Every software update is a trust decision. You are trusting that the developer’s build pipeline hasn’t been compromised. You are trusting that the package manager’s signing infrastructure is intact. You are trusting that nobody inserted four lines of code between the review and the release.
That is a lot of trust.
The Current Landscape
In the past 18 months:
- 3 major package registries experienced signing key compromises
- 11 widely-used libraries were found to contain dormant exfiltration code
- 1 incident involved a maintainer who technically never existed
The last item is the most concerning and the least discussed.
Practical Guidance
- Pin your dependencies. Not to versions — to hashes.
- Build from source when the stakes justify it. If you don’t know whether the stakes justify it, they do.
- Monitor outbound traffic from your build systems. If your CI pipeline is talking to a server in a country you don’t do business in, that is not a misconfiguration.
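The first item in working form, as an added example that is not part of the original transmission: a small Python checker that reads a pip-style lockfile whose entries carry `--hash=` pins, verifies downloaded artifact bytes against those digests, and refuses any entry pinned to a version only. The lockfile contents, package names and artifact bytes are constructed for illustration.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass

# Constructed lockfile in the format `pip install --require-hashes` reads.
# The first entry is pinned to a content hash; the second only to a version.
LOCKFILE = """\
example-lib==1.4.2 \\
    --hash=sha256:ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
version-only-lib==0.9.0
"""

# Constructed bytes standing in for the downloaded package files.
ARTIFACTS = {
    "example-lib": b"abc",            # sha256 matches the pinned digest
    "version-only-lib": b"anything",  # nothing to check it against
}

ALLOWED_ALGORITHMS = ("sha256", "sha384", "sha512")

@dataclass
class Pin:
    name: str
    version: str
    hashes: dict  # algorithm -> expected hex digest

def parse_lockfile(text):
    """Parse `name==version --hash=alg:hex ...` lines into Pin records."""
    pins = []
    for line in text.replace("\\\n", " ").splitlines():  # join continuations
        parts = line.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        m = re.fullmatch(r"([A-Za-z0-9_.-]+)==([A-Za-z0-9_.]+)", parts[0])
        if not m:
            raise ValueError(f"unsupported requirement: {parts[0]}")
        hashes = {}
        for opt in parts[1:]:
            hm = re.fullmatch(r"--hash=([a-z0-9]+):([0-9a-f]+)", opt)
            if not hm or hm.group(1) not in ALLOWED_ALGORITHMS:
                raise ValueError(f"unsupported option: {opt}")
            hashes[hm.group(1)] = hm.group(2)
        pins.append(Pin(m.group(1), m.group(2), hashes))
    return pins

def verify(pins, artifacts):
    """Return {name: reason} for every entry that must not be installed."""
    problems = {}
    for pin in pins:
        if not pin.hashes:
            problems[pin.name] = "pinned to a version only, no content hash"
        elif pin.name not in artifacts:
            problems[pin.name] = "artifact missing"
        elif not any(hmac.compare_digest(hashlib.new(alg, artifacts[pin.name]).hexdigest(), hexd)
                     for alg, hexd in pin.hashes.items()):
            problems[pin.name] = "content hash mismatch"
    return problems
```

An empty result from `verify` is the only outcome under which installation should proceed.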
Transmission 002. Clearance: PUBLIC.