Operations | Monitoring | ITSM | DevOps | Cloud

Over the past few years, Platform Engineering has taken off as more and more as enterprise organisations adopt the practice of creating a centralised, self-service interface for developers to access the tools they need in order for them to do the job they were meant to do: build amazing software. At the heart of every Golden Path lies the ability to reliably produce, store, and consume build artifacts, from container images to internal libraries.

Improper artifact integrity validation is a critical vulnerability in CI/CD pipelines characterised by insufficient mechanisms to cryptographically verify the authenticity and integrity of code and build artifacts traversing the pipeline. When these controls are weak or absent, adversaries with access to any pipeline stage can inject malicious or tampered artifacts that appear legitimate, enabling undetected propagation through the pipeline and eventual deployment into production environments.

The Cloudsmith 2025 Artifact Management Report offers timely insights into how engineering and DevOps teams are evolving their approach to software artifact management and software supply chain security. With supply chain attacks on the rise and Generative AI reshaping development practices, teams are reevaluating how they manage, secure, and scale their artifact repository infrastructure.

The enterprise artifact management market - which has belonged for a while to JFrog and Sonatype - is now truly up for grabs. Cloudsmith was built on the core principle that cloud-native architecture matters. So does simplicity in design and workflow. Partnerships matter, too. We’ve built a comprehensive platform that controls and secures every artifact as it’s built, scanned, signed, stored, and shipped across the software supply chain.

The boundaries of what organizations build internally and what they adopt externally have blurred. Developers routinely integrate third-party services into critical CI/CD pipelines, often with minimal friction and limited oversight. This rapid plug-and-play convenience, while key to modern engineering velocity, is also quietly expanding the attack surface in ways many teams struggle to track - let alone govern.

Large Language Models (LLMs) are now at the cutting edge of mainstream AI systems. Their impact has been seismic, sparking a new gold rush as application developers transform the user experience away from clicks and commands into natural language and advanced automation. However, application developers have a barrier to overcome. AI models need data to reason and respond to a particular application domain.

AI assistants will shape the future of the software supply chain, and today, we’re sharing a glimpse of a powerful idea in motion: Cloudsmith MCP, a proof of concept server that connects large language models (LLMs) like ChatGPT and Claude directly to your software supply chain using the emerging Model Context Protocol (MCP) standard.

Previously, we showed you how to securely pull Docker images from Cloudsmith to Kubernetes using OIDC with a CronJob-based approach. We concluded the post discussing credential provider plugins from Kubernetes 1.20 and an enhancement in Kubernetes 1.33 that offers a new approach for external registries like Cloudsmith. We have now built a credential provider that takes advantage of this new capability. This article explores what this means for the future of pulling images from Cloudsmith on Kubernetes.

As Generative AI (GenAI) reshapes the software development landscape, the risks and complexities around managing what gets built, where it comes from, and how it’s secured are growing just as fast. The Cloudsmith 2025 Artifact Management Report dives into this shift, offering critical insights into how teams are adapting their infrastructure and software supply chain security practices in response to the AI-generated code.

Researchers at Trend Micro have uncovered a critical unauthenticated remote code execution (RCE) vulnerability affecting Langflow versions prior to 1.3.0. Langflow is a Python-based visual framework for building AI applications and boasts over 70,000 stars on GitHub and over 21,000 global weekly downloads from the public PyPI upstream. Source: Cloudsmith Navigator Versions released before 1.3.0 contain a serious flaw in the code validation logic, which allows arbitrary code execution.