Safeguard
Threat Research

Artifact Tampering and Integrity: Trusting What You Actually Ship

Artifact tampering alters a build output after it leaves source control, so what you deploy differs from what you reviewed. Here is how it works and how to verify integrity.

Marcus Chen
Security Researcher
6 min read

Artifact tampering is a supply-chain attack in which an adversary modifies a software artifact — a compiled binary, a package tarball, a container image, or an installer — at some point after it leaves source control and before it reaches its consumer, so that what gets deployed differs from what was written and reviewed. Artifact integrity is the defensive discipline that answers a single, deceptively hard question: is this exact artifact the one that was built from the source I trust, unchanged since? The reason this matters so much is that most of the supply chain runs on artifacts, not source. Developers publish tarballs, ship container images, and distribute installers, and downstream consumers almost never rebuild from source to check. That gap — between the source everyone can inspect and the binary everyone actually runs — is exactly where tampering hides.

How artifact tampering works

Tampering can happen anywhere along the path from build to consumption: on a build server after compilation but before signing, in a package registry or mirror, on a content-delivery network, or in a release tarball assembled separately from the source repository. The most insidious variant exploits the fact that many projects distribute artifacts that are not byte-for-byte reproducible from their public source, so no one notices when the distributed version contains extra code.

Integrity is normally asserted with a cryptographic hash. A publisher computes a digest and consumers verify it:

# publisher records the digest
sha256sum app-release.tar.gz > app-release.tar.gz.sha256

# consumer verifies before installing
sha256sum -c app-release.tar.gz.sha256

The weakness is trust in where the hash and the artifact come from. If an attacker can alter both the artifact and its published checksum, or if the artifact is signed by a compromised key, verification passes on a tampered file. The strongest defenses therefore bind an artifact not just to a hash but to a verifiable record of how and from what source it was built.

Real-world artifact tampering incidents

The XZ Utils backdoor, tracked as CVE-2024-3094 and discovered in March 2024, is the clearest recent illustration of the source-versus-artifact gap. A long-term contributor operating as "Jia Tan" spent months building trust, then planted a backdoor in the liblzma component. Critically, the malicious code was not present in the human-readable Git source in an obvious form; it was hidden in obfuscated test files and activated by build scripts that only ran when the release tarball was assembled. Anyone reading the repository saw clean code, while the distributed tarball built a backdoor into the library — a near-perfect example of why verifying the source is not the same as verifying the artifact. It was caught by chance, when a Microsoft engineer investigated a small performance anomaly.

The 2020 SolarWinds attack tampered with artifacts at build time: the SUNBURST backdoor was injected into the Orion binary during compilation and then signed with SolarWinds' legitimate certificate, so the tampered artifact carried a valid signature and sailed through every downstream integrity check. And the 2021 Codecov incident tampered with a distributed script — the Bash Uploader — hosted for download, so consumers who fetched and ran it received a modified version that quietly exfiltrated their secrets. In each case the artifact diverged from the trustworthy source, and conventional signing either was subverted or simply did not exist.

How to detect and defend against artifact tampering

Integrity defense moves from "trust the hash" to "verify the provenance":

  • Generate and verify build provenance. Use SLSA-style signed attestations and in-toto to bind each artifact to its source commit, build steps, and builder identity, then verify that provenance before deploying.
  • Adopt keyless signing with transparency. Sigstore (Cosign) signs artifacts and records signatures in a public transparency log, so a tampered or unexpectedly re-signed artifact is detectable.
  • Pursue reproducible builds. When a build is deterministic, independent parties can rebuild from source and confirm the published artifact matches bit for bit — the property whose absence let the XZ backdoor hide in the tarball.
  • Pin by immutable digest. Reference container images and dependencies by content hash rather than mutable tags, so a registry cannot silently swap the bytes under a familiar name.
  • Verify at every hop. Check integrity at build, at publish, and at deploy, since tampering can be introduced at any of them.

How Safeguard helps

Artifact integrity depends on knowing exactly what is inside every artifact and whether it matches a trustworthy origin. Safeguard generates and ingests an SBOM for every build, producing a precise, verifiable inventory of the components in each artifact so an unexpected addition — the kind of divergence the XZ tarball represented — is visible rather than buried. Software composition analysis resolves those components to exact versions and ties them to their provenance, and container security scanning inspects images layer by layer and pins them by digest so a tampered or swapped layer is caught before it deploys. Griffin AI adds behavioral and exploitability context so a suspicious component in an artifact is prioritized rather than lost in a flat list, and automated fix pull requests drive verified, digest-pinned replacements through your pipeline. For teams comparing how platforms handle integrity and SBOM verification, our comparison page lays out the differences.

The artifact, not the source, is what runs in production. Verify that every artifact you ship is provably the one your trusted source produced, because attackers count on the gap between the two.

Frequently Asked Questions

How is artifact tampering different from a build pipeline compromise? A build pipeline compromise is one way to tamper with an artifact — by injecting code during the build — but tampering can also happen after the build, in a registry, a mirror, a CDN, or a separately assembled release tarball. Artifact tampering describes the broader outcome: the deployed artifact no longer matches the trusted source, wherever the change was introduced.

Does signing an artifact guarantee it has not been tampered with? No. Signing only proves the artifact was signed by a particular key. If that key is compromised, as in SolarWinds, or if the malicious code was baked in before signing, the signature validates a tampered artifact. Provenance that binds the artifact to its source and build, plus transparency logs, provide assurance that a signature alone cannot.

Why do reproducible builds matter for integrity? Reproducible builds make a build deterministic, so independent parties can rebuild from source and confirm the published artifact matches byte for byte. That property directly closes the gap the XZ Utils backdoor exploited, where the distributed tarball contained code that the reviewable source did not obviously produce.

What is SLSA and how does it help? SLSA (Supply-chain Levels for Software Artifacts) is a framework of increasing assurances about how an artifact was produced, centered on generating signed provenance that records the source, build process, and builder. Verifying that provenance before deployment lets consumers reject artifacts that did not come from the expected source and pipeline.

Start verifying your artifacts at app.safeguard.sh/register, and find integration guides at docs.safeguard.sh.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.