ecosystem-security on The Trail of Bits Blog

Catching malicious package releases using a transparency log

Fri, 12 Dec 2025 07:00:00 -0500

We’re getting Sigstore’s rekor-monitor ready for production use, making it easier for developers to detect tampering and unauthorized uses of their identities in the Rekor transparency log.

Supply chain attacks are exploiting our assumptions

Wed, 24 Sep 2025 07:00:00 -0400

Supply chain attacks exploit fundamental trust assumptions in modern software development, from typosquatting to compromised build pipelines, while new defensive tools are emerging to make these trust relationships explicit and verifiable.

Making PyPI's test suite 81% faster

Thu, 01 May 2025 09:00:00 -0400

See how we slashed PyPI’s test suite runtime from 163 to 30 seconds.
The techniques we share can help you dramatically improve your own project’s
testing performance without sacrificing coverage.

Attestations: A new generation of signatures on PyPI

Thu, 14 Nov 2024 09:00:15 -0500

For the past year, we’ve worked with the Python Package Index (PyPI) on a new security feature for the Python ecosystem: index-hosted digital attestations, as specified in PEP 740. These attestations improve on traditional PGP signatures (which have been disabled on PyPI) by providing key usability, index verifiability, cryptographic strength, and provenance properties that bring […]

Enhancing trust for SGX enclaves

Fri, 26 Jan 2024 09:00:31 -0500

Creating reproducible builds for SGX enclaves used in privacy-oriented deployments is a difficult task that lacks a convenient and robust solution. We describe using Nix to achieve reproducible and transparent enclave builds so that anyone can audit whether the enclave is running the source code it claims, thereby enhancing the security of […]

Celebrating our 2023 open-source contributions

Wed, 24 Jan 2024 09:00:22 -0500

At Trail of Bits, we pride ourselves on making our best tools open source, such as Slither, PolyTracker, and RPC Investigator. But while this post is about open source, it’s not about our tools… In 2023, our employees submitted over 450 pull requests (PRs) that were merged into non-Trail of Bits repositories. This demonstrates our […]

Our audit of PyPI

Tue, 14 Nov 2023 08:00:37 -0500

This is a joint post with the PyPI maintainers; read their announcement here! This audit was sponsored by the Open Tech Fund as part of their larger mission to secure critical pieces of internet infrastructure. You can read the full report in our Publications repository. Late this summer, we performed an audit […]

Adding build provenance to Homebrew

Mon, 06 Nov 2023 08:00:37 -0500

This is a joint post with Alpha-Omega—read their announcement post as well! We’re starting a new project in collaboration with Alpha-Omega and OpenSSF to improve the transparency and security of Homebrew. This six-month project will bring cryptographically verifiable build provenance to homebrew-core, allowing end users and companies to prove that Homebrew’s packages come from the official Homebrew CI/CD.

Trusted publishing: a new benchmark for packaging security

Tue, 23 May 2023 07:00:20 -0400

Read the official announcement on the PyPI blog as well! For the past year, we’ve worked with the Python Package Index to add a new, more secure authentication method called “trusted publishing.” Trusted publishing eliminates the need for long-lived API tokens and passwords, reducing the risk of supply chain attacks and credential leaks while also […]

Announcing a stable release of sigstore-python

Fri, 13 Jan 2023 10:00:58 -0500

Read the official announcement on the Sigstore blog as well! Trail of Bits is thrilled to announce the first stable release of sigstore-python, a client implementation of Sigstore that we’ve been developing for nearly a year! This work has been graciously funded by Google’s Open Source Security Team (GOSST), who we’ve also […]

We sign code now

Tue, 08 Nov 2022 07:30:15 -0500

Sigstore announced the general availability of its free and ecosystem-agnostic software signing service two weeks ago, giving developers a way to sign, verify and protect their software projects and the dependencies they rely on. Trail of Bits is absolutely thrilled to be a part of the project, and we spoke about our […]

Getting 2FA Right in 2019

Thu, 20 Jun 2019 06:50:12 -0400

Since March, Trail of Bits has been working with the Python Software Foundation to add two-factor authentication (2FA) to Warehouse, the codebase that powers PyPI. As of today, PyPI members can enable time-based OTP (TOTP) and WebAuthn (currently in beta). If you have an account on PyPI, go enable your preferred 2FA method before you […]