what to block.

 Create policies that automatically quarantine packages that meet specific criteria. When an AI agent calls for a new, unknown package, you can inspect quarantined packages before they reach your development environment.

While AI generates code at scale, the models themselves don’t get the same scrutiny that regular binaries receive. Companies frequently store AI models in ad-hoc silos like local drives or unmanaged cloud buckets, detached from the standard software development life cycle.

Our findings show significant fragmentation in how companies handle AI models. Only 

 unify their model management with their standard artifact workflows. Meanwhile, 

 only perform basic integrity checks (like checksums), leaving them vulnerable to model tampering or malicious weight injections.

The solution: Models as first-class artifacts

To future-proof your AI initiatives, you must treat models exactly like other artifacts, like container images or npm packages.

 By using tools like Cosign within Cloudsmith, you can 

 your models. This ensures that the model running in production hasn't been tampered with and originated from your trusted pipeline.

 Cloudsmith scans the metadata and layers of these artifacts, ensuring that your “inputs” are as secure as your “outputs.”

Future-proofing: Building for machine scale

 isn't a temporary trend; it’s a fundamental change in how we build software. Traditional artifact managers – often on-prem and slow to update – cannot provide the visibility required for this new development velocity.

Cloudsmith helps you move from a reactive “trust then verify” posture to an automated, proactive “verify then trust” one. By centralizing code, containers, and AI models in a single, cloud-native platform, you gain the visibility needed to comply with international compliance standards and frameworks, like the EU’s Cyber Resilience Act, while giving your developers the freedom to move at machine speed.

Security should be the foundation for AI. By implementing automated quarantine workflows and a unified registry for models, you can reclaim the hours lost to manual validation and protect your organization from the unique risks of the AI era.

This post only scratches the surface of the shifts we’re seeing in the industry. Download the complete 

 to explore the full demographic breakdown, competitive findings, and our deep dive into the state of software supply chain security.

The AI speed trap: Securing the future of software supply chains

The binary gap is the lack of visibility into the compiled code that actually runs in production. Most security happens at the source level, but the binary is where the actual risk lives. Binary Lifecycle Management bridges this gap.

What is the "binary gap"?

DevSecOps focuses on code and libraries. MLSecOps adds a layer of protection for AI model weights, training data, and the specialized protocols (like MCP) that agents use to operate.

How does MLSecOps differ from traditional DevSecOps?

It shouldn't. The key to agentic remediation is the test loop. The agent doesn't just apply a patch; it runs the entire test suite to ensure no breaking changes are introduced before submitting the PR.

Can agentic remediation break my code?

No. A private registry stores binaries. A tool (like Cloudsmith) provides the governance, curation, policy-as-code, and auditability layers that turn a registry into a security control.

Is a "software supply chain platform" just a private registry? 

Frequently asked questions (FAQs)

 has moved beyond the "visibility era" into the 

 a framework that treats AI agents as primary actors in the supply chain. Key 2026 pillars include 

 to collapse MTTR. To survive the current regulatory climate (CRA, CMMC 2.0), organizations must move from manual audits to a queryable 

1. What is software supply chain security?

Software supply chain security is the end-to-end protection of every artifact, pipeline, and actor, human or agent, involved in the creation and delivery of software.

In 2026, software supply chain security mandates a 

 to govern the integrity of open-source libraries, AI model weights, and Model Context Protocol (MCP) servers. The goal is to move from static snapshots to agentic governance, ensuring every production binary is backed by a queryable regulatory system of evidence.

Here is a reality check for every engineering leader: the most sophisticated supply chain attack of 2025 didn’t happen because a hacker guessed a password. It happened because a "clean" npm package used by thousands of enterprises was compromised through a sophisticated social engineering attack targeting a single maintainer. The malicious code sat dormant for six months before activating during a production build. By the time it was detected, the "poisoned" binary had already been distributed to millions of end-users.

 in 2026. We are no longer dealing with a theoretical risk or a simple compliance checkbox. The supply chain is now a living, breathing, and highly volatile ecosystem. It touches every line of code your developers write, every third-party dependency your CI/CD pipeline imports, and every AI model your agents query in production.

Five years ago, "securing the supply chain" was largely synonymous with 

, basically, checking a list of libraries against a database of known vulnerabilities. Today, that definition is narrow. In 2026, securing the software supply chain means establishing absolute control over:

 Curation of open-source libraries at the point of entry.

 of the environment where code becomes binaries.

Managing the lifecycle of JARs, Wheels, and Docker images from "cradle to grave".

 Protecting the weights, data, and provenance of LLMs.

 Governing the servers that allow AI agents to talk to your data.

2. The problem: Static SBOMs and the temporal decay trap

 (SBOM) was the poster child of the 2021 security boom. The idea was simple: create a list of ingredients for your software. By 2026, however, we’ve hit a hard ceiling on how much value that list provides if you don’t act on it.

Most SBOMs generated today are what we call compliance snapshots. They are produced at the end of a build, filed in a digital drawer, and never looked at again. That is a static SBOM process, and the problem isn’t the document itself; it’s the absence of any operational workflow around it. 

A clean library today might have a zero-day discovered tomorrow.

Transitive dependencies (the dependencies of your dependencies) shift without warning.

A static SBOM process is like printing a map of a city where the roads change every 24 hours.

The real shift in 2026 is moving from a static 

 to an operational one. An SBOM is, by nature, a document, a point-in-time record. What matters is whether that document is woven into a continuously updated, queryable system. Organizations that are surviving audits today aren’t necessarily generating better SBOMs; they are operationalizing them: correlating SBOM data against real-time vulnerability feeds, enriching records with contextual analysis, and using that intelligence to drive active policy decisions.

If your SBOM data can’t tell you, right now, which production services are exposed to a CVE discovered ten minutes ago, it isn’t a security control; it’s a paperweight.

Enterprise reliance on open-source software has never been higher. On average, a modern enterprise application is composed of 80% third-party code, and that figure keeps climbing. Rather than a breaking point, this represents a critical dependency that organizations have accepted as the cost of moving fast.

But that dependency now extends well beyond traditional libraries. Developers today are pulling in AI model weights from registries like Hugging Face and container images from unverified sources, often at the direction of AI coding assistants that prioritize speed over security. This creates a compounding risk chain:

Heavy OSS reliance is the baseline norm, not a temporary state.

OSS has inherent risks: abandoned maintainers, licence ambiguity, and a growing surface area for targeted compromise.

 pull in OSS packages rapidly and at scale, often without manual risk review.

This bypasses traditional governance, meaning attack vectors reach production faster than ever.

Tricking build systems into pulling a malicious public package instead of a private internal one.

Hijacking the credentials of a trusted maintainer to inject malware into a foundational library.

Introducing subtle backdoors into the training weights of open-source LLMs that only trigger under specific prompt conditions.

 a primary engineering concern. You can no longer afford to scan "after the fact". You must adopt a 

 model, blocking malicious, vulnerable, or license-incompatible packages at ingestion, not at production.

3. The transition: MLSecOps and the "binary gap"

AI changed everything: The rise of MLSecOps

The emergence of AI-assisted development fundamentally expands the attack surface. This is where 

MLSecOps is the practice of applying DevSecOps principles to the machine learning lifecycle. In 2026, an AI model is just another third-party dependency, but it’s one that traditional scanners can't read.

Many AI models are distributed in formats (such as pickle) that allow remote code execution upon loading.

 Who trained this model? Was the training data poisoned?

 Just as you have an SBOM for code, you now need an 

 for your models, documenting training data, architecture decisions, and safety benchmarks.

Binary lifecycle management: The missing layer

There is a massive gap in most security programs between the 

A binary artifact (a JAR, a Docker image, or a Python wheel) is a transformed version of the source code. During that transformation (compilation, linking, packaging), risk can be introduced. 

 is the practice of treating these artifacts as tracked, governed entities throughout their entire useful life.

In 2026, effective binary management requires:

 One secure repository where every approved binary lives.

 (Supply Chain Levels for Software Artifacts) to cryptographically sign every step of the build process.

 of 2026 security. It’s the ability to ask, "This

 library has a CVE, but is that specific vulnerable function actually reachable in my code?"

 Without contextual analysis, your security team is drowning in 500 "Critical" alerts, the majority of which are phantom risks.
This is where the distinction between CVE and EPSS becomes operationally critical. A Common Vulnerabilities and Exposures (CVE) is simply an identifier for a known vulnerability; it tells you a flaw exists. The Exploit Prediction Scoring System (EPSS) goes further, estimating the probability that a vulnerability will be actively exploited in the wild within the next 30 days. Prioritizing by EPSS score, combined with reachability analysis, is what separates teams that fix the right things from teams that chase every alert.

4. The future: Agentic governance and remediation

What agentic AI means for the supply chain

 will write, test, or deploy nearly half of all enterprise code

 These agents aren't just "tools"; they are actors. They make decisions. They pull packages. They trigger CI/CD.

 is the framework that ensures these agents follow the rules. It means:

Ensuring every action an agent takes is traceable to a specific model version and prompt.

Enforcing guardrails that prevent an agent from pulling an unvetted package just because it’s the fastest way to solve a coding task.

As board-level scrutiny of AI risk intensifies, agentic governance is the only way to prove to regulators that your AI isn't going rogue in the supply chain.

The "Detection-to-Fix" cycle in most companies is broken. It takes days to find a vulnerability, hours to triage it, and weeks to patch it. Agentic remediation collapses this cycle.

An agent detects a new CVE in a production binary.

If exploitable, the agent identifies the safe upgrade version.

The agent creates a branch, runs the tests, verifies no breaking changes, and submits a pull request.

A human developer reviews the agent’s activity logs, inspects the proposed patch, and validates the test results before approving the PR. The human remains the decision-maker; the agent handles the toil.

5. MCP governance: The dark horse of 2026

One of the most critical, yet overlooked, components of the 2026 supply chain is the 

 MCP is the emerging standard for how AI agents communicate with your data, tools, and internal APIs.

If you deploy MCP servers without a governance layer, you are essentially creating a backdoor into your organization’s data. 

 Cataloging every MCP server in your environment.

Logging every query an agent makes to an MCP server.

 Ensuring an agent can only access the specific context (data) it needs for its current task.

In 2026, an ungoverned MCP server is as dangerous as an unvetted npm package.

6. Building a regulatory system of evidence

". With laws like the EU Cyber Resilience Act 

 and the Cybersecurity Maturity Model Certification 

, the U.S. Department of Defense’s tiered framework that mandates verified cybersecurity practices for all contractors handling controlled unclassified information, and the full enforcement of these requirements, you can no longer satisfy an auditor with a spreadsheet.

. This is a queryable, immutable record of your supply chain data. It answers three questions:

 (The continuous scan + contextual analysis).

When an auditor asks, "Did you use a vulnerable version of Log4j in June?" you shouldn't be searching emails; you should be running a query against your 

7. Supply chain security best practices for 2026

Consolidate into a single source of truth: 

You cannot secure what you cannot see. Centralize all artifacts and packages, container images, AI models, and MCP definitions into a single, governed, private repository. This is the only way to enforce policy at scale.

Stop generating "paper SBOMs". Use a platform that continuously updates your inventory and enriches it with Vulnerability Exploitability eXchange (VEX) data.

. Focus your security team’s energy on 

 vulnerabilities, not just "high" scores. This single shift has been shown to dramatically reduce alert fatigue and reclaim meaningful developer time.

Don't let trash into your environment. Set up automated policies to block packages that are too young (less than 30 days old), have no maintainers, or use restrictive licenses.

Move beyond simple GPG keys. Use the SLSA framework to provide a verifiable "chain of custody" for every binary that reaches production.

Govern AI agents as first-class citizens: 

Assign every AI agent a non-human identity. Audit their "package pulls" and "MCP queries" just as you would audit a human developer’s access.

Stop the manual patching cycle. Use AI agents to handle the boring parts of security, identifying fixes, running tests, and opening PRs.

Teams and Access Controls

More articles

Mini Shai-Hulud reaches Packagist: the intercom/intercom-php compromise explained

Closing the enforcement gap: Why visibility isn’t enough for supply chain security

Stardrop: New cross-industry npm campaign

The AI speed trap: Securing the future of software supply chains

The 2026 guide to software supply chain security: From static SBOMs to agentic governance

Axios 1.4.1 and 0.30.4 NPM packages compromised