diff --git a/internal/nix/nix.go b/internal/nix/nix.go
index c25444adb4e..e4ddad4ef98 100644
--- a/internal/nix/nix.go
+++ b/internal/nix/nix.go
@@ -174,6 +174,9 @@ func IsExitErrorInsecurePackage(err error, pkgNameOrEmpty, installableOrEmpty st
 	if strings.Contains(string(exitErr.Stderr), "is marked as insecure") {
 		packageRegex := regexp.MustCompile(`Package ([^ ]+)`)
 		packageMatch := packageRegex.FindStringSubmatch(string(exitErr.Stderr))
+		if len(packageMatch) < 2 {
+			return false, nil
+		}
 		knownVulnerabilities := []string{}
 
 		if installableOrEmpty != "" {
diff --git a/internal/nix/nix_test.go b/internal/nix/nix_test.go
index f43c405346d..3088422916d 100644
--- a/internal/nix/nix_test.go
+++ b/internal/nix/nix_test.go
@@ -1,6 +1,7 @@
 package nix
 
 import (
+	"os/exec"
 	"testing"
 )
 
@@ -68,3 +69,22 @@ func TestParseInsecurePackagesFromExitError(t *testing.T) {
 		t.Errorf("Expected package 'python-2.7.18.7', got %s", packages[0])
 	}
 }
+
+func TestIsExitErrorInsecurePackageMissingPackageName(t *testing.T) {
+	// Simulate an exit error whose stderr contains "is marked as insecure"
+	// but lacks the expected "Package " prefix. This defends against
+	// a panic when the regex match is empty in CI/build environments.
+	cmd := exec.Command("sh", "-c", `echo "error: something is marked as insecure, refusing to evaluate." >&2; exit 1`)
+	err := cmd.Run()
+	if err == nil {
+		t.Fatal("expected a command error")
+	}
+
+	insecure, errOut := IsExitErrorInsecurePackage(err, "", "")
+	if insecure {
+		t.Error("expected insecure=false when package name is missing")
+	}
+	if errOut != nil {
+		t.Errorf("expected nil error, got %v", errOut)
+	}
+}
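Review bot: The new `len(packageMatch) < 2` guard in IsExitErrorInsecurePackage returns `false, nil` on stderr that explicitly says a package "is marked as insecure", so the caller can no longer distinguish that refusal from an unrelated nix failure; nothing in the hunk records why that is the intended outcome. One legitimate way to reach this branch is `ExitError.Stderr` itself, which os/exec documents as only a prefix/suffix subset of the output, so the `Package <name>` line can be cut out of a long error even when nix did print it. A why-comment above the guard would make the choice reviewable, e.g. `// Stderr is a truncated subset and the message format is nix-version dependent; with no package name there is nothing to report, so treat it as an ordinary failure.`. If callers surface the raw nix error anyway this is a safe default, but that is inferred from the surrounding code, which starts and ends outside the hunk.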
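Review bot: TestIsExitErrorInsecurePackageMissingPackageName does not exercise the new guard, because `cmd.Run()` leaves `ExitError.Stderr` empty; per os/exec's documentation only `Cmd.Output` copies captured stderr into that field, so IsExitErrorInsecurePackage sees no "is marked as insecure" text and returns false before the regex runs, and the test passes vacuously. The minimal fix is `_, err := cmd.Output()` in place of the `cmd.Run()` line. Better still, drop the `sh -c` dependency (which ties the test to a POSIX shell) and construct the error directly: `err := &exec.ExitError{Stderr: []byte("error: something is marked as insecure, refusing to evaluate.")}`, which works provided the function only reads `Stderr` and does not dereference `ProcessState` — something I cannot confirm from this hunk. Either way the assertion on `insecure` should be paired with a check that the same input with a `Package foo` line does reach the parsing path, otherwise a regression to the old panic would go unnoticed.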