Belfast, N. Ireland
2016
  |  By Cristian Garcia
Over the past few years, Platform Engineering has taken off as more and more enterprise organisations adopt the practice of creating a centralised, self-service interface for developers to access the tools they need in order to do the job they were meant to do: build amazing software. At the heart of every Golden Path lies the ability to reliably produce, store, and consume build artifacts, from container images to internal libraries.
  |  By Nigel Douglas
Improper artifact integrity validation is a critical vulnerability in CI/CD pipelines characterised by insufficient mechanisms to cryptographically verify the authenticity and integrity of code and build artifacts traversing the pipeline. When these controls are weak or absent, adversaries with access to any pipeline stage can inject malicious or tampered artifacts that appear legitimate, enabling undetected propagation through the pipeline and eventual deployment into production environments.
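The check the paragraph above describes, as an added example that is not Cloudsmith's code and not from the page: the build stage records a digest for every artifact in a manifest and signs the manifest; the consuming stage verifies the manifest signature first and then each artifact's digest against it, so a tampered artifact, a re-signed manifest, or an unlisted or missing artifact all stop the pipeline. The manifest layout, the sample artifacts and the key are constructed here, and HMAC-SHA256 from the standard library stands in for a real detached signature (cosign/Sigstore, GPG); the verification logic is the same, only the signature primitive differs.

```python
"""Gate on artifact integrity before the next pipeline stage consumes a build.

Added example; not Cloudsmith's code and not from the page. The manifest
layout, the sample artifacts and the key are constructed. HMAC-SHA256 stands
in for an asymmetric signature over the manifest.
"""
import hashlib
import hmac
import json

# Constructed sample artifacts, standing in for a tarball and an image blob.
ARTIFACTS = {
    "libpayments-1.4.2.tar.gz": b"pretend this is a tarball of an internal library",
    "api-server.img": b"pretend this is a container image layer blob",
}

# Assumed: the build stage holds this key; later stages only verify with it.
SIGNING_KEY = b"build-stage-secret-key"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(body: dict) -> bytes:
    # Deterministic encoding so signer and verifier hash identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(artifacts: dict, key: bytes) -> dict:
    """Build stage: record each artifact's digest and sign the record."""
    body = {"version": 1, "artifacts": {n: sha256_hex(d) for n, d in artifacts.items()}}
    signature = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "signature": signature}


def verify_manifest(signed: dict, key: bytes) -> dict:
    """Reject a manifest whose signature does not cover its current contents."""
    expected = hmac.new(key, canonical(signed["body"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed["signature"]):
        raise ValueError("manifest signature invalid: manifest altered or forged")
    return signed["body"]


def verify_artifacts(artifacts: dict, signed: dict, key: bytes) -> list:
    """Consuming stage: accept only artifacts whose digest the verified manifest lists."""
    expected = verify_manifest(signed, key)["artifacts"]
    accepted = []
    for name, data in artifacts.items():
        if name not in expected:
            raise ValueError(f"{name}: not listed in manifest (unexpected artifact)")
        actual = sha256_hex(data)
        if not hmac.compare_digest(actual, expected[name]):
            raise ValueError(f"{name}: digest {actual[:12]}... does not match manifest")
        accepted.append(name)
    missing = sorted(set(expected) - set(artifacts))
    if missing:
        raise ValueError(f"manifest lists artifacts that were not delivered: {missing}")
    return accepted


def check(artifacts: dict, signed: dict, key: bytes = SIGNING_KEY) -> str:
    """Pipeline gate: 'ok' to proceed, otherwise the rejection reason."""
    try:
        verify_artifacts(artifacts, signed, key)
        return "ok"
    except ValueError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    manifest = build_manifest(ARTIFACTS, SIGNING_KEY)
    print(check(ARTIFACTS, manifest))                      # ok
    tampered = dict(ARTIFACTS)
    tampered["api-server.img"] = b"backdoored image blob"  # swapped in a later stage
    print(check(tampered, manifest))                       # rejected: digest mismatch
    forged = build_manifest(tampered, b"attacker-key")     # attacker re-signs with own key
    print(check(tampered, forged))                         # rejected: signature invalid
```

Two design points matter more than the primitive: the digest comparison and the signature comparison both use constant-time equality, and the gate fails closed on anything the manifest does not account for (extra artifacts as well as missing ones), because an attacker with access to one stage usually adds or swaps rather than removes.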
  |  By Nigel Douglas
The Cloudsmith 2025 Artifact Management Report offers timely insights into how engineering and DevOps teams are evolving their approach to software artifact management and software supply chain security. With supply chain attacks on the rise and Generative AI reshaping development practices, teams are reevaluating how they manage, secure, and scale their artifact repository infrastructure.
  |  By Glenn Weinstein
The enterprise artifact management market - which has belonged for a while to JFrog and Sonatype - is now truly up for grabs. Cloudsmith was built on the core principle that cloud-native architecture matters. So does simplicity in design and workflow. Partnerships matter, too. We’ve built a comprehensive platform that controls and secures every artifact as it’s built, scanned, signed, stored, and shipped across the software supply chain.
  |  By Nigel Douglas
The boundaries of what organizations build internally and what they adopt externally have blurred. Developers routinely integrate third-party services into critical CI/CD pipelines, often with minimal friction and limited oversight. This rapid plug-and-play convenience, while key to modern engineering velocity, is also quietly expanding the attack surface in ways many teams struggle to track - let alone govern.
  |  By Ian Taylor
Large Language Models (LLMs) are now at the cutting edge of mainstream AI systems. Their impact has been seismic, sparking a new gold rush as application developers transform the user experience away from clicks and commands into natural language and advanced automation. However, application developers have a barrier to overcome. AI models need data to reason and respond to a particular application domain.
  |  By Alison Sickelka
AI assistants will shape the future of the software supply chain, and today, we’re sharing a glimpse of a powerful idea in motion: Cloudsmith MCP, a proof of concept server that connects large language models (LLMs) like ChatGPT and Claude directly to your software supply chain using the emerging Model Context Protocol (MCP) standard.
  |  By Ian Duffy
Previously, we showed you how to securely pull Docker images from Cloudsmith to Kubernetes using OIDC with a CronJob-based approach. We concluded the post discussing credential provider plugins from Kubernetes 1.20 and an enhancement in Kubernetes 1.33 that offers a new approach for external registries like Cloudsmith. We have now built a credential provider that takes advantage of this new capability. This article explores what this means for the future of pulling images from Cloudsmith on Kubernetes.
  |  By Nigel Douglas
As Generative AI (GenAI) reshapes the software development landscape, the risks and complexities around managing what gets built, where it comes from, and how it’s secured are growing just as fast. The Cloudsmith 2025 Artifact Management Report dives into this shift, offering critical insights into how teams are adapting their infrastructure and software supply chain security practices in response to the AI-generated code.
  |  By Nigel Douglas
Researchers at Trend Micro have uncovered a critical unauthenticated remote code execution (RCE) vulnerability affecting Langflow versions prior to 1.3.0. Langflow is a Python-based visual framework for building AI applications and boasts over 70,000 stars on GitHub and over 21,000 global weekly downloads from the public PyPI upstream.

Source: Cloudsmith Navigator

Versions released before 1.3.0 contain a serious flaw in the code validation logic, which allows arbitrary code execution.
  |  By Cloudsmith
AI-generated code is now nearly universal. Enforcement is not. That gap is where your software supply chain is most exposed. Cloudsmith's CEO Glenn Weinstein, Co-Founder & CTO Lee Skillen, and VP of Product Alison Sickelka join Product Marketing Manager Meghan McGowan to unpack the 2026 State of Artifact Management report – a survey-based look at how AI development is reshaping the threat landscape, what organizations are getting wrong, and what the highest-leverage fix actually looks like.
  |  By Cloudsmith
Cloudsmith raised $72 million in Series C funding, led by TCV and Insight Partners, to build the operating system for the modern software supply chain. AI agents are writing code faster than teams can secure it. That shifts the risk calculus because more software, built faster, means more attack surface. Artifact management is the control point between every software producer and consumer, and it's where Cloudsmith sits.
  |  By Cloudsmith
100M+ weekly downloads. One compromised maintainer account. A remote access trojan in two active release branches. This is a 30-minute breakdown of the Axios npm supply chain attack – how it happened, why it was hard to detect, and what any engineering team can do right now to reduce exposure. Nigel Douglas, Head of Developer Relations at Cloudsmith, is joined by Jenn Gile, co-founder of Open Source Malware, a community-driven threat intelligence platform focused on malicious open source packages.
  |  By Cloudsmith
What does it take to build a "Golden Path" that developers actually want to use? In this expert-led webinar, Cloudsmith and Octopus Deploy team up to explore the missing link in your software supply chain: turning artifact creation and management into an automated, trust-backed journey from source to ship.
  |  By Cloudsmith
You’ve built a world-class platform – now how do you get it into the hands of your users without "download friction"? In this video, we look at how DataHub, the leading open source metadata platform, uses Cloudsmith as its cloud-native distribution engine to deliver high-performance software artifacts to a global audience with zero downtime and zero maintenance.
  |  By Cloudsmith
Are you spending more time maintaining your artifact servers than building software? In this video, we explore how BHS Corrugated–a global leader in manufacturing technology with a presence in 20 countries–transformed their developer experience by moving from fragmented, self-hosted GitHub repositories to Cloudsmith: the world’s leading cloud-native artifact management platform.
  |  By Cloudsmith
Is your artifact management slowing down your development velocity? In this video, we dive into how ConstructConnect migrated from JFrog Cloud to Cloudsmith–the world’s leading cloud-native artifact management platform–to eliminate hidden costs, simplify their CI/CD pipelines, and secure their software supply chain.
  |  By Cloudsmith
Learn how to control, secure, and distribute software artifacts with this full on-demand platform demo of Cloudsmith. In this video, Solutions Engineers Dan and Ciara walk you through key features, including web app setup, logging, policy enforcement, signing, and global distribution. Through live demos, you'll see how to integrate Cloudsmith into your CI/CD pipeline, enforce security and compliance, control access with entitlement tokens, and automate everything using the API.
  |  By Cloudsmith
Docker's VP of Product, Michael Donovan, discusses the importance of risk management and the security challenges introduced by the scale of 3rd party software dependency in development.

See the full webinar: https://cloudsmith.com/webinars

About Cloudsmith
We offer the world's best cloud-native artifact management platform to control, secure, and distribute everything that flows through your software supply chain. Cloudsmith operates at enterprise scale, reduces risk, and streamlines builds.
  |  By Cloudsmith
Join Ian Duffy, Senior Site Reliability Engineer at Cloudsmith, as he discusses using credential providers in Kubernetes to securely pull images from private repositories. Credential providers are a great new feature that appeared in recent versions of Kubernetes. They allow you to pull images using a short-lived authentication token, which makes them less prone to leakage than long-lived credentials - bolstering security in the software supply chain.
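The two credential provider posts above (the Kubernetes 1.33 follow-up and this talk) describe the same mechanism, so here is one added example for both. It is not Cloudsmith's credential provider and not code from the page. The kubelet runs the plugin binary, writes a CredentialProviderRequest as JSON on stdin and reads a CredentialProviderResponse from stdout; with the 1.33 enhancement the request can also carry the pod's projected service account token when `tokenAttributes` is configured for the provider, which is the field name this example assumes. The registry host `registry.example.com` and the `exchange` callable are assumptions: a real plugin would trade the service account token for a short-lived registry credential at the registry's OIDC endpoint over the network, which is stubbed here so the code runs offline.

```python
"""Kubelet image credential provider: the exec protocol with short-lived creds.

Added example; not Cloudsmith's credential provider and not from the page.
Assumed: the `serviceAccountToken` request field (Kubernetes 1.33 service
account token enhancement), the registry host, and the token exchange.
"""
import json
import sys

API_VERSION = "credentialprovider.kubelet.k8s.io/v1"
ALLOWED_REGISTRIES = ("registry.example.com",)  # assumed private registry host
CACHE_SECONDS = 600  # must not exceed the lifetime of the token we hand back


def registry_of(image: str) -> str:
    """Return the registry host of an image reference ('' if it has none).

    Follows the docker reference rule: the first path component is a host only
    when it contains '.' or ':' or is 'localhost'; 'nginx:latest' has no host.
    """
    if "/" not in image:
        return ""
    first = image.split("/", 1)[0]
    if "." in first or ":" in first or first == "localhost":
        return first
    return ""


def make_request(image: str, sa_token: str = None) -> str:
    """Construct the JSON the kubelet would write to the plugin's stdin."""
    req = {"apiVersion": API_VERSION, "kind": "CredentialProviderRequest", "image": image}
    if sa_token is not None:
        req["serviceAccountToken"] = sa_token  # assumed field name, see lead-in
    return json.dumps(req)


def empty_response() -> dict:
    # No credentials: the kubelet falls back to other providers or anonymous pull.
    return {"apiVersion": API_VERSION, "kind": "CredentialProviderResponse",
            "cacheKeyType": "Registry", "auth": {}}


def fake_exchange(registry: str, sa_token: str) -> tuple:
    """Stand-in (assumed) for the OIDC exchange: trade the projected service
    account token for a short-lived registry credential, as (username, password)."""
    return ("oidc", f"short-lived-token-for-{registry}")


def handle_request(raw: str, exchange=fake_exchange) -> dict:
    req = json.loads(raw)
    if req.get("apiVersion") != API_VERSION or req.get("kind") != "CredentialProviderRequest":
        raise ValueError("unexpected request apiVersion/kind")
    registry = registry_of(req.get("image", ""))
    if registry not in ALLOWED_REGISTRIES:
        # matchImages in CredentialProviderConfig should already filter this;
        # checking again keeps a misconfigured kubelet from leaking a token.
        return empty_response()
    sa_token = req.get("serviceAccountToken")
    if not sa_token:
        # Refuse rather than fall back to a static pull secret: the point of
        # the provider is to keep long-lived credentials off the node.
        raise ValueError("request carries no service account token; set tokenAttributes")
    username, password = exchange(registry, sa_token)
    return {
        "apiVersion": API_VERSION,
        "kind": "CredentialProviderResponse",
        "cacheKeyType": "Registry",
        "cacheDuration": f"{CACHE_SECONDS}s",
        "auth": {registry: {"username": username, "password": password}},
    }


if __name__ == "__main__":
    # Real invocation: the kubelet pipes the request into stdin. Constructed
    # request used when run by hand.
    raw = sys.stdin.read() if not sys.stdin.isatty() else make_request(
        "registry.example.com/acme/app:1.2", sa_token="constructed-sa-token")
    json.dump(handle_request(raw), sys.stdout)
```

The credential the plugin returns is only as short-lived as `cacheDuration` lets it be: the kubelet caches the response for that long, so set it at or below the registry token's lifetime, otherwise an expired token is served from cache and pulls fail until it ages out.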

Cloudsmith, your friendly neighbourhood Package Management startup, is a fully managed 24/7 Software-as-a-Service (SaaS) for securely storing and sharing assets, packages and containers. We have distributed millions of packages for innovative companies around the world and specifically help with: development, for internal build pipelines and dependencies; deployment, for delivery pipelines to servers; and distribution, for sharing software to entitled users worldwide.

Our main office is in Belfast, UK, but our approach to software development and the Cloud allows people to contribute from all over the world.

Built for Engineers, by Engineers:

  • For Dev: Control the dependencies for your build/development pipelines. Share libraries privately with your teams, and develop your software securely.
  • For Ops: Deploy the artefacts for your delivery pipelines. Promote through delivery stages, and ignore unstable upstreams that will break you.
  • For Vendors: Distribute licensed software to customers, anywhere in the world. Define private access via entitlements, to ensure only entitled users get it.

The new standard in Package Management and Software Distribution.