RapidFort & ReversingLabs add security checks to libraries
Wed, 8th Jul 2026 (Today)
RapidFort and ReversingLabs have partnered to offer open-source dependency libraries with independent security validation. The catalogue is now available for Python and Java.
The partnership combines RapidFort's library curation and hardening process with analysis from ReversingLabs' Spectra Assure platform. Each package is checked for tampering, malware, and known vulnerabilities before release to developers.
RapidFort is positioning the offering as a way for companies to keep using existing package management tools instead of moving to a proprietary system. The libraries work through standard interfaces, including pip, Maven, npm, and operating system package tools already used by development teams.
That is significant in a market where software supply chain security has become a growing concern for large organisations that rely on open-source components. Attacks on widely used packages and malicious code hidden in dependencies have pushed buyers to seek greater scrutiny of third-party software before it enters build systems.
How it works
Under the partnership, RapidFort applies what it describes as a multi-stage hardening pipeline to open-source packages. ReversingLabs then conducts a separate review using deep binary analysis, cryptographic and structural checks, and comparisons between package versions to identify suspicious changes.
Packages that fail ReversingLabs' policies are blocked from the catalogue until the issues are addressed. Each release also includes a security report from ReversingLabs for customers, auditors, and regulators.
Coverage now includes Python and Java libraries in general availability, while JavaScript remains in closed beta. Operating system package support is already available for Red Hat, Ubuntu, Debian, and Alpine.
RapidFort said the combined process helps customers cut compliance timelines by three to six months. It also said its attack surface reduction and source-verified hardening process has helped customers eliminate up to 99.9% of CVEs from container images.
Executive views
Mario Vuksan, Founder and CEO, ReversingLabs, described the partnership as a response to threats being embedded more deeply in software components.
"ReversingLabs was built on the conviction that software security requires deep binary intelligence," said Mario Vuksan, Founder and CEO, ReversingLabs.
"Malicious actors are increasingly compromising open-source components, embedding threats deep within the layers of container images that traditional tooling cannot reach. By bringing Spectra Assure's independent malware analysis to every package in the RapidFort library catalog, together we give enterprises access to open-source dependencies that are both rigorously hardened and independently assessed clean before they ever enter a build pipeline," Vuksan said.
RapidFort CEO Mehran Farimani said the company saw value in having an outside security firm validate software packages rather than relying only on its own checks.
"ReversingLabs is the gold standard for binary malware analysis," said Mehran Farimani, CEO, RapidFort.
"By embedding Spectra Assure analysis into our library release pipeline as an independent validation gate, we've created something the industry has been missing-a library catalog where the security claim is made by a separate company with its own reputation on the line. That's a fundamentally different level of trust," Farimani said.
Market backdrop
The partnership reflects a broader push by security vendors to address weaknesses in open-source software supply chains without forcing customers to rebuild development workflows. Many tools focus on source code scanning, vulnerability databases, or software bills of materials, but buyers have also been seeking ways to inspect the final software artefacts that reach production.
ReversingLabs has built its business around file and binary inspection, while RapidFort has focused on reducing risk in container images and open-source software distributions. Bringing those approaches together gives RapidFort an external validation layer and gives ReversingLabs a route into package catalogues used directly by software teams.
For enterprise buyers, the pitch is straightforward: keep existing operating systems, frameworks, and package managers, but add a separate review step before dependencies reach internal environments. Support currently spans multiple application stacks and operating system packages, with JavaScript next through a limited beta programme.
ReversingLabs said its underlying threat intelligence dataset covers billions of files and draws on decades of malware research.