Learn how to safely ingest, verify, and manage LLM models from Hugging Face in this live webinar. See a real workflow for quarantining, approving, and promoting models into production without slowing developers down.

Nigel Douglas

Head of Developer Relations

Liana Ertz

Product Manager

Open model ecosystems like Hugging Face have transformed how teams build with AI. But with that speed comes risk: unverified publishers, mutable artifacts, dependency confusion, and models that change beneath your feet.

If you’re pulling models straight into production pipelines, you’re inheriting all the uncertainty of the public internet - into some of your most sensitive systems.

In this live session, Cloudsmith experts will show you how to take control of your AI supply chain. You’ll learn how to securely ingest, verify, and distribute LLM models from Hugging Face without slowing your teams down.

How to securely source your LLM models from Hugging Face

Sofware supply chain security

By submitting, you are subscribing to artiFACTS, Cloudsmith's monthly product newsletter. You can unsubscribe at any time.

Attackers are exploiting typos and AI-generated code to slip malicious packages into software ecosystems. Learn how typosquatting and slopsquatting attacks work, why AI is accelerating them, and the practical steps to detect, prevent, and secure your supply chain.

As software ecosystems expand, attackers are exploiting the smallest cracks - from a single typo to a reused name - to sneak in malicious packages. The rise of AI-generated code has amplified this problem. Automated code suggestions, dependency management, and code-completion tools can unintentionally introduce lookalike or compromised packages into projects. These lookalikes are easy to miss and can bypass traditional security checks, creating serious downstream risk.

This session combines real-world examples with practical advice on how to detect, respond to, and prevent squatting attacks in a world where AI-driven development is changing how code is written, shared, and reused. You’ll leave with a clearer understanding of how these threats operate, a simple framework for detection and response, and actionable steps to make your package ecosystem more resilient.

From naming hygiene to automation strategies, this session will help your teams stay one step ahead of the next squatting campaign, whether it is targeting human developers or being propagated by AI-generated code, and keep your software supply chain secure.

Typosquatting & Slopsquatting: Detecting and defending against malicious packages

Don’t let hidden threats slow you down. Discover how Cloudsmith & Kusari enable proactive security to prevent tampering, improve visibility, and speed deployments—reducing rework and strengthening your software supply chain.

Ben Cotton

Open Source Program Lead

Security checks are more critical than ever as attackers increasingly target software supply chains, from dependencies to CI/CD systems. But speed is just as important. Slowing down development isn’t an option, so organizations need security that enables rapid releases without adding friction.

The real competitive advantage comes from building security into your workflow so that speed and safety go hand in hand. Whether you’re under pressure to reduce risk, or enabling speed at scale, you’ll leave with actionable steps to make your pipeline not only secure but trustworthy - and spookily efficient.

In this joint webinar from Cloudsmith and Kusari, our experts will show you how to turn security from a bottleneck into a force multiplier.

More Trust, Less Boo! Haunt-Free Deployments with Cloudsmith & Kusari

Software Supply Chain Securely

Distribute Software Globally

The recent npm supply chain attack was a wake-up call: open source dependencies are a critical risk vector. If your organization isn’t actively securing the way you source, store, and distribute software artifacts, you’re exposed.

Cristian Garcia

Senior Customer Success Manager

Gwen Burchell

Engineering Manager

The recent npm supply chain attack was a wake-up call: open source dependencies are one of the most critical risk vectors facing modern software teams. High-profile incidents like the npm cryptocurrency attack and the S1ngularity/nx breach have made it clear that vulnerabilities don’t just come from the code you write, they often hide in the transitive dependencies your applications rely on.

If your organization isn’t actively securing how you source, store, and distribute software artifacts, you’re exposed. And while you can’t stop attackers from trying, you can prepare to minimize risk and disruption when the next breach inevitably happens.

In this webinar, we’ll explore what these attacks revealed about dependency risk, why practices like lockfiles and dependency pinning matter, and how to build resilience with approaches like Continuous Security and Verified Registries. You’ll also see how Cloudsmith helps teams automatically mitigate malware and vulnerabilities, so you can stay ahead of threats without slowing development.

Lessons from the npm Attack: How to Secure Dependencies with Artifact Management

Not every CVE is worth chasing. In this webinar, we’ll show how to combine CVSS severity with EPSS exploitability inside Open Policy Agent (OPA) to automatically quarantine the vulnerabilities that matter most. 

Vulnerability management isn’t about patching everything - it’s about patching what actually matters. CVSS gives you severity. EPSS gives you probability. Together, they let you prioritize risk in a way that reflects real-world exploitation, not just theoretical impact.</>

In this session, we’ll show how to integrate EPSS and CVSS into Open Policy Agent (OPA) to automatically quarantine packages that cross defined thresholds. Using Rego, you’ll learn how to encode risk-based policies that block high-severity, high-likelihood vulnerabilities before they hit production - without slowing down development workflows.

How to securely source your LLM models from Hugging Face

Things you'll learn

Speakers

Summary

Typosquatting & Slopsquatting: Detecting and defending against malicious packages

More Trust, Less Boo! Haunt-Free Deployments with Cloudsmith & Kusari

Lessons from the npm Attack: How to Secure Dependencies with Artifact Management

From CVE Scores to Action: Enforcing Artifact Management Policies in OPA