SecurityBrief Canada - Technology news for CISOs & cybersecurity decision-makers
Canada
Alison
#
DevOps
#
Cloud Security
#
Application Security

Cloudsmith adds controls to block risky dependencies

Tue, 24th Mar 2026
Author image
By Joseph Gabriel Lagonsin, News Editor

Cloudsmith has expanded its software supply chain security features with new controls for managing third-party dependencies.

The release is aimed at security and engineering teams that need to identify and stop vulnerable or malicious software packages before they enter development workflows or production systems.

The update comes as attacks on open-source software registries become more frequent and targeted. Cloudsmith's research found that 44% of organisations had confirmed a security incident caused by a third-party dependency, while another 39% reported near misses.

This highlights a broader problem for companies that rely heavily on open-source components in modern software development. Security teams often have visibility into vulnerabilities through scans and alerts, but they do not always have direct control over whether a package can be used in a build.

New controls

The latest release adds continuous monitoring of packages across an organisation's workspace for known vulnerabilities and malicious code. It also introduces automated rules that can hold newly published packages for vetting and block those linked to actively exploited vulnerabilities.

Software builds are now automatically scanned for risky dependencies deeper in the chain, including transitive dependencies that may not be immediately visible to developers. When a package is blocked, remediation instructions appear in the build tool through customised 403 error messages.

According to Cloudsmith, the package intelligence layer draws on several data sources, including OSV.dev for vulnerability coverage, EPSS for exploitability scoring, and data from the OpenSSF malicious package project.

The policy system is built on Open Policy Agent, allowing teams to define rules on which packages can be used. Those rules can be applied continuously so that only approved and compliant components move further through the software pipeline.

Threat pressure

The release reflects growing concern over software supply chain attacks, which have shifted from isolated incidents to sustained campaigns. In package ecosystems such as npm and PyPI, attackers have used methods including malware injection and slopsquatting, a tactic that exploits errors or assumptions in package selection.

Regulation has also increased pressure on companies to show they can manage software supply chain risk. Measures such as the Cyber Resilience Act and DORA have pushed the issue beyond internal policy and into compliance requirements for some organisations operating in Europe.

Cloudsmith argues that this makes enforcement more important than detection alone. If a risky package is flagged only after it has entered a build, the exposure has already occurred.

"Enterprises are drowning in CVEs, with a surplus of data but no centralized control plane to manage risk. The disconnect between threat intelligence and active enforcement is widening as actors weaponize open-source registries to bypass traditional defenses. Automating governance is no longer a 'nice to have'; it is the only way to build a defensible software supply chain in an AI-accelerated world," said Alison Sickelka, VP of Product at Cloudsmith.

Cloudsmith's approach centres on the artifact layer, where software packages are stored, managed, and distributed. By placing policy checks at that stage, it aims to stop unsafe dependencies before developers use them or before software is released further downstream.

One feature allows organisations to apply cool-down periods to newly published dependencies. This gives teams time to wait for broader scrutiny by the security community before allowing those packages into internal builds.

Another lets policies focus on vulnerabilities with high EPSS scores, which estimate the likelihood of exploitation. The aim is to narrow decision-making to issues most likely to be used in attacks, rather than blocking every known vulnerability regardless of context.

The system also inspects software bills of materials to identify unsafe transitive dependencies or licensing issues. This matters because many software risks sit several layers deep in the dependency tree and may not be obvious from top-level package choices.

Customer view

ConstructConnect, a Cloudsmith customer, said the practical value lies in the ability to quarantine and block vulnerable artifacts.

"The most important capability for us is the ability to quarantine and block vulnerable artifacts. Ease of access to vulnerability information, and the ability to act on it, has been the biggest change for us. Our internal governance scores continue to improve, and Cloudsmith has been a major contributor to that. We're a stone's throw away from having zero high or critical vulnerabilities in our supply chain," said Dammkoehler.

Alison Sickelka, VP of Product, Cloudsmith
Related stories
Cyber insurance now common among North American SMBs
CIQ launches Linux compliance platform ahead of deadlines
Emerson & OPSWAT strike global reseller deal for OT patching
IWF & Cyacomb launch workplace abuse material scans
Cork Cyber adds automated mapping to Vantage platform

Top stories

Team Cymru launches Total Insights Feeds for threat data
FIRST conference highlights AI & CVE disclosure push
Protegrity launches AI Team Edition for secure inferencing
OpenAI launches Trusted Access for Cyber with major names
Anthropic launches Claude Opus 4.7 with stronger coding