Staff Supply Chain & Build-System Security Engineer

SentinelOne
$156,000 - $200,000

About The Position

As a Staff Supply Chain & Build-System Security Engineer, you will become the trusted advisor customers call when malicious packages hit their build, or when a self-replicating worm crosses their CI/CD trust boundary. You'll work directly on top of the output of our agentic code scanning pipeline, validate supply-chain signals with human judgment, run reachability analyses, and harden the pipelines that ship our customers' code into production.

Requirements

  • 7+ years in security with a strong concentration in software supply chain, build systems, or product security, plus a credible development background.
  • Proven track record translating complex findings into technical and executive-level debriefs. Excellent written and verbal communication is essential.
  • Deep fluency in npm internals: the publish flow, registry mechanics, and Trusted Publisher and OIDC-based publishing, plus working depth across PyPI, Maven Central, and NuGet.
  • Hands-on dependency analysis and reachability-based prioritization across multiple languages.
  • Working knowledge of SBOMs, build provenance, and artifact signing, including SLSA, in-toto, and Sigstore, and how to enforce them in a real pipeline.
  • Experience hardening build environments, GitHub Actions workflows, runner isolation, and locked-down secrets handling.
  • Hands-on malicious-package triage and static reverse engineering of obfuscated JavaScript and Python.
  • Client-side supply-chain investigation experience (Magecart-class, CDN compromise, browser-bundle dependency confusion).
  • Experience with AI accelerated development / supply chain scanning methodologies.

Responsibilities

  • Lead Wayfinder Frontier AI Services customer engagements focused on software supply chain risk end-to-end — scope, deliver, and present findings to customer engineering and security leadership.
  • Review and triage supply chain findings from our agentic code scanning pipeline, validate true positives, eliminate noise, prioritize by real exploitability in the customer's environment, and ensure every finding that reaches the customer is a decision they can act on.
  • Investigate malicious-package incidents: triage suspected compromise, reverse engineer obfuscated install scripts (bun_environment.js-class), identify blast radius, and build customer deliverables.
  • Build dependency-graphs and reachability analyses across npm, PyPI, Maven, NuGet, Go modules, and Rust crates, document and prioritize findings.
  • Build and review SBOMs and AIBOM artifacts.
  • Deliver recommendations on hardening customer CI/CD pipelines: GitHub Actions hardening, action and dependency pinning, OIDC, Trusted Publisher migration, Harden-Runner deployment, and runner identity scoping.
  • Cover client-side supply chain risk in customer engagements.
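
The pinning and runner-hardening work above is concrete enough to show what a first review pass looks like. The script below is an added illustration for this page, not SentinelOne's tooling: it scans a GitHub Actions workflow for third-party actions referenced by a mutable tag or branch rather than a full 40-character commit SHA, for container images pulled without a digest, and for a workflow that never restricts GITHUB_TOKEN with a top-level permissions block. Both workflows embedded in it are constructed samples, and the SHAs in them are placeholders, not real commits.

```python
"""Audit a GitHub Actions workflow for unpinned actions and missing permissions.

Added example for this page (not the employer's code). The two sample
workflows and every commit SHA in them are constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

SHA40 = re.compile(r"^[0-9a-f]{40}$")
# Matches `- uses: owner/repo@ref`, `uses: "owner/repo@ref"`, etc.; the capture
# stops before quotes, whitespace or a trailing `# comment`.
USES = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"#\s]+)")


@dataclass
class Finding:
    line: int      # 1-based line in the workflow; 0 for whole-file findings
    ref: str
    reason: str


def audit_workflow(text: str) -> list[Finding]:
    findings: list[Finding] = []
    has_top_permissions = False
    for n, raw in enumerate(text.splitlines(), 1):
        # Only a column-0 `permissions:` key scopes the whole workflow; an
        # indented one applies to a single job and is not counted here.
        if re.match(r"^permissions:", raw):
            has_top_permissions = True
        m = USES.match(raw)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./"):
            continue  # local action: already tied to the checked-out commit
        if ref.startswith("docker://"):
            if "@sha256:" not in ref:
                findings.append(Finding(n, ref, "container image not pinned by digest"))
            continue
        if "@" not in ref:
            findings.append(Finding(n, ref, "no ref given; resolves to the default branch"))
            continue
        _, version = ref.rsplit("@", 1)
        if not SHA40.match(version):
            findings.append(Finding(n, ref, f"mutable ref '{version}' instead of a 40-hex commit SHA"))
    if not has_top_permissions:
        findings.append(Finding(0, "<workflow>", "no top-level permissions: block; GITHUB_TOKEN keeps default scopes"))
    return findings


# Constructed "before" workflow: floating tags, a branch ref, an undigested image,
# and no permissions block.
WEAK_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - uses: ./.github/actions/local-lint
      - uses: docker://alpine:3.20
      - uses: step-security/harden-runner@main
      - run: npm ci
"""

# Constructed "after" workflow: read-only token, every action pinned to a SHA,
# Harden-Runner first so it sees the egress of every later step.
HARDENED_WORKFLOW = """\
name: ci
on: [push]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: step-security/harden-runner@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
        with:
          egress-policy: audit
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - run: npm ci
"""

if __name__ == "__main__":
    for label, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"== {label} ==")
        for f in audit_workflow(wf):
            print(f"  line {f.line}: {f.ref}: {f.reason}")
```

The check is deliberately textual so it runs with no dependencies; a production version would parse the YAML, resolve each SHA against the action's repository to confirm the pinned commit is on a released tag, and treat `pull_request_target` checkouts of the PR head as a separate finding.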

Benefits

  • Restricted Stock Units (RSUs)
  • Employee Stock Purchase Plan (ESPP)
  • Flexible time off
  • Paid company holidays and paid sick time
  • Gender-neutral parental leave
  • Grandparent leave
  • Medical, dental, and vision coverage
  • 401(k) retirement plan with company match
  • Life and disability insurance
  • Health and dependent care FSA
  • Voluntary benefits (hospital, accident, critical illness)
  • Employee Assistance Program (EAP)
  • ARAG pre-paid legal
  • Nationwide pet insurance
  • Cancer Care program
  • Global business travel medical insurance
  • Home office allowance
  • Mobile phone reimbursement
  • Wellness coach
  • Wellness/gym reimbursement
  • Fertility coverage
  • Adoption & surrogacy reimbursement
© 2026 Teal Labs, Inc