Cloudsmith now detects malicious packages using data from OSV.dev and the OpenSSF Malicious Packages project so you can see, stop, and govern open source packages designed to attack your supply chain before they reach your builds or customers.
Malware scanning looks inside a package for known signatures, whereas malicious package detection focuses on packages that are harmful by design — for example, those created to mimic legitimate dependencies or trigger unsafe install behaviors. Together, these capabilities provide broader defense in depth across your repositories.
Here’s how malicious package detection works in Cloudsmith:
This capability is in Early Access, available to Ultra and Enterprise customers. Please contact us to get access today.
📘 Learn more in the docs >> Malicious Packages
You can now use Cloudsmith’s package search syntax to refine the scope of your repository's retention rules when configuring them via the Cloudsmith web application and via the Cloudsmith Terraform provider. This functionality builds on the existing support to scope retention rules by package search syntax via the API, and makes it easier to target exactly which packages to keep or remove…
Today we are releasing a refreshed and re-architected documentation website for Cloudsmith…
We've reduced the delay between a download event and its appearance in Client Logs, giving you faster visibility into your package delivery pipeline. This makes it easier to analyze trends, troubleshoot issues, and keep your workflows moving…
As part of upcoming improvements to our logging pipeline, we’ve made adjustments to our underlying data processing. These changes include the path and uri fields in the web application and the uri field in Client Logs exports…
Identify and prioritize new vulnerabilities in your existing artifacts with Cloudsmith’s Continuous Security. Continuous Security runs hourly checks against trusted vulnerability data sources, enabling faster detection and response to newly disclosed threats without the need for manual re-scans…
Packages added to Cloudsmith are scanned for vulnerabilities and malware, and passed through our policy engine. When we identify vulnerable packages, we produce and collate a range of descriptive data to help explain those vulnerabilities. Previously, that data was only available in our legacy web app, and more recently via our API. We've now broug…
