Skip to content
Open
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
40 changes: 40 additions & 0 deletions TI-reports/2026/2026-Q2-Repos-WG.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,40 @@
# 2026 Q2 Securing Software Repositories Working Group

## Overview

Package repositories are under attack. There are several ongoing campaigns that distribute replicating malware via the major package repositories. Previous security capabilities organized by this working group have been helpful, but additional security capabilities are needed to protect open source ecosystems.

## Securing Software Repositories Working Group

### Purpose

Improve security of software repositories by providing a forum for discussion, a maturity model for security roadmaps, and guidance for individual security capabilities. These conversations, roadmaps, and guidance help ecosystems learn from each other, which accelerates the deployment of security capabilities.

### Current Status

- Recent attacks on package repositories
- Mitigating attacks with [npm preview of staged publishing](https://docs.npmjs.com/staged-publishing)
- Recommend that repositories using trusted publishing disable events from pull_request_target (implemented by npm, PyPI, and Rust Crates)
- Trusted publishing has been hugely valuable as a signal of suspicious packages, as well as a tool for incident response
- Welcome to our new co-chair Mike Fiedler; and thanks to former co-chair Dustin Ingram for his years of service
- We've accepted the Package Analysis and Malicious Packages projects from Securing Critical Projects WG

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you pls shed some light on what's next for these projects following this transition?

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Our intention is for the projects to continue to operate as they were. There is some maintenance in there, but mostly this involves the Malicious Packages project reviewing and publishing submissions from security researchers. Malicious Packages maintainers have also been proactively notifying operators of package repositories during large-scale campaigns, which we greatly appreciate.

There has been increased security researcher activity since about September of last year, as package managers have seen more frequent and larger scale malware campaigns.


### Up Next

- [Make npm install scripts opt-in](https://github.com/npm/rfcs/pull/868)?

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What role do you expect the WG to take in this, advising, helping with implementation, etc.?

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We would definitely appreciate folks who operate other package repositories to share any relevant experiences and learnings on the RFC. In this particular case, many existing package repositories have avoided making this design decision, but when it's successfully implemented we'll add it to our guidance on https://repos.openssf.org/ for newer / future package repositories to learn from.


### Funding requests and updates

RSTUF is participating in the [summer 2026 LFX Mentorship funding request](https://github.com/ossf/tac/issues/573).

No other funding request are in progress at this time.

There are no plans currently to apply for additional funding.

### Questions/Issues for the TAC

None at this time!

## Additional Information

None at this time.