Edward Kiledjian's Threat Intel

Google Launches OSS Rebuild to Expose Malicious Code in Widely Used Open-Source Packages

Google has launched OSS Rebuild, an initiative designed to strengthen open-source package security and prevent software supply chain attacks. The project provides build provenance for packages across the Python Package Index (PyPI), npm, and Crates.io registries, with plans for expansion to other platforms. OSS Rebuild uses declarative build definitions, instrumentation, and network monitoring to generate security metadata that validates package origins and detects tampering. The system automatically determines build definitions for target packages, rebuilds them, and semantically compares the results with the upstream artifacts whilst normalizing for build instabilities. Successful rebuilds produce SLSA Provenance attestations that enable origin verification and repeatable builds. The initiative can identify various supply chain compromises, including packages containing undisclosed code, suspicious build activity, and unusual execution paths that are difficult to detect manually. Beyond security improvements, OSS Rebuild enhances Software Bills of Materials (SBOMs), accelerates vulnerability response, and reduces organizational reliance on CI/CD platforms for package security verification.
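As an added illustration of the rebuild-normalize-compare step described above (example code written for this page, not Google's or OSS Rebuild's own implementation), the script below constructs two wheel-like archives in memory, strips the unstable parts of each (member timestamps, entry order, compression details), and reports whether the rebuilt package's contents semantically match the published one, flagging files the source never produced as the kind of undisclosed code the announcement mentions. The package name and file contents are invented samples.

```python
import hashlib
import io
import zipfile

def build_wheel(files, date_time):
    """Construct a minimal wheel-like zip in memory (constructed sample, not a real package)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in files:
            # Explicit timestamp so the "same" package can be built with different metadata.
            zf.writestr(zipfile.ZipInfo(name, date_time), content)
    return buf.getvalue()

def normalized_manifest(archive_bytes):
    """Map each file path to the SHA-256 of its content, dropping the unstable
    parts of the archive: member timestamps, entry order and compression details."""
    manifest = {}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                manifest[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return manifest

def compare_artifacts(upstream_bytes, rebuilt_bytes):
    """Semantic comparison of a published artifact against a rebuild from source."""
    up, rb = normalized_manifest(upstream_bytes), normalized_manifest(rebuilt_bytes)
    return {
        "match": up == rb,
        "only_in_upstream": sorted(set(up) - set(rb)),  # files the source never produced
        "only_in_rebuild": sorted(set(rb) - set(up)),
        "content_differs": sorted(p for p in up.keys() & rb.keys() if up[p] != rb[p]),
    }

# Constructed sample: the same source built twice with different timestamps and order.
SOURCE_FILES = [
    ("pkg/__init__.py", "from .core import run\n"),
    ("pkg/core.py", "def run():\n    return 'ok'\n"),
    ("pkg-1.0.dist-info/METADATA", "Name: pkg\nVersion: 1.0\n"),
]
REBUILT = build_wheel(SOURCE_FILES, (2025, 7, 1, 0, 0, 0))
UPSTREAM_OK = build_wheel(list(reversed(SOURCE_FILES)), (2024, 1, 2, 3, 4, 5))
# Constructed tampered upload: a modified core.py plus a file absent from the source tree.
UPSTREAM_TAMPERED = build_wheel(
    [(n, c.replace("'ok'", "'changed'") if n == "pkg/core.py" else c) for n, c in SOURCE_FILES]
    + [("pkg/_loader.py", "# code not present in the repository\n")],
    (2024, 1, 2, 3, 4, 5),
)

if __name__ == "__main__":
    print(compare_artifacts(UPSTREAM_OK, REBUILT)["match"])   # True: only metadata differed
    print(compare_artifacts(UPSTREAM_TAMPERED, REBUILT))      # match False, extra file flagged
```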