Cloudsmith Raises $72M for Software Supply-Chain Security
Data Breach Today
Recent Package Compromises Pushed Software Component Trust to the Security Agenda
Michael Novinson (MichaelNovinson) • April 23, 2026
Glenn Weinstein, CEO, Cloudsmith (Image: Cloudsmith)
An artifact management platform led by Twilio's former chief customer officer raised $72 million to bolster software supply-chain security.
The TCV-led Series C financing will help Belfast, Northern Ireland-based Cloudsmith enforce policies, audit usage and reduce exposure to malicious or compromised packages, said CEO Glenn Weinstein. By acting as an intermediary between developers and public repositories, Cloudsmith transforms artifact management into a security layer without requiring developers to change how they work, he said.
"Having a strong artifact management layer creates the byproduct of a secure software supply chain," Weinstein told ISMG. "That hasn't been our lead selling proposition in the past, but it sure is now because - in conjunction with artificial intelligence changing how we develop software - the software supply chain has been under unprecedented attack."
Cloudsmith, founded in 2016, employs 148 people and has raised $126 million, having last completed a $23 million Series B funding round also led by TCV in May 2025. The company has been led since August 2023 by Weinstein, who spent nearly four years leading customer support, professional services, solutions engineering and developer network teams at Twilio.
How Private Registries Help Companies Vet, Approve Packages
Recent incidents involving compromised packages and stolen maintainer credentials exposed how vulnerable modern development pipelines are, Weinstein said, particularly as organizations rely heavily on third-party components. As a result, Weinstein said security leadership is now directly engaged in governing how software is built and what components are trusted.
"We saw all sorts of creative ways to inject malicious code into the software supply chain," Weinstein said. "App dev or application security is not just something you leave to your DevOps teams or your platform engineering teams. It's a top of agenda item for CISOs and cybersecurity teams too. It's gone from, 'Yeah, we should probably do that,' to, 'That's absolutely mission critical.'"
Private registries help companies vet and approve packages before developers can use them, which not only reduces risk but also introduces consistency and auditability across development environments. Instead of simply flagging vulnerabilities, Cloudsmith wants to provide developers and AI agents with insights into package popularity, maturity, known risks and suitability for specific use cases, he said.
"There's nothing wrong with those public registries. They're great. They provide an incredible service to the community," Weinstein said. "But you do want to put a layer of policy and control in between your developers and those public registries."
While both human developers and AI agents perform similar tasks, agents are far more compliant with enforced policies, which Weinstein said creates an opportunity to embed security controls more deeply into the development process without sacrificing speed. At the same time, agents require high-quality context to make good decisions, which increases the importance of enriched metadata, Weinstein said.
"Agents will do what they're told," Weinstein said. "And if we tell an agent you must select a package from this curated repository, they listen to you. They will do what you say. Human developers may listen to you, may not listen to you."
Why Cloudsmith Wants External Security Data for Its Platform
By enriching its platform with data from external security tools such as vulnerability scanners and risk analysis platforms, Cloudsmith enables more nuanced policy decisions, Weinstein said. Instead of relying on simple rules, organizations can evaluate packages based on a combination of factors including exploitability, reachability and business context, he said.
"Traditionally, artifact management platforms have done some degree of scanning of artifacts to say, 'This artifact has some vulnerabilities, and I'll tag it with a vulnerability,'" Weinstein said. "We can do so much better than that. We can synthesize any number of sources all integrated through the Cloudsmith control plane to come up with a really rich picture of each individual artifact."
Cloudsmith is shifting toward a system that continuously monitors vulnerability disclosures and maps them against existing artifacts, which Weinstein said helps organizations understand their exposure in near real time and respond more quickly to emerging threats. It also reduces the need for repeated scanning, improving both efficiency and developer experience, Weinstein said.
"The future is you don't scan anything," Weinstein said. "When new problems are discovered, they're roughly in real time, emerge through your systems and you know your blast radius."
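As an added illustration of the "don't scan anything" model described above (example code, not Cloudsmith's own): keep a reverse index from package name to the stored artifacts that pin it, and when a new advisory arrives, match its OSV-style version range against the inventory and walk downstream consumers to get the blast radius. The package names, versions and the advisory are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Artifact:
    name: str                   # constructed id, e.g. "billing-api:2.3.1"
    deps: dict                  # package name -> pinned version
    consumers: list = field(default_factory=list)  # artifacts built on this one

def parse_version(v):
    return tuple(int(x) for x in v.split("."))

def version_in_range(version, introduced, fixed):
    """OSV-style half-open range: introduced <= version < fixed (fixed may be None)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)

def build_index(inventory):
    """Reverse index: package name -> [(artifact, pinned version), ...]."""
    index = {}
    for art in inventory:
        for pkg, ver in art.deps.items():
            index.setdefault(pkg, []).append((art, ver))
    return index

def blast_radius(advisory, index, by_name):
    """Names of every artifact hit directly by the advisory or via a consumer chain."""
    hit = set()
    for art, ver in index.get(advisory["package"], []):
        if any(version_in_range(ver, r["introduced"], r.get("fixed")) for r in advisory["ranges"]):
            hit.add(art.name)
    stack = list(hit)                       # propagate to downstream consumers
    while stack:
        for consumer in by_name[stack.pop()].consumers:
            if consumer not in hit:
                hit.add(consumer)
                stack.append(consumer)
    return sorted(hit)

# Constructed inventory: hypothetical internal artifacts and a fictional package
INVENTORY = [
    Artifact("lib-common:1.0.0", {"json-parse-kit": "1.3.0"}, consumers=["billing-api:2.3.1"]),
    Artifact("billing-api:2.3.1", {"lib-common": "1.0.0", "http-kit": "4.2.0"}),
    Artifact("reporting-job:0.9.2", {"json-parse-kit": "1.2.0"}),
    Artifact("legacy-tool:3.1.0", {"json-parse-kit": "1.4.0"}),
]
INDEX = build_index(INVENTORY)
BY_NAME = {a.name: a for a in INVENTORY}
# Constructed advisory: json-parse-kit 1.3.0 <= v < 1.4.0 is affected
ADVISORY = {"package": "json-parse-kit", "ranges": [{"introduced": "1.3.0", "fixed": "1.4.0"}]}

def affected():
    return blast_radius(ADVISORY, INDEX, BY_NAME)
```

Only lib-common pins an affected version, but billing-api is reported too because it consumes lib-common; the 1.4.0 pin is excluded by the half-open range.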
As software components grow in size and complexity, particularly with the rise of containers and machine learning models, managing the flow of artifacts becomes increasingly demanding. Advanced caching, pre-processing and infrastructure optimization ensure that builds remain fast and reliable, and Weinstein said Cloudsmith is working to make secure workflows as seamless as possible.
"The software supply chain is just too critical for the security team to wave their hands and say, 'I hope they figure it out,'" Weinstein said. "They've got to work together to secure the software."