diff --git a/TI-reports/2026/2026-Q2-Repos-WG.md b/TI-reports/2026/2026-Q2-Repos-WG.md new file mode 100644 index 00000000..5f3baa27 --- /dev/null +++ b/TI-reports/2026/2026-Q2-Repos-WG.md @@ -0,0 +1,40 @@ +# 2026 Q2 Securing Software Repositories Working Group + +## Overview + +Package repositories are under attack. There are several ongoing campaigns that distribute replicating malware via the major package repositories. Previous security capabilities organized by this working group have been helpful, but additional security capabilities are needed to protect open source ecosystems. + +## Securing Software Repositories Working Group + +### Purpose + +Improve security of software repositories by providing a forum for discussion, a maturity model for security roadmaps, and guidance for individual security capabilities. These conversations, roadmaps, and guidance help ecosystems learn from each other, which accelerates the deployment of security capabilities. + +### Current Status + +- Recent attacks on package repositories + - Mitigating attacks with [npm preview of staged publishing](https://docs.npmjs.com/staged-publishing) + - Recommend that repositories using trusted publishing disable events from pull_request_target (implemented by npm, PyPI, and Rust Crates) + - Trusted publishing has been hugely valuable as a signal of suspicious packages, as well as a tool for incident response +- Welcome to our new co-chair Mike Fiedler; and thanks to former co-chair Dustin Ingram for his years of service +- We've accepted the Package Analysis and Malicious Packages projects from Securing Critical Projects WG + +### Up Next + +- [Make npm install scripts opt-in](https://github.com/npm/rfcs/pull/868)? + +### Funding requests and updates + +RSTUF is participating in the [summer 2026 LFX Mentorship funding request](https://github.com/ossf/tac/issues/573). + +No other funding request are in progress at this time. + +There are no plans currently to apply for additional funding. + +### Questions/Issues for the TAC + +None at this time! + +## Additional Information + +None at this time.