In December 2024, a developer named Jossef Harush Kadouri discovered that someone had published @backstage/core, a package name suspiciously close to Spotify's widely-used Backstage framework. It contained a reverse shell. Before it was pulled, automated CI/CD pipelines had already installed it.
This is the world we live in now. And it's about to get much worse.
The Problem No One Wants to Talk About
Right now, AI agents are installing packages on behalf of developers. Claude writes code and suggests pip install. GPT-4 recommends libraries it has never verified. Autonomous coding agents run npm install in sandboxes that aren't as sandboxed as you think.
The supply chain attacks we've already seen were targeting humans:
- event-stream (2018): A maintainer handed off a popular npm package to a stranger who injected cryptocurrency-stealing malware. 8 million weekly downloads compromised.
- ua-parser-js (2021): The maintainer's npm account was hijacked. Cryptominers and password stealers pushed to 7 million weekly downloads.
- colors.js / faker.js (2022): The actual maintainer deliberately corrupted his own packages in protest, breaking thousands of applications including Amazon's CDK.
-
PyPI typosquatting (2023-present): Hundreds of malicious packages mimicking popular names —
requestsvsreqeusts,python-dateutilvspython-dateutl.
These attacks relied on humans not reading the code. Now imagine the same attacks targeting systems that cannot read the code — AI agents that install whatever their training data suggests.
An LLM doesn't know that beautifulsoup5 is not the successor to beautifulsoup4. It doesn't know that python-binance was once compromised. It just installs what the pattern-matched training data says to install.
We need a trust layer between open source and the machines consuming it.
BCOS: Blockchain Certified Open Source
BCOS is a human-review certification standard for open source repositories. The rules are simple:
| Requirement | What It Means |
|---|---|
| Source Readable | All code available and human-readable. No minified blobs, no obfuscated payloads |
| No Hidden Network Calls | Code only contacts endpoints documented in README or config |
| No Credential Harvesting | Does not collect, exfiltrate, or phone home with user data |
| Declared Dependencies | All dependencies listed in manifest (requirements.txt, package.json, etc.) |
| Build Reproducible | Same inputs produce same outputs |
| License Clear | Open source license present and compatible |
| Human Reviewed | At least one named human has read the source and signed off |
That last point is the critical one. A real person reads every line of source code. Not a linter. Not a static analysis tool. Not an AI scanning for patterns. A human who understands context, intent, and the difference between a legitimate HTTP call and a data exfiltration endpoint disguised as telemetry.
Why Blockchain?
"Why not just a badge on GitHub?" Fair question.
Because badges can be forged. A CERTIFIED.md file can be added to any repo by anyone. A green shield on a README doesn't prove anything.
BCOS attestations are recorded on the RustChain blockchain. This gives you:
Immutability — Once recorded, a certification cannot be silently revoked or backdated. If a package was certified on February 15, 2026, that's a permanent, verifiable fact.
Provenance — You can see who reviewed the code, when they reviewed it, and which commit hash they reviewed. The reviewer's identity is tied to their attestation history.
Tamper Evidence — If a certified package is later compromised (maintainer account hijack, for example), the certification points to a specific commit. Any divergence from that commit is immediately detectable.
Decentralization — RustChain's Proof-of-Antiquity consensus means the attestation chain itself runs on verified real hardware. The nodes validating your certification are provably physical machines, not VM farms.
What Certification Looks Like
When a repository passes BCOS review, it gets a badge and an on-chain record:
[](https://github.com/Scottcjn/Rustchain/blob/main/BCOS.md)
Which renders as:
Add that to your README, and anyone — human or AI — can verify:
# Verify any BCOS-certified repo
pip install clawrtc
clawrtc verify-bcos https://github.com/your-org/your-repo
The verification checks the on-chain attestation, confirms the commit hash matches, and validates the reviewer's signature.
The Scale So Far
We've certified 74 repositories across the Elyan Labs ecosystem. These include:
- clawrtc — RustChain miner CLI and wallet (PyPI)
- beacon-skill — Agent discovery and orchestration (PyPI)
- bottube — BoTTube video platform SDK (PyPI)
- grazer-skill — Multi-platform content discovery (PyPI)
Every one of these packages was reviewed line by line. Every network call documented. Every dependency declared. Every build reproducible.
What This Means for AI Agent Developers
If you're building autonomous agents that install packages, BCOS gives you a verification path:
import subprocess
import json
def is_bcos_certified(package_url: str) -> bool:
"""Check if a package has BCOS certification before installing."""
result = subprocess.run(
["clawrtc", "verify-bcos", package_url, "--json"],
capture_output=True, text=True
)
if result.returncode == 0:
data = json.loads(result.stdout)
return data.get("certified", False)
return False
# Before your agent installs anything:
if is_bcos_certified("https://github.com/some-org/some-package"):
subprocess.run(["pip", "install", "some-package"])
else:
print("WARNING: Package not BCOS certified. Requires human approval.")
This is a pre-install gate. Your agent checks the chain before executing pip install. If the package isn't certified, it escalates to a human. Simple, effective, and it stops the entire class of supply chain attacks that target automated systems.
"But This Doesn't Scale"
You're right. One person can't review every npm package. That's not the point.
BCOS isn't trying to certify all of open source. It's certifying the packages that AI agents actually install. The long tail of rarely-used packages that agents stumble upon through training data pattern matching — those are exactly where supply chain attacks hide.
The model is:
- Agent encounters unfamiliar package
- Checks BCOS certification — if certified, proceed
- If not certified — flag for human review, suggest certified alternatives
- Community grows the certified list — reviewers earn RTC tokens for auditing packages
Over time, the most commonly-requested packages get certified first. The certification database becomes a living, blockchain-backed "known good" list for the AI agent ecosystem.
How to Get Involved
Certify your own repos:
Submit a review request at rustchain-bounties. Human reviewers audit your source and, on approval, you get the badge and on-chain attestation.
Review other repos:
Reviewers earn RTC tokens for completing audits. If you can read code and identify supply chain risks, there's a bounty waiting.
Read the spec:
The full BCOS specification is at github.com/Scottcjn/Rustchain/blob/main/BCOS.md.
Integrate into your agent:
Use clawrtc verify-bcos as a pre-install check. Five minutes of integration prevents an entire class of attacks.
The AI agent era is coming whether we're ready or not. Agents will install packages, run code, and make decisions about trust. The question is whether that trust is informed by human verification or by pattern matching against training data that includes every typosquatted package on PyPI.
BCOS is betting on humans.
BCOS is an initiative of Elyan Labs and the RustChain project. Scott Boudreaux is the founder of Elyan Labs and the creator of RustChain's Proof-of-Antiquity consensus.
Top comments (0)