Understanding Trust in Software Toolchains

As an industry, we’ve poured billions into #ZeroTrust for users, devices, and networks. But when it comes to software - the thing powering every modern business, we’ve made one glaring exception: OPEN SOURCE SOFTWARE! Every day, enterprises ingest unvetted, unauthenticated code from strangers on the internet. No questions asked. No provenance checked. No validation enforced. We assume OSS is safe because everyone uses it. But last week’s #npm attacks should be a wake-up call. That’s not Zero Trust. That’s blind trust. If 80% of your codebase is open source, it’s time to extend Zero Trust to the software supply chain. That means: • Pin every dependency. • Delay adoption of brand-new versions. • Pull trusted versions of OSS libraries where available. #Google's Assured OSS offering is a good one for this. • Assess health and risk of malicious behavior before you approve a package. • Don’t just scan for CVEs—ask if the code is actually exploitable. Use tools that give you evidence and control, not just noise. I wrote more about this in the blog linked 👇 You can’t have a Zero Trust architecture while implicitly trusting 80% of your code. It's time to close the gap and mandate Zero Trust for OSS. #OSS #npmattacks #softwaresupplychainsecurity

Zero Trust Agile Zero Trust (ZT) is a security mindset that assumes no user, device, or system is to be trusted by default, even if inside the network. Instead of granting broad access based on location or credentials, ZT continuously verifies identity, context, and behavior before allowing access to systems, data, or code. ZT applies to Agile teams in two ways: in development (securing the people, processes, and tools used to build software) and in the product (protecting users and data). Agile teams move fast, but without strong security, they may expose sensitive data, development pipelines, or customers to cyber threats. Zero Trust in Development Agile teams work in distributed environments and use cloud-based tools. Traditional security models assume internal networks are safe. ZT doesn’t. Every access request, whether from a developer, an automation script, or a third-party integration, is verified. An unsecured pipeline can introduce vulnerabilities. ZT prevents unauthorized code changes by enforcing strict identity verification for developers pushing code, role-based access control (RBAC) to limit who can modify repositories, and cryptographic verification so only trusted artifacts reach production. Agile developers work across devices and locations. MFA and device posture checks verify that only trusted users and devices access development tools. Just-in-time access grants privileges temporarily. Data encryption protects code and credentials, even if a device is compromised. Agile teams use open-source libraries and third-party tools, which can introduce supply-chain risks. ZT mitigates them with automated dependency scanning, cryptographic verification, and continuous monitoring of integrations. Zero Trust in the Product Security doesn’t stop at development. The product itself must enforce ZT principles to protect customers, data, and integrations. A ZT product never assumes users are who they claim to be. It enforces strong authentication using MFA and passwordless login, continuous verification that checks behavior for anomalies, and granular role-based access so users only access what they need. APIs and microservices are attack vectors. ZT requires that even internal services authenticate and validate requests. API authentication and authorization use OAuth, JWT, and mutual TLS. Rate limiting and anomaly detection prevent abuse. Encryption of data in transit and at rest keeps intercepted data unreadable. ZT means each system, user, and process has the least privilege necessary. Session-based access controls dynamically revalidate permissions. End-to-end encryption secures data, even if intercepted. Data masking and tokenization protect sensitive information. Double Zero Agile teams can’t just build software fast, they have to build it securely. Embedding ZT in development means only the right people, processes, and tools can modify code. Embedding ZT in the product means the software itself protects users and data.

Ever run npm install or pip install without a second thought? You're trusting that the pre-built package you're downloading perfectly matches the public source code. But what if it doesn't? This is a critical trust gap in the open-source software supply chain. We see the pristine source code in the repository, but our applications use pre-built artifacts. A malicious actor can easily keep the source code clean while injecting a backdoor directly into the artifact that gets published. This is how sophisticated supply chain attacks, like the recent one with xz-utils, can happen. This is why I'm excited about Google's new project, 𝗢𝗦𝗦 𝗥𝗲𝗯𝘂𝗶𝗹𝗱 Think of it as an independent verification system for the open-source world. OSS Rebuild addresses this problem by:  • Taking the public source code for a package.  • Rebuilding the artifact in a secure, standardized environment.  • Semantically comparing its result with the artifact published in the registry. If they match, OSS Rebuild issues a verifiable attestation (SLSA Provenance), confirming the package's integrity. This process can detect hidden malicious code, compromised build environments, and other stealthy backdoors. What makes this so significant is that it strengthens trust in the ecosystem without placing an extra burden on the upstream maintainers. It retrofits security and transparency for thousands of existing packages on PyPI, npm, and Crates.io. This is a powerful step forward for securing our software supply chains. It empowers security teams and enterprises to verify their dependencies and gives developers more confidence in the tools they use every day. Kudos to the Google Open Source Security Team for this initiative! https://lnkd.in/e6hDKxNr #SoftwareSupplyChain #OpenSource #Security #Cybersecurity #DevSecOps #Google #SLSA

Trust Inversion Problem March 31, 2026 broke two kinds of trust in the npm registry on the same day. At 00:21 UTC, North Korean hackers published backdoored Axios versions via a compromised maintainer token. Cross-platform RAT. Self-deleting dropper. 15 seconds to C2. Hours later, Anthropic accidentally shipped 512,000 lines of Claude Code's proprietary source code via a source map file in the npm package. Two incidents. Same registry. Same trust model. Opposite directions. The Axios attack proved: one compromised token can weaponize a top-10 package in minutes. The latest tag ensures maximum distribution. No human review. No cooldown. The Claude Code leak proved: even the company marketing itself as the safety-first AI lab shipped unstripped source maps to a public registry. What connects them isn't npm. It's this: The entire modern software supply chain runs on "publish = trusted". No verification layer between a maintainer's credentials and millions of production environments. No mandatory review for packages above a download threshold. No separation between "uploaded" and "installable." I'm calling this the Trust Inversion Problem. In traditional security, trust is earned incrementally. In npm, trust is granted instantly and revoked reactively. The attacker's window isn't how long it takes to detectm it's how long it takes to unpublish. And by then, npm install has already done its job. What needs to change: → Mandatory release cooldowns for packages above a download threshold → Postinstall script sandboxing by default → Build pipeline verification (source maps, debug symbols, internal paths) → Cryptographic attestation between source repos and published packages → Treat AI dev tools with the same threat model as any third-party dependency, because they are one The developer ecosystem just learned that the packages you install today may not behave the way you assumed yesterday. Whether through malice or design. Brian Krebs Chuck Brooks Snyk Wiz OWASP AI Exchange #Cybersecurity #SupplyChain #NPM #DevSecOps #AISecurity #InfoSec #ThreatIntelligence #ZeroTrust #AgenticAI #SoftwareSecurity

Developer trust doesn't break at one point. It breaks in layers. Most DevTool teams treat trust as a landing page problem. It's not. It's a systems problem. There are 4 layers where trust is built or silently lost: 𝐋𝐚𝐲𝐞𝐫 1: 𝐃𝐢𝐬𝐜𝐨𝐯𝐞𝐫𝐚𝐛𝐢𝐥𝐢𝐭𝐲 𝐓𝐫𝐮𝐬𝐭  → Does your tool show up where devs actually look?  → Google, GitHub, Reddit, AI tools - if you're absent, you don't exist  → First impression happens before your site loads 𝐋𝐚𝐲𝐞𝐫 2: 𝐂𝐫𝐞𝐝𝐢𝐛𝐢𝐥𝐢𝐭𝐲 𝐓𝐫𝐮𝐬𝐭  → GitHub health, documentation depth, changelog honesty  → Devs pattern-match abandonment fast - one stale repo kills conversion  → Social proof only works if it's engineer-grade, not marketing-grade 𝐋𝐚𝐲𝐞𝐫 3: 𝐄𝐱𝐩𝐞𝐫𝐢𝐞𝐧𝐜𝐞 𝐓𝐫𝐮𝐬𝐭  → Time-to-first-value is a trust signal, not just a UX metric  → Friction before value = implicit signal that the product isn't confident in itself  → Every extra step before "aha" costs compounding trust 𝐋𝐚𝐲𝐞𝐫 4: 𝐂𝐨𝐦𝐦𝐮𝐧𝐢𝐭𝐲 𝐓𝐫𝐮𝐬𝐭   → What do devs say when your team isn't in the room?  → Reddit threads, Discord activity, HN comments this is the audit layer  → Community trust is the only trust that scales without your direct involvement Most DevTool growth strategies live at Layer 1. The ones that compound live at Layer 4. P.S. Which layer do you think most DevTools underinvest in and why? Genuine question, the answers vary more than you'd expect. Follow Shantanu Das ↗️ for more insights

Software engineering requires high trust. Like really trusting others with your life. When you code, you often use third-party libraries like NumPy for Python or Lodash for JavaScript. These libraries are maintained by others, so you need to trust their work. Using libraries like Express for Node.js or React for front-end development means you rely on their reliability and security. For instance, consider a popular library like Left-pad, which was widely used by many JavaScript projects. When it was suddenly unpublished in 2016, it broke thousands of projects globally, causing massive disruptions. Another example is the Heartbleed bug in the OpenSSL library. This security vulnerability exposed millions of systems to data breaches, showing how a flaw in a widely trusted library can have far-reaching consequences. Similarly, in 2020, a malicious update in the event-stream library affected many Node.js applications, illustrating how dependencies can introduce security risks. When TensorFlow updates, you read the release notes to understand changes and potential issues. If an update introduces a breaking change, like modifying how a function behaves, it can cause your machine learning model to malfunction. This happened when a TensorFlow update deprecated some functions, requiring developers to refactor their code. This trust extends to ensuring that libraries won't break your code. Always review code, check updates, and stay informed about the libraries you use. Automated tools like Dependabot can help track library updates and notify you of potential issues. Running tests regularly can catch problems early. For example, Facebook once faced issues when a React update broke backward compatibility, affecting many production systems. In production, even a minor library bug can lead to downtime. For instance, a glitch in a payment processing library could halt transactions, affecting revenue and user trust. Thus, it's crucial to have robust monitoring and rollback plans. Trust, but verify, and always be prepared for unexpected issues.

🔓 Most breaches don’t begin with a 𝐳𝐞𝐫𝐨-𝐝𝐚𝐲 𝐞𝐱𝐩𝐥𝐨𝐢𝐭 or a sophisticated phishing campaign.⁣ They often start with something far more mundane: 𝐭𝐫𝐮𝐬𝐭.⁣ ⁣ 👨💻 A developer, working under pressure to meet a deadline, reaches for a popular open-source library.⁣ It’s well-documented. Widely used. Actively maintained.⁣ The 𝐆𝐢𝐭𝐇𝐮𝐛 page is full of ⭐️. Everything looks reliable on the surface.⁣ ⁣ So the code is pulled in, committed, and pushed to production.⁣ No one questions it, because why would they?⁣ It’s open source. It’s trusted. It’s fast.⁣ ⁣ 🚨 𝐓𝐡𝐞𝐧 𝐭𝐡𝐞 𝐚𝐥𝐞𝐫𝐭𝐬 𝐬𝐭𝐚𝐫𝐭.⁣ ⁣ Unusual outbound traffic.⁣ A connection to an unknown domain.⁣ A backend service behaving in ways it shouldn’t.⁣ ⁣ By the time someone traces it back, the damage is done triggered by a dependency four layers deep in the software stack.⁣ ⁣ 📉 This isn’t theoretical. It’s happening more than we like to admit.⁣ And it’s not just an IT issue anymore, these risks bleed into OT environments, embedded systems, and critical infrastructure.⁣ ⁣ 🧾 We talk about SBOMs.⁣ 🏗 We talk about “secure by design.”⁣ But without real scrutiny and accountability, those are just buzzwords on a compliance checklist.⁣ ⁣ 🔁 Open-source isn’t the problem. "𝐁𝐥𝐢𝐧𝐝 𝐭𝐫𝐮𝐬𝐭 𝐢𝐬".⁣ ⁣ 💬 How are you addressing software supply chain risks in your organization?⁣ Let’s swap notes, before the next breach is just a 𝐧𝐩𝐦-𝐢𝐧𝐬𝐭𝐚𝐥𝐥 away.⁣ ⁣ #OpenSourceSecurity #SupplyChainRisk #DevSecOps #CyberResilienceAct #OTSecurity #SecureDevelopment #SoftwareSecurity

Yesterday, researchers found that litellm, a Python library with 95 million monthly downloads, was backdoored on PyPI. Two versions, 1.82.7 and 1.82.8, contained hidden code that harvested SSH keys, cloud credentials, Kubernetes secrets, crypto wallets, and .env files the moment the library was imported. This is the same threat actor, TeamPCP, that had already compromised dozens of npm packages, over the previous three weeks. As AI coding assistants become extremely popular and in many cases mandated to be adopted by product teams, a growing number of people are shipping code they don't fully read or understand. Cursor generates a requirements.txt. Copilot adds a dependency. An agent scaffolds the entire backend for you. It all works on your local environment, so you move on. The problem is that "it works" and "it's safe" are two completely different things. The litellm attack was surgical as the malicious code was 12 lines inserted between two unrelated legitimate code blocks in a single file. The only reliable way to catch it was comparing the distributed package against the upstream GitHub commit. Many people who build, with or without AI assistance, wouldn't check that. And the tooling for this kind of verification hasn't been part of the default workflow and cybersecurity has been an afterthought. This is the exact reason why we are changing that now at CRACI. Because the stakes are now changing too. When an AI agent installs dependencies on your behalf, runs code, or scaffolds infrastructure that touches production secrets, the surface area of trust is enormous. When you press "accept changes", you're trusting every package the agent chose, and every version of every package in your dependency tree. This is a really good reason and the best possible time for you to understand what you're shipping. The craft of building digital products has always required understanding what you're building, even when tools may do the heavy lifting. Stay curious about what's running in your systems. Your future self and your customers will thank you.

The biggest vulnerability is that the security team and devs haven’t spoken in three months, except through passive-aggressive Jira comments. And network literally blocked cyber on slack. I’ve watched security projects die slower deaths than a Windows Vista laptop. All because someone in cyber once said “no” without explaining why, and now the entire dev team treats security reviews like a trip to the DMV. We’ve somehow convinced ourselves that cybersecurity is a battle. Cyber vs Network. Cyber vs Devs. Cyber vs literally anyone trying to ship something before the heat death of the universe. We write policies like we’re handing down commandments from a mountain, then act shocked when people find creative ways around them. The team is not the enemy. They’re trying to build things, ship features, and not get fired. When security teams build actual relationships, magic happens. Developers start asking about security before deploying to production. Network teams volunteer information instead of hiding behind “it’s always DNS.” Projects that would’ve taken 18 months of bureaucratic warfare suddenly take 3 weeks. The secret weapon isn’t a new EDR solution or zero-trust architecture. It’s explaining why something matters, listening when someone says “that won’t work in our environment,” and occasionally admitting you don’t have all the answers. Trust doesn’t mean lowering standards. It means raising collaboration. It means security architects who understand that “just rewrite everything in Rust” isn’t helpful feedback. It means developers who don’t treat security reviews as personal attacks. Because here’s the thing about trust: it’s the only control that actually scales.

All software breaks. If you think “trust” in software means it never breaks, you’re setting yourself up for disappointment. Given enough time, edge cases, integrations, scale… something will fail. And when everything is working, nobody talks about “trust.” They just use the product. Trust shows up when something goes wrong. That’s when it actually matters. In my experience, customers aren’t really asking, “Will this platform be perfect forever?” They’re asking: When it’s 2am and something’s on fire… Are you going to answer? Are you going to own it? Are you going to stand beside us while we fix it? Trust doesn’t mean blind belief in flawless code. It’s confidence in the people behind it. It’s knowing you won’t be left alone when things get messy. And the teams that understand this design differently, support differently, and communicate differently. Because they know the real product isn’t just the software. It’s the relationship between you and your customers.