
TuxCare Launches SecureChain to Redefine Open-Source Security in the Age of AI-Driven Vulnerabilities


New solution delivers end-to-end protection for open-source dependencies – from verified origin to perpetual patching

TuxCare, a global innovator in securing open source, today announced the launch of SecureChain, a groundbreaking solution that’s uniquely designed to secure open-source software dependencies for as long as organizations rely on them: verified at adoption, secured in production, and patched past end of life.

TuxCare has long been a leader in securing open-source software beyond its supported lifecycle through its Endless Lifecycle Support (ELS) services. SecureChain extends that expertise upstream by bringing the same engineering rigor to actively maintained open-source packages and ensuring continuous protection from adoption through obsolescence. With SecureChain, organizations no longer have to choose between the speed of open source and the security of controlled software environments. They can have both.

Coinciding with the disruptive impact of Anthropic’s Project Glasswing, SecureChain arrives at a critical inflection point for the software industry – where AI-driven vulnerability discovery is accelerating faster than organizations can actually respond, and when regulatory frameworks, such as the EU Cyber Resilience Act, are tightening accountability for every line of code shipped. SecureChain directly addresses this new reality.

TuxCare’s SecureChain is the only solution built around the customer’s timeline instead of the lifecycle of open-source libraries. While every open-source component eventually reaches end of life (EOL), enterprise reliance on those components often continues. SecureChain ensures that software remains secure for as long as it is in use. From the moment a package is introduced, SecureChain rebuilds it from verified source code, scans it for malicious code, and delivers it with full provenance. Over time, it continuously monitors for vulnerabilities and applies patches – even after the original maintainers have moved on.


This dual approach defines SecureChain’s core differentiation:

— Trusted (Day One): Every package is rebuilt in a curated repository, eliminating risks such as tampered artifacts, typosquatting, hijacked binaries, and malicious code injections. Each package includes SLSA Level 3 provenance, Software Bill of Materials (SBOM), and Vulnerability Exploitability eXchange (VEX) data.

— Secured (Ongoing): Continuous CVE monitoring and patching ensure that vulnerabilities are addressed in real time. When libraries reach EOL (where nearly half of exploitable vulnerabilities occur) TuxCare engineers backport fixes to the exact versions in production. No forced upgrades. No disruptive rewrites.

Capabilities Across Major Open-Source Ecosystems

SecureChain delivers robust coverage across the most widely used open-source ecosystems, replacing public registries with secure, curated alternatives:

— npm (JavaScript) – A safer npm supply chain with verified packages rebuilt from source, continuous patching, and protection against malicious dependencies and transitive risk.

— PyPI (Python) – Verified Python packages with full dependency transparency, continuous vulnerability remediation, and protection from compromised or unmaintained libraries.

— Maven (Java) – Trusted Java artifacts with deep visibility into complex dependency trees and ongoing patch support for enterprise-grade applications.

— Go Modules – Secure module sourcing with validation, patching, and protection from decentralized and unverified dependency risks.

— Rust (crates.io) – Verified crates with continuous security coverage, ensuring trust across modern, performance-focused applications.

Each ecosystem is supported by SecureChain’s curated repository model, which blocks threats at install time while maintaining continuous protection throughout the software lifecycle.

SecureChain debuts with immediate, production-ready capabilities:

— Coverage for the most depended-on packages in the npm registry, with Python, Java, Go, Rust, and PHP to follow

— Ability to request any package not already in the catalog, including both secure repository inclusion and ELS coverage

— Drop-in compatibility with standard package managers and repository managers like Artifactory, Nexus, and GitHub Packages, requiring no changes to existing workflows

— Flat per-ecosystem pricing with discounted site licensing options

“This launch comes at a moment when AI is exposing vulnerabilities across open-source dependencies faster than organizations can realistically respond and while attackers are moving just as quickly to exploit them,” said Michael Canavan, Chief Revenue Officer at TuxCare. “Our SecureChain gives teams a practical way to regain control by ensuring every dependency is verified at intake and continuously secured for the entire time it remains in production. And that’s even long after the original maintainers have moved on.”
