Unverified code is the next national security threat

Congress and federal agencies can take some simple steps to better protect open-source software.
American infrastructure is powered by open-source software and no one knows who wrote it. That’s not hyperbole. It’s a structural vulnerability.

Every day, government agencies, contractors, and Fortune 500 companies deploy software built by anonymous developers and downloaded from public repositories into critical systems — sometimes with no scrutiny of who created it or whether it’s been compromised. As nation-state cyber actors grow more sophisticated, and as the global dependency on open-source software deepens, this issue is no longer just a tech problem. It’s a matter of national security.

Code is now a geopolitical attack surface

Open-source software is now a critical dependency in modern digital infrastructure — by some estimates, over 90% of all modern applications include open-source components. It powers critical infrastructure, supports hospitals, underpins financial systems, and runs inside defense technologies. But it often enters systems with no verification of its provenance or maintainers. This creates a new class of security risks, rooted in anonymity, opacity, and untraceable trust.

Recently, it was revealed that a popular Go library, easyjson, is maintained by a company listed on the U.S. sanctions list for ties to Russian state interests. In October 2024, the Linux kernel made waves when leaders announced that they removed several Russian Linux maintainers. And Huawei, a Chinese multinational telecommunications company, is a top 15 contributor to Kubernetes, which the Air Force runs in its fighter jets. These projects are not buried in dark web repositories — they are hiding in plain sight on GitHub and used in production systems globally.

One more example to bring this threat to life: Last year, a sophisticated backdoor was found in the widely used xz-utils compression library, shaking the cybersecurity world. The discovery revealed that attackers had spent years slowly gaining trust and inserting malicious code into a tool relied on by Linux distributions worldwide. This wasn’t a “smash and grab” hack. It was a long game, executed with surgical patience. Had it gone unnoticed, the backdoor could have become embedded in operating systems worldwide — including those used by federal contractors and sensitive national systems.

Open source is secure, but it isn’t safe

Open-source software itself isn’t the problem. In fact, it’s more secure than proprietary code thanks to public scrutiny and rapid iteration. But the way it is currently consumed — through unverifiable binaries and unknown maintainers — is dangerously opaque. Today, most organizations rely on binaries — precompiled software artifacts — from open repositories like GitHub or Docker Hub. They are rarely verified, their build processes are often ambiguous, and their maintainers could be basement hobbyists or well-placed, patient foreign actors.

The open-source ecosystem thrives on trust. But in an era of geopolitical tension and sophisticated cyber operations, trusting random strangers on the internet is no longer a rational option.

We need a better way to consume open source

Federal efforts to address software supply chain risks have picked up in recent years. The Biden administration issued EO 14028, emphasizing the need for software transparency and supply chain integrity. CISA and NIST have published frameworks to mitigate risk in critical infrastructure. However, the gap between awareness and action remains wide.

Today, there are no requirements for contractors to verify the provenance of the open-source tools they use. There are few incentives to adopt secure software development practices. And while Software Bills of Materials (SBOMs) may be widely discussed, they lack mass adoption and are poorly enforced.

Congress and federal agencies can take clear, immediate steps to secure the nation’s digital presence:

  1. Mandate verifiable provenance of open-source components in all software used by federal agencies.
  2. Incentivize reproducible builds and signed attestations through procurement preferences and grants.
  3. Fund security audits and maintenance of critical open-source projects through the Technology Modernization Fund or similar initiatives.
  4. Support digital identity frameworks that enable contributors to establish and verify trusted reputations.

Foreign adversaries know they can target open-source software. They’ve proven they’re willing to play the long game. That’s why we can no longer go on leveraging software without knowing who built it, how it was built, or whether it’s been compromised. If we keep trusting unverified code, we’re leaving the front door open.

Open source isn’t broken — but our systems for consuming and securing it are outdated. Until we fix that, we’re exposing our national infrastructure to invisible threats from unknown actors.

Dan Lorenc is the CEO and co-founder of Chainguard.