Cloudsmith addresses weaponization of the software supply chain with advanced security capabilities

Cloudsmith, the leading cloud-native enterprise artifact management platform, today announced the expansion of its advanced security capabilities, positioning its unified data and enforcement plane as the critical defense against the evolving software supply chain threat landscape.

The software supply chain has never been more exposed

Software supply chain attacks have moved from opportunistic exploits to industrial-scale campaigns. In the last year, malicious package attacks, including sophisticated "slopsquatting" and malware injection, surged across registries like npm and PyPI. At the same time, the regulatory landscape has shifted. Mandates such as the Cyber Resilience Act (CRA) and DORA have moved supply chain security from a "best practice" to a legal requirement, forcing organizations to prove they can not only detect risk but actively prevent it. Meanwhile, AI and autonomous agents are accelerating the pace of development far beyond what security teams can manually track, widening the attack surface with every new dependency added. The trust that powers open source has become its most exploitable feature.

CVEs and known exploited vulnerabilities are multiplying, and the consequences are already being felt. According to new Cloudsmith research, 44% of organizations have confirmed a security incident caused by a third-party dependency, with a further 39% reporting near misses.

For most organizations, knowing about a threat and being able to act on it are two very different things. Security tools have also evolved to surface risk - generating alerts, CVE backlogs, vulnerability scans and dashboards - but enforcement remains disconnected from the systems where software actually moves. Risks are identified downstream, after packages have already entered the build. By that point, the exposure has already occurred.

“Enterprises are drowning in CVEs, with a surplus of data but no centralized control plane to manage risk. The disconnect between threat intelligence and active enforcement is widening as actors weaponize open-source registries to bypass traditional defenses. Automating governance is no longer a 'nice to have'; it is the only way to build a defensible software supply chain in an AI-accelerated world,” said Alison Sickelka, VP of Product at Cloudsmith.

Enforcement at the artifact layer

Cloudsmith provides a native control plane that moves security from reactive remediation to proactive protection. Instead of surfacing an undifferentiated stream of CVEs, Cloudsmith combines vulnerability, exploitability, and malware intelligence in a single enforcement layer.

Organizations can now use continuous, developer-aligned guardrails to prevent high-risk components from reaching the build in the first place, ensuring security is an inherent part of the supply chain.

Continuous package enrichment: Cloudsmith enriches packages with trusted threat intelligence, running hourly checks to automatically match newly disclosed vulnerabilities or malware against a customer's workspace. Packages are enriched with data from complementary sources - OSV.dev for broad vulnerability coverage, EPSS for exploitability scoring, and malware data via the OpenSSF malicious package project - giving security teams a complete and actionable picture of the risks.

Policy management: Built on Open Policy Agent (OPA), the policy engine enables teams to define precise, automated rules that are continuously evaluated, ensuring that only vetted and compliant packages reach developers or production systems. Cloudsmith has released capabilities that support granular, high-fidelity policies, including:

  • Cool-down periods: Automatically quarantine dependencies published within a defined length of time to ensure they have been vetted by the global security community.
  • Exploitability prioritization: Narrow focus to what matters by blocking only those vulnerabilities with a high EPSS score, indicating they are actually being exploited in the wild.
  • Deep SBOM inspection: Automatically evaluate the Software Bill of Materials to identify and block unsafe transitive dependencies or non-compliant licenses.
  • Malicious package detection: Detect and block malicious packages that were published on open source package repositories.
  • Improved developer experience with actionable 403 error messaging: When a package is restricted, developers receive custom instructions, directly in their CLI, providing clear steps for remediation or exception requests.

Rich Dammkoehler, VP Architecture & Governance at ConstructConnect, and a Cloudsmith customer, said:

“The most important capability for us is the ability to quarantine and block vulnerable artifacts. Ease of access to vulnerability information - and the ability to act on it - has been the biggest change for us. Our internal governance scores continue to improve, and Cloudsmith has been a major contributor to that. We’re a stone’s throw away from having zero high or critical vulnerabilities in our supply chain.”

To learn more, please visit: https://cloudsmith.com/product/software-supply-chain-security

About Cloudsmith

Cloudsmith is a leading provider of cloud-native artifact management, trusted by global enterprises across industries to secure and optimize their software supply chains. The platform supports over 30 package formats, integrates with CI/CD pipelines, and offers full control and visibility over software assets.

Cloudsmith is the backbone of global software supply chains. Cloudsmith is committed to securing today’s supply chains and building an adaptive, resilient infrastructure for the future.

To learn more, visit: https://cloudsmith.com/
