Securing Hex, the Backbone of the Elixir Ecosystem

Michael Lubas, 2026-04-09

The Erlang Ecosystem Foundation’s (EEF) Security Working Group prudently launched the Ægis Initiative in 2025 to improve supply chain integrity for the overall Erlang and Elixir ecosystem. Jonatan Männchen (EEF CISO) and Alistair Woodman (EEF Board President) are the project leads, who have worked tirelessly to ensure the security and health of this critical infrastructure. The Supply Chain Security Audit project under Ægis scoped out a full assessment of the Hex Package Manager and related software. Hex boasts over 14 billion all-time downloads and over 24,000 available packages, and is a vital asset for all companies using the Elixir, Erlang, and Gleam languages. Two firms were selected to perform this audit: Paraxial.io and zentrust partners GmbH. The Hex project has published an excellent summary of the work on their blog.

The funding for this work was generously provided by Alpha-Omega, an associated project of the Open Source Security Foundation (OpenSSF) and The Linux Foundation. Funding for Alpha-Omega is provided by Anthropic, AWS, Citi, GitHub, Google, Google DeepMind, Microsoft, and OpenAI. These organizations are deeply committed to improving the security of the open source ecosystem, as shown by their real world action. Their financial support directly protects the foundation of our digital infrastructure. Paraxial.io was honored to be selected as a recipient of this grant, for the security assessment of Hex.

What were the key results?

  1. A remote code execution (RCE) vulnerability was found in the Hex Elixir client, before it could be published in a release. Michael Lubas (Paraxial.io) worked with Jonatan Männchen (EEF CISO) and Eric Meadows-Jönsson (Hex Creator) to ensure this vulnerability was fixed and never affected the ecosystem.
  2. The GitHub Actions pipelines and release infrastructure of Hex and several core projects were in scope for security testing during the engagement. On March 19th, 2026, one day after the Paraxial.io remediation re-test, the threat actor TeamPCP compromised Aqua Security's Trivy project through GitHub Actions tag hijacking and CI/CD exploitation, subsequently expanding to Checkmarx KICS and LiteLLM. The Paraxial.io engagement confirmed the Erlang and Elixir ecosystem was not vulnerable, no projects were found to be exploitable, and the security scanner Zizmor was added as an additional layer of defense.
  3. While there were some medium and low severity findings, overall the conclusion of both Paraxial.io and zentrust is that Hex is a robust base for the entire ecosystem. The software is well designed, supported by an excellent team, and has active mechanisms in place to deal with security threats.

The full report by Paraxial.io is public. Security is a constantly evolving field, and there is certainly more work to be done. On behalf of the Elixir and Erlang ecosystem, Paraxial.io would like to thank everyone who made this work possible.

Thank you to Jonatan Männchen, Alistair Woodman, and the EEF Security Working Group for creating the Ægis Initiative and making this engagement happen. Their leadership sets the standard for how open source ecosystems should approach security.

Thank you to Eric Meadows-Jönsson and the Hex core team, whose years of thoughtful engineering are the reason this audit found so few issues. A pentest can only confirm what good builders already put in place, and Hex reflects excellent design decisions at every level.

Thank you to Alpha-Omega, OpenSSF, The Linux Foundation, and backers Anthropic, AWS, Citi, GitHub, Google, Google DeepMind, Microsoft, and OpenAI. Your investment in ecosystem security benefits every developer and company building on Elixir, Erlang, and Gleam, from individual students to multinational corporations. We are grateful for your support, and will continue building on the safe foundation you helped lay.
