The crypto industry has gotten better at auditing code. But the devices the code runs on are still underprotected.
A compromised device is the cleanest path to a compromised key. If the device signing transactions or holding seeds hasn't installed its security updates, is sending out data it doesn't need to, has more services running than it actually uses, or was never properly cleaned, none of the rest matters. Most Web3 hacks don't start onchain, they start on someone's laptop.
This is the layer we built OSs Security to address.
What it does
OSs-security is an open-source toolkit with two things in it: hardening scripts and factory reset guides, for Linux, macOS, and Windows.
Run a single script and your machine moves from a default consumer configuration to a security-conscious baseline: firewall tightened, telemetry reduced, attack surface cut, logging enabled, unnecessary services disabled. Bash for Linux and macOS, PowerShell for Windows. Every control is readable. No telemetry, nothing phoning home, no account.
The factory reset guides cover the other side of the same problem: what to actually do when you suspect a device is compromised. Not "reinstall the OS and hope". The specific sequence of steps that actually clears persistent threats, on each of the three operating systems, written for someone who needs to do this under pressure.
The scripts have been audited by Sigma Prime and Coinspect.
Who it's for
OSs Security was built for solo devs, multisig signers, validator operators, and anyone who handles funds from a personal machine. It's free, open, and auditable.
The round
OSs Security was accepted into the Ethereum Security Round on Giveth; the first decentralized funding round of TheDAO Security Fund, a $220M staked endowment built from the unclaimed ETH recovered from the 2016 DAO hack.
The round runs through May 14, with over 100 projects participating. If you want to support OSs Security, you can donate here. Every donation, regardless of size, increases the project's share of the matching pool through quadratic funding. Thank you to everyone who already donated, and to TheDAO Security Fund for putting the round together.
What we found notable wasn't the matching pool. It was the eligibility list. Smart contract auditing was on it, but so were incident response, wallet safety, anti-phishing, security education, threat intelligence, DevSecOps tooling, and supply chain security. The same fund that's now defining what "Ethereum security" means in 2026 is drawing it as a much wider category than the public conversation usually does, and the audit firms themselves agree: many of them participated as supporters of the round.
SEAL ran five separate initiatives through the round. That matches what we see in the field. Most of the incidents today don't start with a smart contract bug.
What's next
OSs-security has over 100 commits, two completed audits, and active use by Opsek clients and the broader community. From here, we're expanding the toolkit: more Linux distributions, support for older macOS and Windows builds, threat-model-specific profiles (solo dev, multisig signer, validator, high-value target), video walkthroughs for non-technical users, continuous re-auditing as operating systems evolve, and localized guides in Spanish, Portuguese, Chinese, and Russian.
How to use it
The repo is at github.com/Opsek/OSs-security. The README walks you through running the hardening script and using the factory reset guides for each OS. The audit reports are in there too.
Pull requests and improvements are welcome.