Stop dependency confusion before it starts - define trusted sources, ship faster with policy templates, and secure your supply chain directly in VS Code.

artiFACTS is your monthly roundup of new Cloudsmith product releases, industry news, and helpful resources.

NEW

Stop dependency confusion by defining trusted sources

Upstream Trust

Dependency confusion is one of the most persistent software supply chain risks - where malicious actors exploit package name resolution to trick systems into pulling untrusted code.


To help you achieve a more resilient posture, you can now set a trust status for your upstreams. This capability focuses on a critical link in your chain: preventing attackers from hijacking your internal package names in public repositories. By defining explicit trust boundaries, you ensure that once an artifact is identified as internal, it cannot be replaced by an untrusted externally-sourced version.
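As an added illustration of the trust boundary described above (not Cloudsmith's implementation; the classes, the trust flag and the sample packages are constructed for this example), a toy resolver contrasts naive highest-version-wins resolution with one that honours an upstream's trust status for internal names:

```python
# Toy model of upstream trust boundaries for package resolution. Added illustration,
# not Cloudsmith's code: classes, trust flags and sample packages are constructed.
from dataclasses import dataclass, field

def version_key(v: str) -> tuple:
    """Order versions numerically, so "10.0.0" sorts above "9.0.0"."""
    return tuple(int(p) for p in v.split("."))

@dataclass
class Upstream:
    name: str
    trusted: bool                                 # trust status set per upstream
    packages: dict = field(default_factory=dict)  # package name -> version offered

@dataclass
class Repository:
    internal: dict                                # names first published internally
    upstreams: list = field(default_factory=list)

    def _pick(self, found: list) -> tuple:
        if not found:
            raise LookupError("not available from any permitted source")
        return max(found, key=lambda c: version_key(c[1]))

    def resolve_naive(self, pkg: str) -> tuple:
        """Highest version from any source wins: what dependency confusion abuses."""
        found = [("internal", self.internal[pkg])] if pkg in self.internal else []
        found += [(u.name, u.packages[pkg]) for u in self.upstreams if pkg in u.packages]
        return self._pick(found)

    def resolve_trusted(self, pkg: str) -> tuple:
        """Internal names are served only by the internal copy or a trusted upstream;
        untrusted upstreams are never consulted for them, whatever they advertise."""
        if pkg in self.internal:
            found = [("internal", self.internal[pkg])]
            found += [(u.name, u.packages[pkg])
                      for u in self.upstreams if u.trusted and pkg in u.packages]
        else:  # not an internal name: ordinary proxying of public packages
            found = [(u.name, u.packages[pkg]) for u in self.upstreams if pkg in u.packages]
        return self._pick(found)

# Constructed sample: the internal name also appears on an untrusted public index.
REPO = Repository(
    internal={"acme-billing": "1.4.0"},
    upstreams=[
        Upstream("public-index", trusted=False,
                 packages={"acme-billing": "99.0.0", "requests": "2.32.0"}),
        Upstream("partner-mirror", trusted=True, packages={"acme-billing": "1.4.1"}),
    ],
)
```

With the sample data, the naive resolver hands back the squatted 99.0.0 from the untrusted index, while the trust-aware resolver only ever considers the internal copy and the trusted mirror for that name.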


This feature is in Early Access for Ultra and Enterprise customers, with current support for Python, Maven, and NPM.


Learn more

PRODUCT UPDATES

What's new in Cloudsmith?


⚡ Policy templates for faster, safer rollouts

We've added a library of pre-configured Rego policy templates covering vulnerability management, licensing compliance, and supply chain allowlists/blocklists - so you can deploy security guardrails on day one, no coding required. Currently in Early Access.


🆕 New CLI vulnerability command

A new vulnerabilities command brings package security scan results directly to the terminal - no more chaining multiple API calls. Get a severity summary by default, a full per-dependency breakdown with --show-assessment, and JSON output for CI/CD integration. Available in Cloudsmith CLI version 1.14.0 (or later).



🔒 VS Code extension v2.0.0

The Cloudsmith VS Code Extension is now a full supply chain security platform inside your IDE - with inline dependency health scanning, a Find Safe Version remediation command, upstream trust inspection, Terraform export, and one-click package promotion.



👆 Proxy and cache Alpine and Wolfi packages from upstream repositories

You can now proxy and cache Alpine and Wolfi packages from their public mirrors, blending local and upstream content into a single APKINDEX.tar.gz signed with your repository's RSA key. Wolfi packages are cached permanently, keeping builds reproducible even after packages disappear from the public upstream.

INDUSTRY ROUND-UP

Resources we think you'll love


🎥 Webinar | AI Acceleration and Supply Chain Security: 2026 Artifact Management Trends
93% of organizations use AI-generated code. Only 17% have automated guardrails. Join us to explore the governance gap - and how a unified control plane closes it.

📊 Report | The 2026 Artifact Management Report
79% of teams can spot a vulnerable dependency within six hours of disclosure. Only 25% act on it automatically. With the EU Cyber Resilience Act entering enforcement in September, the gap between visibility and action has never mattered more.

🔴 Blog | Axios NPM attack: What happened and how to prevent it
On 31 March, axios - 100M+ weekly downloads - was hit by a DPRK-linked supply chain attack via a compromised maintainer account. A cooldown policy in Cloudsmith would have blocked it automatically, before malicious behavior was ever publicly reported.

🔐 Blog | Why Dependabot needs an upstream gatekeeper
Dependabot controls when an update is suggested. Cloudsmith controls what your build systems can reach. Together, they cover far more of your supply chain than either does alone.

☸️ Blog | Kubernetes v1.36: What you need to know
The latest Kubernetes release is here. Get up to speed on what matters for your platform engineering and DevOps teams.

⚠️ Blog | How Cloudsmith protects against the LiteLLM attack
TeamPCP compromised LiteLLM's PyPI credentials and published two backdoored versions that exfiltrated SSH keys, cloud credentials, and Kubernetes secrets - all within a three-hour window. Here's how a governed supply chain stops this class of attack.

Cloudsmith, 7 Donegall Square West, Belfast, Northern Ireland BT1 6JH
