Cloudsmith

Software Development

Simply the world’s best cloud-native artifact management platform.

About us

Cloudsmith is a fully managed solution for controlling, securing, and distributing everything that flows through your software supply chain, using the best of cloud-native artifact management. Operate at enterprise scale, reduce risk, and streamline builds. Cloudsmith just works, so your developers can, too.

Website
https://cloudsmith.com
Industry
Software Development
Company size
51-200 employees
Headquarters
7 Donegall Square West
Type
Privately Held
Founded
2016
Specialties
Artifact Management, Cloud-Native, SaaS, Software Supply Chain, Software Supply Chain Security, Container Registry, Artifact Registry, Artifact Distribution, Alternative to Sonatype Nexus, and Alternative to JFrog Artifactory

Locations

  • Primary

    Scottish Provident Building, 7 Donegall Square West, BT1 6JH, GB

Updates

  • A great breakdown from Alastair Cooke and Guy Currier at The Futurum Group on what we unveiled at KubeCon EU - developers can now use live threat data and policy-as-code to automatically block risky dependencies before they make it into production👇

    Developers could unknowingly download malware hidden in regular software updates. At KubeCon Europe 2026, Cloudsmith unveiled a security upgrade that adds live threat data to software components. Using info from OpenSSF and the Exploit Prediction Scoring System (EPSS), the system can automatically block suspicious code and risky dependencies before they reach a company’s network. With almost half of organizations already hit by third-party software breaches, this tool helps prevent AI-generated code from overwhelming security teams and avoids potential fines under the EU’s Cyber Resilience Act. This and more on the Tech Field Day News Rundown with Alastair Cooke and Guy Currier of The Futurum Group. #TFDRundown #KubeCon2026 #Cybersecurity #DataSoftware #OpenSSF #GenAI #AI #CyberResilienceAct

  • LinkedIn Live briefing tomorrow: The axios npm supply chain attack - what happened, and how to secure your software supply chain. This time, attackers compromised a maintainer account and injected a remote access trojan directly into active release branches of axios - a JavaScript package pulling 100M+ downloads every week. It follows closely behind incidents affecting Trivy and LiteLLM, where every dependency you didn't write becomes a door you left unlocked. Join us tomorrow at 4:30pm BST / 8:30am PDT for a 30-minute LIVE briefing with Nigel Douglas (Head of Developer Relations, Cloudsmith) and Jenn Gile (Co-founder, OpenSourceMalware). We’ll cover: 👉 How the axios attack worked (from credential compromise to RAT deployment) 👉 The techniques used to dodge early detection 👉 Practical steps you can take today, from dependency pinning to age-based policies and threat intelligence integration Learn more and register here: https://lnkd.in/eHeWaVUT

  • Cloudsmith reposted this

The software supply chain is under attack. It's an attractive target - modern software development is built on re-use of open source frameworks, libraries, and containers. Re-use of proven, hardened code is a good thing, saving toil and enhancing security. The hard part is securing the process around this re-use. Are you using the artifacts you think you are? Are they the best ones? Are you helping your developers avoid being victimized by bad actors taking advantage of weaknesses along the supply chain? This past week's incidents with Trivy, LiteLLM, and now axios remind us that it's critical to control and secure this supply chain. Developers should source dependencies from curated repositories that you control, rather than getting them straight off the shelf. The whole "artifact management platform" space was born about 20 years ago simply as a way to store and manage all the binary artifacts - aka "dependencies" - that are part of all modern-day apps. But things have changed - a lot. Tools like Cloudsmith put your binaries into repositories, but that's just the start. The real job is understanding what's in each artifact, making the good artifacts get served, and the bad ones get quarantined. Cloudsmith might have been a "nice to have" at one point, but today, it's essential. Here's what to do today to protect against future threats like the axios attack: https://lnkd.in/eZBfcN3E

  • LIVE BRIEFING: This week, axios - the JavaScript HTTP client with over 100 million weekly npm downloads - was compromised in a supply chain attack. A malicious actor used a compromised maintainer account to inject a remote access trojan into two active release branches. Join our Head of Developer Relations Nigel Douglas for a 30-minute live breakdown of the attack and practical steps any engineering team can take to reduce their exposure to this type of threat. We will cover: ➡️ How the attack worked – from credential compromise to RAT deployment  ➡️ The staging techniques that helped the payload avoid early detection  ➡️ Defenses you can put in place today, including dependency pinning, age-based package policies, and threat intelligence integration. Whether or not you use axios, the attack pattern applies to any team pulling packages from public registries.

    npm axios attack - what happened and how to protect your supply chain


  • Security teams right now... Scan everything, generate the SBOM, run the audit and produce the report. ...and then not automate a single thing from it. 75% of teams, apparently. We looked into why, more on that soon.

  • On March 24, 2026, Andrej Karpathy posted a warning that most developers in the AI space saw within hours: a simple pip install litellm exfiltrated SSH keys, cloud credentials, Kubernetes secrets, API keys, crypto wallets, and more from any machine that ran it. LiteLLM has close to 100 million downloads per month. The attackers worked their way up the supply chain: first compromising Trivy, then using that foothold to steal LiteLLM's PyPI publishing credentials. With those credentials, they uploaded two backdoored versions directly to PyPI. The malicious versions were live for roughly three hours before PyPI quarantined them. There were three points in this attack where Cloudsmith would have stopped it. Jason Myers breaks them down here: https://lnkd.in/eFGnceUd
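The briefing posts above list three controls (dependency pinning, age-based package policies, and a threat-intelligence threshold such as EPSS), and the LiteLLM post notes the backdoored versions were live for roughly three hours before quarantine. The following is an added example written for this page, not Cloudsmith's code or a Cloudsmith API: a minimal policy-as-code gate that applies those three checks to a resolved dependency list. The package names, versions, publish times, EPSS values and the 72-hour / 0.10 thresholds are all constructed for illustration.

```python
# Added example (not Cloudsmith's code, not a Cloudsmith API): a minimal
# policy-as-code gate over resolved dependencies, checking the three controls
# the briefing posts name: exact version pinning, a minimum package age, and
# a threat-intelligence threshold (EPSS). Thresholds, package names, versions,
# timestamps and EPSS values below are constructed for illustration.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import re

# Only a fully pinned "MAJOR.MINOR.PATCH" spec counts as pinned (assumption:
# ranges such as "^2.1.0" or ">=0.9" let a resolver pull a just-published version).
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+$")


@dataclass(frozen=True)
class Dependency:
    ecosystem: str           # "npm" or "pypi"
    name: str
    spec: str                # version spec as written in the manifest
    resolved: str            # version the resolver actually picked
    published_at: datetime   # registry publish time of `resolved` (UTC)
    epss: float              # highest EPSS score among known CVEs for this version; 0.0 if none


@dataclass(frozen=True)
class Policy:
    min_age: timedelta = timedelta(hours=72)  # refuse versions younger than this
    max_epss: float = 0.10                    # refuse if exploitation probability exceeds this
    require_pinned: bool = True


def evaluate(dep: Dependency, policy: Policy, now: datetime) -> list[str]:
    """Return the list of policy violations for one dependency (empty means allowed)."""
    reasons = []
    if policy.require_pinned and not EXACT_VERSION.match(dep.spec):
        reasons.append(f"spec {dep.spec!r} is not pinned to an exact version")
    age = now - dep.published_at
    if age < policy.min_age:
        reasons.append(f"version {dep.resolved} was published {age} ago, under the {policy.min_age} minimum age")
    if dep.epss > policy.max_epss:
        reasons.append(f"EPSS {dep.epss:.2f} exceeds the {policy.max_epss:.2f} threshold")
    return reasons


def gate(deps, policy, now):
    """Split dependencies into allowed identifiers and a quarantine map of id -> reasons."""
    allowed, quarantined = [], {}
    for dep in deps:
        ident = f"{dep.ecosystem}:{dep.name}@{dep.resolved}"
        reasons = evaluate(dep, policy, now)
        if reasons:
            quarantined[ident] = reasons
        else:
            allowed.append(ident)
    return allowed, quarantined


# Constructed evaluation time and sample manifest (not real packages or incidents).
NOW = datetime(2026, 3, 25, 12, 0, tzinfo=timezone.utc)
SAMPLE_DEPS = [
    # caret range resolved to a version published three hours ago: the shape of
    # a freshly pushed backdoored release slipping in through an unpinned spec
    Dependency("npm", "acme-http", "^2.1.0", "2.1.5", NOW - timedelta(hours=3), 0.0),
    # pinned, mature, low exploitation probability
    Dependency("pypi", "acme-llm", "0.9.2", "0.9.2", NOW - timedelta(days=90), 0.02),
    # pinned and old, but carries a CVE that EPSS rates as likely to be exploited
    Dependency("npm", "acme-parse", "4.0.1", "4.0.1", NOW - timedelta(days=400), 0.35),
]

if __name__ == "__main__":
    ok, bad = gate(SAMPLE_DEPS, Policy(), NOW)
    for ident in ok:
        print("ALLOW     ", ident)
    for ident, reasons in bad.items():
        print("QUARANTINE", ident, "->", "; ".join(reasons))
```

The age gate is the check that targets the window described in the LiteLLM post: a version that has been on the registry for three hours cannot pass a 72-hour minimum, regardless of what the scanner knows about it yet. EPSS scores exploitation likelihood for known CVEs, so it says nothing about a brand-new malicious upload; it complements the age gate rather than replacing it. Pinning the spec stops a range from silently resolving to the newest release, but it still relies on the age and threat checks when a developer deliberately bumps the pin.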

  • And that's a wrap on KubeCon EU! 🇳🇱 From the Stop the AGI Apocalypse CTF to back-to-back lightning talks, packed booth conversations, fringe events, and a lot of swag, it’s been non-stop in the best way. Huge thank you to everyone who stopped by, familiar faces and new ones, and to our friends at Chainguard, Octopus Deploy, Cast AI, Kusari, Rootly, Aikido Security, and more for showing up alongside us. There's more where that came from. Keep an eye on our events page to see what’s next: https://lnkd.in/enBvtGuW

  • Booth talks by day, parties by night 🕺😎 It's been quite the 48 hours here at KubeCon with our Kick off Party and Unwind party - bringing together some of the most incredible people across the cloud-native community. Big shoutout to our friends Rootly for making it happen alongside us. If we got to shake your hand (or grab a drink with you) - it was genuinely great to meet you. And if we haven't crossed paths yet... we're not done. Find us at Booth 570, Hall 1. We've got more talks lined up through the day and swag to give out!


Funding

Cloudsmith 5 total rounds

Last Round

Series B

US$ 23.0M
