The software supply chain threat landscape - 2026 and beyond
AI is accelerating both sides of the supply chain problem. Developers ship faster using it. Attackers use it to find vulnerabilities, create malicious packages, and automate social engineering.
Paul Albury (Head of Customer Support) and Nigel Douglas (Head of Developer Relations) at Cloudsmith provide an overview of where supply chain risk sits in 2026: why the volume of incidents has grown beyond what any security team can handle manually, why the architectural response is a dependency firewall rather than better scanners, and how the EU Cyber Resilience Act is reshaping what enterprise buyers can now expect from their software vendors.
Areas covered:
- Why AI is a dual-sided supply chain risk: it expands the attack surface for developers and equips attackers with better tools at the same time
- Why artifact management policy engines exist – automated threats require automated responses, not larger security teams
- The difference between a vulnerability scanner and a dependency firewall, and why position in the supply chain is what matters
- What the CRA mandates for software vendors, and why it shifts trust from assumed to legally enforced
0:00 - AI and the supply chain: both sides of the problem
1:02 - Why manual security can't keep up
1:24 - Dependency firewall vs. vulnerability scanner
2:05 - How the Cyber Resilience Act changes vendor relationships
2:40 - What CRA compliance means for enterprise buyers
This video covers software supply chain security, AI-driven threats, dependency firewalls, Cyber Resilience Act compliance, artifact management, and open source risk for CISOs, VPs of Engineering, and executive buyers evaluating their supply chain security posture.
To see how Cloudsmith helps secure your software supply chain in the current risk landscape, book a demo: https://cloudsmith.com/book-a-demo