Operations | Monitoring | ITSM | DevOps | Cloud

Yet another supply chain attack has surfaced, this time using the xrpl library to sneak through malicious packages. xrpl.js is recognised as the recommended npm library for integrating the XRP Ledger (XRPL) with JavaScript/TypeScript applications, and has over 140k downloads a week.

As more teams rely on public repositories in their software supply chain, the dependency chain has become both a critical foundation and a potential blind spot. Dependency chain abuse is not new, but a growing list of attack vectors - like typosquatting, dependency confusion, and now slopsquatting - means security leaders need to respond quickly as attackers adopt new techniques.

Cloudsmith built Enterprise Policy Management (EPM) on Open Policy Agent (OPA) and uses Rego to define policies as code. These policies control how packages move through your systems. They're versioned, reviewable, and enforceable. EPM is in early release, but it already draws on extensive metadata Cloudsmith collects from your artifacts: format, version, tags, license, vulnerability, malware scan results, and digital signatures.

Enterprise Policy Management (EPM) is a programmable policy-as-code layer that controls the security, compliance, and flow of artifacts across the software supply chain. Teams can codify rules once and apply them continuously across repositories. With Cloudsmith’s platform, organizations extend policy enforcement across teams, environments, and geographies without introducing friction, including the open source packages that the chain depends on.

In the race to ship software faster, many teams have turned to automation, decentralised tools, and powerful pipelines. But lurking under the surface of these streamlined processes is a growing and often invisible Identity and Access Management (IAM) threat vector. — a core vulnerability in modern CI/CD security.

With the recent shake-up around CVE funding and broader questions about long-term support for cybersecurity infrastructure, one thing is clear: controlling what you can is more important than ever. This is abundantly clear in modern software development practices which rely heavily on CI/CD systems, which in turn serve as the primary conduit from a developer’s local environment to production.

CI/CD pipelines don’t wait. When traffic surges and your artifact platform can’t keep up, it’s not just a few slow requests: builds fail, deploys become backlogged, and engineers lose confidence. We’ve seen it all: 502s from overloaded VMs, minutes-long pulls, and pipelines grinding to a halt. That’s why we built Cloudsmith to scale by default; no one should have to firefight with their registry at 2 a.m.

We're excited to announce a major enhancement to our Maven repository support at Cloudsmith. As a Java developer, you can now upload and distribute arbitrary files using Maven repositories, unlocking more flexible and powerful workflows for your projects. Arbitrary files are files that are ignored by Maven unless explicitly included in the Project Object Model (POM) / pom.xml configuration.

April 2025 has brought some important news in the world of open source and software supply chain security: Fedora has announced a change proposal to make 99% of its package builds reproducible in its upcoming Fedora 43 release. At first glance, this might seem like a low-level Linux packaging detail. But in reality, this is part of a much bigger shift that touches anyone who builds, ships, or consumes software - including us at Cloudsmith and the developers and enterprises who rely on us.