Cloudsmith warns most engineering teams remain unprepared for EU CRA compliance, as weak SBOM automation and AI-driven slopsquatting expand open-source dependency risk.
Open-source software supply chains are heading into the EU Cyber Resilience Act (CRA) deadline with a major compliance gap, as only one in four engineering teams automatically generates and verifies software bills of materials (SBOMs) at every build, according to Cloudsmith’s latest findings.
That leaves most organisations dependent on manual, reactive, or audit-only SBOM workflows, creating a serious governance weakness as the CRA will require actively exploited vulnerabilities to be reported within 24 hours, followed by a full assessment in 72 hours. Nearly three in four teams would struggle to produce a complete artifact audit during an unannounced compliance check, highlighting the scale of the open-source readiness issue.
The challenge is amplified by modern software’s growing dependency sprawl, where applications now carry 1,200+ open-source libraries, transitive components, and third-party packages. Without provenance tracing, teams cannot quickly identify affected versions or impacted production environments.
A sharper risk is emerging from AI-assisted development. With 93% of organisations now using AI tools, hallucinated package names are increasingly turning into a new attack vector known as “slopsquatting,” where malicious actors register fake open-source packages that coding assistants may unknowingly recommend.
Cloudsmith’s response pushes enforcement upstream through an Open Policy Agent (OPA)-based policy engine, blocking risky packages at ingestion using quarantine windows, EPSS-based exploit prioritisation, deep transitive SBOM inspection, and licence compliance checks.
As artifact standards expand from OCI containers to MCP-governed AI agent tooling and Hugging Face models, software supply chain governance is rapidly evolving into a broader AI-era open artifact security discipline.
