Subscribe to the Non-Human & AI Identity Journal

What do security teams get wrong about package ecosystem trust?

They often assume trusted registries and familiar maintainers are enough to validate safety. In practice, malicious updates can still execute after installation, and the real exposure comes from what the code can reach next, especially secrets, signing keys, and deployment credentials. Trust in provenance must be matched by runtime controls and secret separation.

Why This Matters for Security Teams

Package ecosystems are treated as if registry trust equals code trust, but that assumption misses the main risk: install-time provenance does not constrain what a package can do once it runs. A dependency can look legitimate, pass review, and still reach out to secrets, signing keys, CI/CD tokens, or cloud metadata at runtime. That is why controls focused only on publisher reputation or pinned versions are incomplete. NIST’s guidance on software and identity controls in NIST SP 800-53 Rev 5 Security and Privacy Controls is useful here, but it has to be applied with package-level runtime containment in mind. NHIMG research on the LiteLLM PyPI package breach shows how quickly trusted distribution can still lead to stolen credentials when runtime access is broad. In practice, many security teams discover package trust failures only after secrets have already been harvested from build or deployment environments, rather than through intentional review of package reachability.

How It Works in Practice

Effective package ecosystem trust combines provenance checks with blast-radius reduction. A signed package or a trusted maintainer helps answer who published the artifact, but it does not answer whether the package should be allowed to read files, open network connections, access environment variables, or touch the package manager token that installed it. Security teams should separate these concerns and treat runtime permissions as the real control point.

Practical controls usually include:

  • Pinning exact versions and verifying hashes so build inputs are deterministic.
  • Using allowlisted registries and verified publishers, while assuming any dependency may still be compromised later.
  • Running installs and tests in isolated build environments with no long-lived secrets present.
  • Passing only task-specific, short-lived credentials to the process that actually needs them.
  • Segmenting secrets so a package cannot automatically reach signing keys, deployment tokens, or cloud credentials.

That last point matters because runtime exposure is often wider than the package’s apparent purpose. NHI Management Group’s Ultimate Guide to Non-Human Identities notes that 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools. Once package execution is allowed near those locations, provenance becomes secondary to containment. Current guidance suggests treating each dependency as a workload with its own identity and least-privilege boundary, not as a harmless library that inherits trust from the registry. That means secret separation, ephemeral tokens, and runtime policy checks should be enforced together, not as optional add-ons. These controls tend to break down in CI/CD runners that reuse credentials across jobs because one compromised dependency can then move laterally into the release pipeline.

Common Variations and Edge Cases

Tighter package controls often increase build friction, requiring organisations to balance developer velocity against reduced supply-chain risk. The tradeoff becomes sharper in monorepos, polyglot stacks, and rapid-release environments where dependency churn is high and teams rely on shared build agents. Best practice is evolving, but there is no universal standard for how much runtime access a package should receive beyond the principle of least privilege.

Some edge cases need special handling. Internal packages are not automatically safe just because they are private, and mirrored registries can still distribute compromised code if the upstream artifact was already poisoned. Native extensions, post-install scripts, and transitive dependencies are especially risky because they execute with the same environment context as the parent package. In agentic or automated build systems, that context may also include orchestration tokens and signing material, which turns a simple library compromise into a release compromise. Where possible, teams should inspect whether the package actually needs outbound network access, file-system writes, or access to environment variables before allowing it into production pipelines.

This is why NHIMG treats package trust as a workload identity problem as much as a software provenance problem. Provenance reduces uncertainty; it does not replace runtime isolation, secret hygiene, or explicit authorization boundaries. Security teams that ignore that distinction usually end up responding to secret exposure after the package has already been installed and executed.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 and OWASP Agentic AI Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Non-Human Identity Top 10 NHI-05 Covers secret exposure from workloads that can reach sensitive runtime material.
NIST CSF 2.0 PR.AC-4 Least privilege is central when package code can execute beyond its intended scope.
NIST Zero Trust (SP 800-207) SC-10 Zero trust demands runtime verification instead of assuming trusted provenance is enough.
NIST AI RMF AI-driven build and dependency flows need governance around unpredictable execution paths.
OWASP Agentic AI Top 10 A3 Autonomous tool use and chained execution increase the impact of poisoned dependencies.

Constrain tool access and secrets so automated workloads cannot escalate through package execution.