---
title: "Software supply chain security for Monzo"
description: "See how Cloudsmith helps engineering teams at FCA-regulated digital banks like Monzo govern open-source dependencies, enforce security policy across every format and pipeline, and meet the compliance standards that come with a full UK banking licence."
canonical_url: "https://cloudsmith.com/loves/monzo"
last_updated: "2026-06-08T11:12:46Z"
---
# Software supply chain security for Monzo

Supply chain security for Monzo's cloud-native teams

## The artifact layer is where software trust happens

Cloudsmith is the enforcement layer at the point packages enter Monzo's environment. Policy-as-code on ingestion, continuous re-evaluation as threat signals change

[See how Cloudsmith works](https://cloudsmith.com/product/software-supply-chain-security)

## Closing the enforcement gap

Monzo's pipeline security controls catch known vulnerabilities in code and dependencies. But those controls run after your build tooling has already resolved a package ; after it's in the environment. Cloudsmith operates upstream of that point, enforcing policy at the registry before a dependency reaches any pipeline or cluster.

| Your current position | With Cloudsmith |

| --- | --- |

| Open-source dependencies enter your 1,600+ microservices before your scanning tools see them. | Cloudsmith scans and blocks at the point of ingestion based on rules you set – before a package reaches your Kubernetes clusters or your pipelines. |

| Security policy is applied inconsistently across Go, Python, JavaScript, Rust, Kotlin, Docker, Helm, and Terraform. | One policy, defined centrally, applies across every format and every team – backend, mobile, data, and infrastructure. |

| AI-assisted development pulls dependencies into your supply chain before any governance control sees them. | Every AI-recommended package passes through the same policy controls as any other artifact entering your environment. |

## You've secured the perimeter. The supply chain is a different problem.

Modern software development runs on open source. Developers pull packages from public registries dozens of times a day, and AI coding tools accelerate that further – recommending dependencies, generating code that imports them, and compressing the time between "find a package" and "ship it to production". The problem is that every one of those packages enters your environment before your existing security controls see it. Pipeline scanners, code review, and application-layer controls are all downstream of the moment of ingestion. Cloudsmith operates upstream of all of them.

- Block malicious packages before they reach your microservices or your GCP infrastructure
- Protect against targeted attacks on Go, Python, and JavaScript ecosystems
- Enforce a single policy across every format your teams ship in
- Apply the same governance to AI-recommended dependencies as any other artifact

[Learn more about software supply chain security](/product/software-supply-chain-security)

Cooldown policies

## Packages your teams depend on, under active attack

Modern development moves fast. Packages are published continuously, and attackers exploit the window between publication and detection. Cloudsmith's cooldown policies hold newly published package versions in quarantine for a configurable period before they can reach any build system – structurally eliminating an entire class of attack that pipeline scanning cannot stop.

### Axios – 100 million weekly downloads, March 2026

A North Korean state actor compromised the Axios npm account and published two malicious versions carrying a phantom dependency created less than 24 hours earlier. The malicious versions were live for roughly 3 hours – enough to compromise any pipeline running a fresh install. A cooldown policy would have blocked the phantom dependency at ingestion before it reached a single build.

[Read the Axios attack breakdown](https://cloudsmith.com/blog/axios-npm-attack-response)

### Shai-Hulud / Mini Shai-Hulud – self-replicating npm worm, 2025–2026

An ongoing self-replicating npm worm steals maintainer credentials and publishes malicious versions of every package that maintainer controls – with valid provenance attestations, meaning integrity checks pass. Teams with cooldown policies active were not exposed. Teams relying on pipeline scanning alone were.

[Read the Shai-Hulud attack breakdown](https://cloudsmith.com/blog/tanstack-npm-packages-compromised-in-mini-shai-hulud-attack)

Why Monzo's engineering organisation needs Cloudsmith

## Every ecosystem is a separate attack surface. Manage them all with one policy.

A polyglot microservices architecture at Monzo's scale, under full banking regulation, creates a supply chain governance problem that generic DevOps tooling wasn't designed for. Each language ecosystem is a separate attack surface. Each one needs consistent policy. And every artifact that passes through your environment needs to be traceable for compliance. Cloudsmith was built for exactly this combination.

### Polyglot at scale

Go dominates your backend, but your full estate spans a dozen languages and runtimes. Each one is a separate attack surface, with its own upstream registries and its own risk profile. Cloudsmith governs all of them from one platform – one policy, applied consistently, regardless of format.

### Full banking regulation

Supply chain provenance, SBOM generation, and audit trails are no longer optional – they belong in your SDLC. Cloudsmith builds that evidence chain into every pipeline automatically, so it's ready for regulatory review without a separate compliance exercise.

### Multi-cloud, Kubernetes-native

Cloudsmith integrates natively with your AWS and GCP environments, your Kubernetes workflows, and your existing container and Helm pipelines. Consistent policy across both platforms, with no additional DR configuration required.

## 30+ formats. One policy. Zero exceptions.

Go, Python, JavaScript, TypeScript, Rust, Kotlin, Java, Scala, Erlang, Swift, Objective-C, Docker, Kubernetes, Terraform. Each ecosystem is its own attack surface with its own registries and its own risk profile. Cloudsmith gives you a single governed layer across all of them – one policy, one audit log, one source of truth.

### Go modules and Python packages

Cloudsmith proxies Go module downloads and PyPI consumption through a governed layer – scanning for malware and CVEs before any package reaches your build system.

### npm, Docker, and Helm

JavaScript and TypeScript dependencies, container base images, and Helm charts all governed under the same policy. One set of rules across your frontend, backend, and Kubernetes infrastructure.

### JVM and mobile ecosystems

Maven and Gradle for your Kotlin and Java services, CocoaPods and Swift Package Manager for iOS – all covered. Cloudsmith supports 30+ package formats with native tooling support.

### Terraform providers and modules

Infrastructure-as-code is part of your supply chain too. Cloudsmith governs Terraform module consumption alongside your application dependencies – consistent policy from code to cloud.

## Regulation is tightening. Supply chain controls need to keep pace.

The regulatory environment is tightening - new requirements arrive regularly and compliance infrastructure has to scale alongside the business. That obligation extends into the SDLC. Supply chain provenance, software composition visibility, and policy enforcement are increasingly part of what regulators expect. Cloudsmith gives your compliance and governance teams what they need: SBOM generation, policy enforcement with audit trails, and full package provenance tracking – built into your pipelines from day one.

- Automated SBOM generation for every artifact in your supply chain
- Vulnerability policy enforcement with full audit trails for FCA and PRA oversight
- Package signing and provenance tracking across all 30+ supported formats
- Evidence chain ready for compliance review – no separate tooling required

[Read more](/customers/cloudsmith-and-pagerduty)

## Customers love Cloudsmith

[Read reviews](https://www.g2.com/products/cloudsmith/reviews)

## Ready to see Cloudsmith in action?

Talk to our team about closing the supply chain governance gap across Monzo's polyglot engineering estate – from Go and Python to Docker, Kubernetes, and Terraform.

[Talk to the team](/company/contact-sales)
