Google has launched a new initiative, OSS Rebuild, designed to enhance the security of open-source ecosystems and reduce the risk of software supply chain attacks.
With supply chain threats increasingly targeting commonly used dependencies, OSS Rebuild provides security teams with actionable insights to identify compromised packages—without adding extra responsibility to upstream developers. This initiative was detailed in a blog post by Matthew Suozzo from the Google Open Source Security Team (GOSST).
The OSS Rebuild project focuses on generating verifiable build provenance for packages across major repositories such as PyPI (Python), npm (JavaScript/TypeScript), and Crates.io (Rust). Google also plans to expand coverage to more open-source ecosystems.
At the core of OSS Rebuild is a system that uses declarative build definitions, build instrumentation, and network behavior analysis to generate secure and trustworthy metadata. This metadata can then be used to validate a package’s origin and confirm it hasn’t been tampered with during the build process.
Google explained that its system uses automation and heuristic analysis to create a build definition for each package, rebuilds the package from it, and then performs a semantic comparison against the original artifact. This comparison includes normalization steps (e.g., dealing with archive compression) so that minor technical differences in how an artifact was packed do not produce false mismatches.
When a package is successfully rebuilt, OSS Rebuild publishes the build definition and results as a SLSA Provenance attestation. This allows users to verify the origin, replicate the build, or customize it starting from a secure and known configuration.
In cases where automation falls short, OSS Rebuild provides a manual build specification for developers to use.

This approach helps detect various forms of supply chain compromise, including:
- Packages containing hidden or unauthorized code not found in the public source repository (e.g., @solana/web3.js)
- Suspicious or anomalous build behavior (e.g., tj-actions/changed-files)
- Obscure or dangerous execution paths that evade typical manual inspection (e.g., the XZ Utils backdoor incident)
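To make the rebuild-and-compare idea concrete, here is a small added example (not OSS Rebuild's own code) that compares a published archive against a rebuilt one the way the normalized semantic comparison above describes, and flags a member present upstream but absent from the rebuild, the "hidden code" case in the first bullet. The package names, file contents and archives are constructed for the demonstration; real artifacts, tarball support and the build itself are out of scope.

```python
import hashlib
import io
import zipfile


def archive_manifest(archive_bytes: bytes) -> dict[str, str]:
    """Map each member path to the SHA-256 of its contents.

    Compression method, per-entry timestamps and member ordering are deliberately
    ignored: two archives that differ only in how they were packed compare equal.
    """
    manifest = {}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            manifest[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return manifest


def compare_artifacts(upstream: bytes, rebuilt: bytes) -> list[str]:
    """Return human-readable differences; an empty list means the artifacts match."""
    up, rb = archive_manifest(upstream), archive_manifest(rebuilt)
    findings = []
    for name in sorted(set(up) | set(rb)):
        if name not in rb:
            findings.append(f"present in upstream artifact but absent from rebuild: {name}")
        elif name not in up:
            findings.append(f"present in rebuild but absent from upstream artifact: {name}")
        elif up[name] != rb[name]:
            findings.append(f"content differs: {name}")
    return findings


def make_zip(members: dict[str, bytes], compression: int, mtime=(2024, 1, 1, 0, 0, 0)) -> bytes:
    """Constructed sample archive standing in for a real package artifact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            info = zipfile.ZipInfo(name, date_time=mtime)
            info.compress_type = compression
            zf.writestr(info, data)
    return buf.getvalue()


# Constructed "public source tree" of a hypothetical package.
SOURCE = {"pkg/__init__.py": b"VERSION = '1.0'\n", "pkg/core.py": b"def run():\n    return 42\n"}
# Upstream artifact: deflated, later timestamps. Rebuild: stored, fixed timestamps.
UPSTREAM_CLEAN = make_zip(SOURCE, zipfile.ZIP_DEFLATED, (2025, 7, 1, 12, 0, 0))
REBUILT = make_zip(SOURCE, zipfile.ZIP_STORED)
# Upstream artifact carrying a module that the public source tree does not contain.
UPSTREAM_TAMPERED = make_zip({**SOURCE, "pkg/_extra.py": b"# not in the source repository\n"}, zipfile.ZIP_DEFLATED)
```

Run `compare_artifacts(UPSTREAM_CLEAN, REBUILT)` to see an empty result despite the differing compression and timestamps, and `compare_artifacts(UPSTREAM_TAMPERED, REBUILT)` to see the extra member reported.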
Beyond mitigating supply chain threats, OSS Rebuild also enhances Software Bills of Materials (SBOMs), accelerates vulnerability response, and increases trust in packages—reducing reliance on CI/CD pipelines for package security.
According to Google, all rebuilds are based on publicly available metadata and artifacts. When the rebuild process is successful, it results in a verified attestation confirming the integrity of the original upstream artifact, eliminating numerous potential attack vectors.
Source: https://thehackernews.com/2025/07/google-launches-oss-rebuild-to-expose.html