A New Standard in Software Supply Chain Intelligence:

Hunted Labs’ Principles for Open Source Security

The seven principles that anchor everything we do

Written by:

Hunted Labs


When the XZ Utils backdoor was discovered in March 2024, it validated what we long feared: sophisticated actors are systematically targeting the trust mechanisms of open source. Patient adversaries are willing to spend years building credibility within projects before introducing malicious code that could ripple throughout global infrastructure.

We founded Hunted Labs in direct response to this reality. There were tools for organizations to identify and review vulnerabilities and misconfigurations, but there was no way to evaluate who was behind critical open source code: no ability to measure contributor risk, assess the potential for coercion, or map ownership and control across dependencies. This is the intelligence gap we fill.

In reports on packages like easyjson and fast-glob, we uncovered critical dependencies controlled by foreign organizations with ties to hostile states. These packages are deeply embedded across government, finance, and infrastructure, yet their risks remain largely invisible to existing security models.

Our reports sparked intense debate within the community, like on Hacker News, where someone said, “If who wrote some code matters to you, then your supply chain management is simply insufficient.” We disagree. This popular sentiment underestimates human weakness, nihilism, and criminal behavior. It doesn’t take into account the compromise of maintainer accounts, straight-up phishing attacks, coercion, or subtle sabotage that could go undetected for years. 

The open source community’s greatest strength—its openness and trust—has become a systematic vulnerability that can be exploited. The community must evolve to match the sophistication of adversaries, their covert tactics, and the complexity of software supply chains.

The dependency on open source in every critical piece of technology, from defense to banking and critical infrastructure, creates an attack surface of foreign/malign ownership, control, and influence that extends beyond traditional cybersecurity boundaries. When a single package like left-pad can break thousands of applications, or when a backdoor in compression utilities can threaten global infrastructure, we’re operating in a threat landscape that existing security models weren’t designed to handle.

We’re not suggesting that all foreign developers are suspect, or that nationality alone determines trustworthiness. Criminals come in all types. Our concern is structural: When critical infrastructure depends on packages maintained by individuals who, regardless of where they live, could be subject to state coercion—whether through legal frameworks, economic pressure, or direct intimidation—or act on their own ulterior motives, the industry needs better tools to assess and manage that risk.

We anchor everything we do—our research, our products, our investigations—on a core set of guiding principles. These are not abstract ideals; they are the framework we believe is necessary to defend the open source ecosystem and the critical systems built on top of it.

HUNTED LABS' PRINCIPLES FOR SECURE OPEN SOURCE

1. Preserve and Strengthen Open Source

Open source software is vital for innovation, economic growth, and technological advancement. Any security framework must enhance, rather than restrict, the collaborative and global nature of open source development.

2. Trust Must Be Earned and Maintained

Trust is open source’s most valuable asset, but it should not be based on assumptions. Critical dependencies deserve ongoing verification, not blind faith.

3. Intelligence Informs Better Decisions & Risk Management

Effective security requires evaluating both technical factors (code quality, vulnerability management) and contextual factors (maintainer circumstances, governance structures, external pressures). Knowing who maintains critical software, their circumstances, and their potential pressure points enables better risk management without compromising open source principles.

4. Community Collaboration Over Individual Burden

Rather than placing security responsibilities solely on volunteer maintainers, the community should develop shared tools and processes for managing supply chain risks.

5. Critical Infrastructure Deserves Special Attention

Packages used in national security systems, financial infrastructure, or other critical applications should meet higher standards for governance, transparency, and risk management.

6. Transparency in Risk Assessment

Security research should be conducted openly, with transparent methodologies and opportunities for community feedback and correction.

7. Practical Mitigation Over Perfect Solutions

Security is about managing risk, not eliminating it entirely. We should focus on practical measures that meaningfully reduce exposure while preserving open source values.

The XZ Utils backdoor was a harbinger. The question isn’t whether sophisticated actors will continue targeting the open source ecosystem—it’s whether we’ll develop the tools and processes needed to detect and prevent such attacks while preserving what makes open source valuable.

These protections are possible, but they require acknowledging that trust alone isn’t sufficient for critical infrastructure dependencies. They require building systems that can verify trust at scale, support maintainers under pressure, and provide better intelligence about the risks we collectively face.

The future of open source security lies not in choosing between openness and security, but in integrating both into the development, maintenance, and consumption of open source software. That’s the challenge we’re committed to conquering and, as a team, we’re all in.

We are Hunters. We don’t wait for breaches to announce themselves—we search, investigate, and eliminate risks before they can be weaponized. We thrive on uncovering what others miss, applying logic to complexity, and relentlessly pursuing the next hunt.

Protecting the open source ecosystem is not optional. It is essential to national security, economic growth, and technological innovation. That’s why we hunt.

Request a demo of Entercept, the first and only platform designed to identify and track foreign influence in your software.
